From 43e9607fdf44d66a870db798f1e13031c7511679 Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Thu, 5 Nov 2015 15:01:09 +0300 Subject: [PATCH] SSL: only select SPDY using NPN if "spdy" is enabled. OpenSSL doesn't check if the negotiated protocol has been announced. As a result, the client might force using SPDY even if it wasn't enabled in configuration. --- src/http/ngx_http_request.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 9f98799a1..2a62376be 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -770,24 +770,32 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c) { unsigned int len; const unsigned char *data; + ngx_http_connection_t *hc; static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED); + hc = c->data; + + if (hc->addr_conf->spdy) { + #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation - SSL_get0_alpn_selected(c->ssl->connection, &data, &len); + SSL_get0_alpn_selected(c->ssl->connection, &data, &len); #ifdef TLSEXT_TYPE_next_proto_neg - if (len == 0) { - SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); - } + if (len == 0) { + SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); + } #endif #else /* TLSEXT_TYPE_next_proto_neg */ - SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); + SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); #endif - if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) { - ngx_http_spdy_init(c->read); - return; + if (len == spdy.len + && ngx_strncmp(data, spdy.data, spdy.len) == 0) + { + ngx_http_spdy_init(c->read); + return; + } } } #endif