[PATCH] SSL: support ALPN (IETF's successor to NPN)
piotr at cloudflare.com
Thu Nov 14 00:36:06 UTC 2013
> I'm very unhappy with lots of #if(def)-s are introduced by the patch.
> Is there something can be done with that?
Added code depends on presence of ALPN support in OpenSSL, so I don't
see how we could get away without all those #ifdefs... I'm open to
suggestions, though :)
> But the SSL_select_next_proto() function is missing if OpenSSL was built
> with OPENSSL_NO_NEXTPROTONEG.
Good catch, I totally forgot about this... I've sent a patch  for
this to OpenSSL guys months ago and it was supposed to be fixed before
ALPN was backported to OpenSSL-1.0.2, but I guess it didn't happen.
I'll try to sort this out as soon as possible.
> Maybe I'm wrong since English isn't my native language, but should it be:
> "nginx was built without OpenSSL ALPN or NPN " (s/and/or/)
Neither am I, but not really. Double negation makes this tricky, but
"or" would mean that it was built with one but not both, whereas "and"
means that it was built with neither.
> I'm not sure that we need to check NPN if from ALPN we know that some protocol
> was selected and it's not spdy.
I'll get back to you with updated patch once fix for "no-nextprotoneg"
lands in OpenSSL-1.0.2.
 https://rt.openssl.org/Ticket/Display.html?id=3106 (guest:guest)
More information about the nginx-devel