[PATCH] SSL: support ALPN (IETF's successor to NPN)

Piotr Sikora piotr at cloudflare.com
Tue Jan 28 23:34:39 UTC 2014


Hey Valentin,

> These conditions look very excessive.  I think we could leave this definition
> without them.

Done.

> I've checked out some references and it looks like I was right.
>
> See here for example:
> http://www.esl-library.com/blog/2013/07/25/or-or-and-in-negative-sentences/
> http://forum.wordreference.com/showthread.php?t=577487&p=3234156#post3234156

OK, let's do it your way.

> It seems to me, this part looks cleaner if you will avoid duplication
> of spdy check:

Yeah, you're right... I actually have something very similar in our
internal tree, but that's because we're also rejecting unsupported
application protocols:
http://mailman.nginx.org/pipermail/nginx-devel/2013-April/003605.html

> Same here.  Let's just remove preprocessor condition at all.

Done.

Best regards,
Piotr Sikora


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1390952029 28800
#      Tue Jan 28 15:33:49 2014 -0800
# Node ID f1b9281e85396409f1c56fc76637d39e6893abc8
# Parent  fdb67cfc957d110ea887961cc8c08a590df5f62c
SSL: support ALPN (IETF's successor to NPN).

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r fdb67cfc957d -r f1b9281e8539 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue Jan 28 15:40:46 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Tue Jan 28 15:33:49 2014 -0800
@@ -17,6 +17,14 @@ typedef ngx_int_t (*ngx_ssl_variable_han
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"

+#define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
+
+
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
+    const unsigned char **out, unsigned char *outlen,
+    const unsigned char *in, unsigned int inlen, void *arg);
+#endif

 #ifdef TLSEXT_TYPE_next_proto_neg
 static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
@@ -288,10 +296,66 @@ static ngx_http_variable_t  ngx_http_ssl
 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");


+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+
+static int
+ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
+    unsigned char *outlen, const unsigned char *in, unsigned int inlen,
+    void *arg)
+{
+    unsigned int            srvlen;
+    unsigned char          *srv;
+#if (NGX_DEBUG)
+    unsigned int            i;
+#endif
+#if (NGX_HTTP_SPDY)
+    ngx_http_connection_t  *hc;
+#endif
+#if (NGX_HTTP_SPDY || NGX_DEBUG)
+    ngx_connection_t       *c;
+
+    c = ngx_ssl_get_connection(ssl_conn);
+#endif
+
+#if (NGX_DEBUG)
+    for (i = 0; i < inlen; i += in[i] + 1) {
+         ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                        "SSL ALPN supported by client: %*s", in[i],
&in[i + 1]);
+    }
+#endif
+
+#if (NGX_HTTP_SPDY)
+    hc = c->data;
+
+    if (hc->addr_conf->spdy) {
+        srv = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
+        srvlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
+
+    } else
+#endif
+    {
+        srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
+        srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
+    }
+
+    if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
+                              in, inlen)
+        != OPENSSL_NPN_NEGOTIATED)
+    {
+        return SSL_TLSEXT_ERR_NOACK;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "SSL ALPN selected: %*s", *outlen, *out);
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
 #ifdef TLSEXT_TYPE_next_proto_neg

-#define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
-
 static int
 ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
     const unsigned char **out, unsigned int *outlen, void *arg)
@@ -561,6 +625,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *

 #endif

+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+    SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
+#endif
+
 #ifdef TLSEXT_TYPE_next_proto_neg
     SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
                                           ngx_http_ssl_npn_advertised, NULL);
diff -r fdb67cfc957d -r f1b9281e8539 src/http/ngx_http.c
--- a/src/http/ngx_http.c Tue Jan 28 15:40:46 2014 +0400
+++ b/src/http/ngx_http.c Tue Jan 28 15:33:49 2014 -0800
@@ -1349,11 +1349,13 @@ ngx_http_add_address(ngx_conf_t *cf, ngx
         }
     }

-#if (NGX_HTTP_SPDY && NGX_HTTP_SSL && !defined TLSEXT_TYPE_next_proto_neg)
+#if (NGX_HTTP_SPDY && NGX_HTTP_SSL                                            \
+     && !defined TLSEXT_TYPE_application_layer_protocol_negotiation           \
+     && !defined TLSEXT_TYPE_next_proto_neg)
     if (lsopt->spdy && lsopt->ssl) {
         ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
-                           "nginx was built without OpenSSL NPN support, "
-                           "SPDY is not enabled for %s", lsopt->addr);
+                           "nginx was built without OpenSSL ALPN or NPN "
+                           "support, SPDY is not enabled for %s", lsopt->addr);
     }
 #endif

diff -r fdb67cfc957d -r f1b9281e8539 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Tue Jan 28 15:40:46 2014 +0400
+++ b/src/http/ngx_http_request.c Tue Jan 28 15:33:49 2014 -0800
@@ -705,13 +705,25 @@ ngx_http_ssl_handshake_handler(ngx_conne

         c->ssl->no_wait_shutdown = 1;

-#if (NGX_HTTP_SPDY && defined TLSEXT_TYPE_next_proto_neg)
+#if (NGX_HTTP_SPDY                                                            \
+     && (defined TLSEXT_TYPE_application_layer_protocol_negotiation           \
+         || defined TLSEXT_TYPE_next_proto_neg))
         {
         unsigned int             len;
         const unsigned char     *data;
         static const ngx_str_t   spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);

-        SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+        len = 0;
+
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+        SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+#endif
+
+#ifdef TLSEXT_TYPE_next_proto_neg
+        if (len == 0) {
+            SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+        }
+#endif

         if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) {
             ngx_http_spdy_init(c->read);
diff -r fdb67cfc957d -r f1b9281e8539 src/http/ngx_http_spdy.h
--- a/src/http/ngx_http_spdy.h Tue Jan 28 15:40:46 2014 +0400
+++ b/src/http/ngx_http_spdy.h Tue Jan 28 15:33:49 2014 -0800
@@ -17,10 +17,8 @@

 #define NGX_SPDY_VERSION              2

-#ifdef TLSEXT_TYPE_next_proto_neg
 #define NGX_SPDY_NPN_ADVERTISE        "\x06spdy/2"
 #define NGX_SPDY_NPN_NEGOTIATED       "spdy/2"
-#endif

 #define NGX_SPDY_STATE_BUFFER_SIZE    16



More information about the nginx-devel mailing list