[nginx] Stream: the "ssl_alpn" directive.

Vladimir Homutov vl at nginx.com
Wed Oct 20 17:27:33 UTC 2021


details:   https://hg.nginx.org/nginx/rev/b9e02e9b2f1d
branches:  
changeset: 7936:b9e02e9b2f1d
user:      Vladimir Homutov <vl at nginx.com>
date:      Tue Oct 19 12:19:59 2021 +0300
description:
Stream: the "ssl_alpn" directive.

The directive sets the server list of supported application protocols
and requires one of these protocols to be negotiated if the client is
using ALPN.

diffstat:

 src/event/ngx_event_openssl.c      |    3 +
 src/stream/ngx_stream_ssl_module.c |  117 +++++++++++++++++++++++++++++++++++++
 src/stream/ngx_stream_ssl_module.h |    1 +
 3 files changed, 121 insertions(+), 0 deletions(-)

diffs (200 lines):

diff -r eb6c77e6d55d -r b9e02e9b2f1d src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Thu Oct 14 11:46:23 2021 +0300
+++ b/src/event/ngx_event_openssl.c	Tue Oct 19 12:19:59 2021 +0300
@@ -3134,6 +3134,9 @@ ngx_ssl_connection_error(ngx_connection_
 #ifdef SSL_R_CALLBACK_FAILED
             || n == SSL_R_CALLBACK_FAILED                            /*  234 */
 #endif
+#ifdef SSL_R_NO_APPLICATION_PROTOCOL
+            || n == SSL_R_NO_APPLICATION_PROTOCOL                    /*  235 */
+#endif
             || n == SSL_R_UNEXPECTED_MESSAGE                         /*  244 */
             || n == SSL_R_UNEXPECTED_RECORD                          /*  245 */
             || n == SSL_R_UNKNOWN_ALERT_TYPE                         /*  246 */
diff -r eb6c77e6d55d -r b9e02e9b2f1d src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c	Thu Oct 14 11:46:23 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.c	Tue Oct 19 12:19:59 2021 +0300
@@ -25,6 +25,11 @@ static void ngx_stream_ssl_handshake_han
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
 #endif
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+static int ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
+    const unsigned char **out, unsigned char *outlen,
+    const unsigned char *in, unsigned int inlen, void *arg);
+#endif
 #ifdef SSL_R_CERT_CB_ERROR
 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
 #endif
@@ -45,6 +50,8 @@ static char *ngx_stream_ssl_password_fil
     void *conf);
 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
+static char *ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
 
 static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
     void *data);
@@ -211,6 +218,13 @@ static ngx_command_t  ngx_stream_ssl_com
       offsetof(ngx_stream_ssl_conf_t, conf_commands),
       &ngx_stream_ssl_conf_command_post },
 
+    { ngx_string("ssl_alpn"),
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
+      ngx_stream_ssl_alpn,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      NULL },
+
       ngx_null_command
 };
 
@@ -446,6 +460,46 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t
 #endif
 
 
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+
+static int
+ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
+    unsigned char *outlen, const unsigned char *in, unsigned int inlen,
+    void *arg)
+{
+    ngx_str_t         *alpn;
+#if (NGX_DEBUG)
+    unsigned int       i;
+    ngx_connection_t  *c;
+
+    c = ngx_ssl_get_connection(ssl_conn);
+
+    for (i = 0; i < inlen; i += in[i] + 1) {
+        ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
+                       "SSL ALPN supported by client: %*s",
+                       (size_t) in[i], &in[i + 1]);
+    }
+
+#endif
+
+    alpn = arg;
+
+    if (SSL_select_next_proto((unsigned char **) out, outlen, alpn->data,
+                              alpn->len, in, inlen)
+        != OPENSSL_NPN_NEGOTIATED)
+    {
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
+                   "SSL ALPN selected: %*s", (size_t) *outlen, *out);
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
 #ifdef SSL_R_CERT_CB_ERROR
 
 int
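Review bot: ngx_stream_ssl_alpn_select carries no comment stating its contract, and a reader has to infer from the argument order of SSL_select_next_proto that the server-configured list in `alpn` decides preference over the client's ordering and that a missing overlap aborts the handshake with a fatal alert. A header comment above the function along the lines of `/* picks the first server-configured protocol the client also offers (server preference); no common protocol aborts the handshake with a fatal alert */` would make that explicit. The debug loop over `in` at the top walks the client's length-prefixed list using the client-supplied length bytes and so relies on OpenSSL having validated the list framing before invoking the callback; if that guarantee is what is being relied on, a one-line comment saying so saves the next reader a trip into the library. Note also that `c` is declared only under `#if (NGX_DEBUG)` yet appears in the ngx_log_debug2 call after the `#endif`; this compiles only because that macro expands to nothing in non-debug builds, which is worth a short comment since it reads like a use of an undeclared variable.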
@@ -605,6 +659,7 @@ ngx_stream_ssl_create_conf(ngx_conf_t *c
      *     scf->client_certificate = { 0, NULL };
      *     scf->trusted_certificate = { 0, NULL };
      *     scf->crl = { 0, NULL };
+     *     scf->alpn = { 0, NULL };
      *     scf->ciphers = { 0, NULL };
      *     scf->shm_zone = NULL;
      */
@@ -663,6 +718,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
     ngx_conf_merge_str_value(conf->trusted_certificate,
                          prev->trusted_certificate, "");
     ngx_conf_merge_str_value(conf->crl, prev->crl, "");
+    ngx_conf_merge_str_value(conf->alpn, prev->alpn, "");
 
     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                          NGX_DEFAULT_ECDH_CURVE);
@@ -723,6 +779,13 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
                                            ngx_stream_ssl_servername);
 #endif
 
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+    if (conf->alpn.len) {
+        SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_stream_ssl_alpn_select,
+                                   &conf->alpn);
+    }
+#endif
+
     if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
                         conf->prefer_server_ciphers)
         != NGX_OK)
@@ -1060,6 +1123,60 @@ invalid:
 
 
 static char *
+ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+
+    ngx_stream_ssl_conf_t  *scf = conf;
+
+    u_char      *p;
+    size_t       len;
+    ngx_str_t   *value;
+    ngx_uint_t   i;
+
+    if (scf->alpn.len) {
+        return "is duplicate";
+    }
+
+    value = cf->args->elts;
+
+    len = 0;
+
+    for (i = 1; i < cf->args->nelts; i++) {
+
+        if (value[i].len > 255) {
+            return "protocol too long";
+        }
+
+        len += value[i].len + 1;
+    }
+
+    scf->alpn.data = ngx_pnalloc(cf->pool, len);
+    if (scf->alpn.data == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    p = scf->alpn.data;
+
+    for (i = 1; i < cf->args->nelts; i++) {
+        *p++ = value[i].len;
+        p = ngx_cpymem(p, value[i].data, value[i].len);
+    }
+
+    scf->alpn.len = len;
+
+    return NGX_CONF_OK;
+
+#else
+    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                       "the \"ssl_alpn\" directive requires OpenSSL "
+                       "with ALPN support");
+    return NGX_CONF_ERROR;
+#endif
+}
+
+
+static char *
 ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
 {
 #ifndef SSL_CONF_FLAG_FILE
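Review bot: The validation loop at the top of ngx_stream_ssl_alpn rejects protocol names longer than 255 bytes but accepts an empty argument, so `ssl_alpn "";` is stored as a list entry with a zero length byte, which the ALPN protocol-name encoding does not allow (names are 1 to 255 bytes) and which can never be negotiated, while still enabling the callback because `scf->alpn.len` becomes non-zero. Adding `if (value[i].len == 0) { return "empty protocol"; }` beside the existing length check closes that gap in the same error style. A one-line comment on the second loop, e.g. `/* wire format: one length byte followed by the protocol name, per entry */`, would also document why `len` counts `value[i].len + 1` per argument.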
diff -r eb6c77e6d55d -r b9e02e9b2f1d src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h	Thu Oct 14 11:46:23 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.h	Tue Oct 19 12:19:59 2021 +0300
@@ -42,6 +42,7 @@ typedef struct {
     ngx_str_t        client_certificate;
     ngx_str_t        trusted_certificate;
     ngx_str_t        crl;
+    ngx_str_t        alpn;
 
     ngx_str_t        ciphers;
 

