[nginx] SSL: only select SPDY using NPN if "spdy" is enabled.
Maxim Dounin
mdounin at mdounin.ru
Mon Jan 25 19:43:10 UTC 2016
details: http://hg.nginx.org/nginx/rev/5ae5142d39a3
branches: stable-1.8
changeset: 6345:5ae5142d39a3
user: Valentin Bartenev <vbart at nginx.com>
date: Thu Nov 05 15:01:09 2015 +0300
description:
SSL: only select SPDY using NPN if "spdy" is enabled.
OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using SPDY even if it wasn't
enabled in configuration.
diffstat:
src/http/ngx_http_request.c | 28 ++++++++++++++++++----------
1 files changed, 18 insertions(+), 10 deletions(-)
diffs (46 lines):
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -770,24 +770,32 @@ ngx_http_ssl_handshake_handler(ngx_conne
{
unsigned int len;
const unsigned char *data;
+ ngx_http_connection_t *hc;
static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
+ hc = c->data;
+
+ if (hc->addr_conf->spdy) {
+
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
- SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+ SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
#ifdef TLSEXT_TYPE_next_proto_neg
- if (len == 0) {
+ if (len == 0) {
+ SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+ }
+#endif
+
+#else /* TLSEXT_TYPE_next_proto_neg */
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
- }
#endif
-#else /* TLSEXT_TYPE_next_proto_neg */
- SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
-#endif
-
- if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) {
- ngx_http_spdy_init(c->read);
- return;
+ if (len == spdy.len
+ && ngx_strncmp(data, spdy.data, spdy.len) == 0)
+ {
+ ngx_http_spdy_init(c->read);
+ return;
+ }
}
}
#endif
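Review bot: The new `if (hc->addr_conf->spdy)` guard carries no comment, and its purpose cannot be read from the code alone. Per the commit message, OpenSSL does not verify that the protocol the client selected was one the server announced, so the negotiated value is client-controlled and must be checked against configuration before `ngx_http_spdy_init()` is reached. I would record that above the guard, e.g. `/* OpenSSL does not check the NPN selection against the announced list; honour "spdy" only if it is enabled on this address */`, so the check is not later dropped as redundant. The enclosing function, ngx_http_ssl_handshake_handler, starts and ends outside the hunk, so the surrounding handshake path is not visible here.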