[nginx] SSL: only select HTTP/2 using NPN if "http2" is enabled.

Valentin Bartenev
November 05, 2015 07:02AM
details: http://hg.nginx.org/nginx/rev/909b5b191f25
branches:
changeset: 6289:909b5b191f25
user: Valentin Bartenev <vbart@nginx.com>
date: Thu Nov 05 15:01:09 2015 +0300
description:
SSL: only select HTTP/2 using NPN if "http2" is enabled.

OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using HTTP/2 even if it wasn't
enabled in configuration.

diffstat:

src/http/ngx_http_request.c | 30 ++++++++++++++++++------------
1 files changed, 18 insertions(+), 12 deletions(-)

diffs (47 lines):

diff -r 0f4b7800e681 -r 909b5b191f25 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Thu Nov 05 15:01:01 2015 +0300
+++ b/src/http/ngx_http_request.c Thu Nov 05 15:01:09 2015 +0300
@@ -768,25 +768,31 @@ ngx_http_ssl_handshake_handler(ngx_conne
&& (defined TLSEXT_TYPE_application_layer_protocol_negotiation \
|| defined TLSEXT_TYPE_next_proto_neg))
{
- unsigned int len;
- const unsigned char *data;
+ unsigned int len;
+ const unsigned char *data;
+ ngx_http_connection_t *hc;
+
+ hc = c->data;
+
+ if (hc->addr_conf->http2) {

#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
- SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+ SSL_get0_alpn_selected(c->ssl->connection, &data, &len);

#ifdef TLSEXT_TYPE_next_proto_neg
- if (len == 0) {
+ if (len == 0) {
+ SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+ }
+#endif
+
+#else /* TLSEXT_TYPE_next_proto_neg */
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
- }
#endif

-#else /* TLSEXT_TYPE_next_proto_neg */
- SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
-#endif
-
- if (len == 2 && data[0] == 'h' && data[1] == '2') {
- ngx_http_v2_init(c->read);
- return;
+ if (len == 2 && data[0] == 'h' && data[1] == '2') {
+ ngx_http_v2_init(c->read);
+ return;
+ }
}
}
#endif
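
Review bot: the `if (hc->addr_conf->http2)` guard added at the top of this block has no comment, so the reason for it is recoverable only from the commit log: per the description, OpenSSL does not check that the negotiated protocol was announced, and a client could otherwise select "h2" on a listener where http2 is not enabled. A one-line comment above the condition would keep a later cleanup from dropping it as redundant. The guard also wraps the SSL_get0_alpn_selected() call, while the summary line mentions only NPN; the description could say whether covering the ALPN path is intentional or just the simpler structure.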

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel