[PATCH] SSL: support ALPN (IETF's successor to NPN)

Piotr Sikora piotr at cloudflare.com
Thu Nov 14 00:36:06 UTC 2013

Hey Valentin,

> I'm very unhappy with lots of #if(def)-s are introduced by the patch.
> Is there something can be done with that?

Added code depends on presence of ALPN support in OpenSSL, so I don't
see how we could get away without all those #ifdefs... I'm open to
suggestions, though :)

> But the SSL_select_next_proto() function is missing if OpenSSL was built

Good catch, I totally forgot about this... I've sent a patch [0] for
this to OpenSSL guys months ago and it was supposed to be fixed before
ALPN was backported to OpenSSL-1.0.2, but I guess it didn't happen.

I'll try to sort this out as soon as possible.

> Maybe I'm wrong since English isn't my native language, but should it be:
>   "nginx was built without OpenSSL ALPN or NPN " (s/and/or/)
> ?

Neither am I, but not really. Double negation makes this tricky, but
"or" would mean that it was built with one but not both, whereas "and"
means that it was built with neither.

> I'm not sure that we need to check NPN if from ALPN we know that some protocol
> was selected and it's not spdy.

Makes sense.

I'll get back to you with updated patch once fix for "no-nextprotoneg"
lands in OpenSSL-1.0.2.

[0] https://rt.openssl.org/Ticket/Display.html?id=3106 (guest:guest)

Best regards,
Piotr Sikora

More information about the nginx-devel mailing list