[nginx] HTTP: connections with wrong ALPN protocols are now rejected.

Vladimir Homutov
October 20, 2021 01:28PM
details: https://hg.nginx.org/nginx/rev/db6b630e6086
branches:
changeset: 7937:db6b630e6086
user: Vladimir Homutov <vl@nginx.com>
date: Wed Oct 20 09:50:02 2021 +0300
description:
HTTP: connections with wrong ALPN protocols are now rejected.

This is a recommended behavior by RFC 7301 and is useful
for mitigation of protocol confusion attacks [1].

To avoid possible negative effects, the list of supported protocols
was extended to include all possible HTTP protocol ALPN IDs
registered by IANA [2], i.e. "http/1.0" and "http/0.9".

[1] https://alpaca-attack.com/
[2] https://www.iana.org/assignments/tls-extensiontype-values/

diffstat:

src/http/modules/ngx_http_ssl_module.c | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)

diffs (39 lines):

diff -r b9e02e9b2f1d -r db6b630e6086 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue Oct 19 12:19:59 2021 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Oct 20 09:50:02 2021 +0300
@@ -17,7 +17,7 @@ typedef ngx_int_t (*ngx_ssl_variable_han
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE "auto"

-#define NGX_HTTP_ALPN_PROTO "\x08http/1.1"
+#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"


#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
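Review bot: the new NGX_HTTP_ALPN_PROTOS literal relies on each length prefix matching the string that follows it (0x08 for the eight-byte "http/1.1", "http/1.0" and "http/0.9"), and on the entries being in server-preference order, since SSL_select_next_proto walks the server list first; neither is stated at the definition. A short comment above the #define noting both invariants would save the next person who appends a protocol from introducing a silent length mismatch. Also note that the macro is renamed (NGX_HTTP_ALPN_PROTO to NGX_HTTP_ALPN_PROTOS); any out-of-tree module referencing the old name will now fail to compile, which is worth a line in the changelog.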
@@ -442,21 +442,20 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t
hc = c->data;

if (hc->addr_conf->http2) {
- srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO;
- srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO) - 1;
-
+ srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
+ srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
} else
#endif
{
- srv = (unsigned char *) NGX_HTTP_ALPN_PROTO;
- srvlen = sizeof(NGX_HTTP_ALPN_PROTO) - 1;
+ srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
+ srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
}

if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
in, inlen)
!= OPENSSL_NPN_NEGOTIATED)
{
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}

ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
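Review bot: a client whose ALPN list has no overlap now gets a fatal alert (OpenSSL emits no_application_protocol for SSL_TLSEXT_ERR_ALERT_FATAL, per RFC 7301 section 3.2), but the function returns before the ngx_log_debug2 call below, so the rejection leaves no trace in the debug log. Consider logging the offered protocol list at debug level before `return SSL_TLSEXT_ERR_ALERT_FATAL;` so operators can distinguish a client broken by this change from a genuine cross-protocol attempt. Clients that send no ALPN extension are unaffected, since the callback is not invoked for them; that exemption should be mentioned in the commit description. The removal of the blank line after the http2 branch is an unrelated cosmetic change and would be cleaner in its own commit.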
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel