mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-06 17:02:39 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSL: only select HTTP/2 using NPN if "http2" is enabled.

Browse Source 
OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using HTTP/2 even if it wasn't
enabled in configuration.
This commit is contained in:
Valentin Bartenev 2015-11-05 15:01:09 +03:00
parent b22c0e0846
commit 93aef089b4
1 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/http/ngx_http_request.c
View File

@ -768,25 +768,31 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
&& (defined TLSEXT_TYPE_application_layer_protocol_negotiation \ && (defined TLSEXT_TYPE_application_layer_protocol_negotiation \
|| defined TLSEXT_TYPE_next_proto_neg)) || defined TLSEXT_TYPE_next_proto_neg))
{ {
unsigned int len; unsigned int len;
const unsigned char *data; const unsigned char *data;
ngx_http_connection_t *hc;
hc = c->data;
if (hc->addr_conf->http2) {
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
SSL_get0_alpn_selected(c->ssl->connection, &data, &len); SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
#ifdef TLSEXT_TYPE_next_proto_neg #ifdef TLSEXT_TYPE_next_proto_neg
if (len == 0) { if (len == 0) {
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
} }
#endif #endif
#else /* TLSEXT_TYPE_next_proto_neg */ #else /* TLSEXT_TYPE_next_proto_neg */
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
#endif #endif
if (len == 2 && data[0] == 'h' && data[1] == '2') { if (len == 2 && data[0] == 'h' && data[1] == '2') {
ngx_http_v2_init(c->read); ngx_http_v2_init(c->read);
return; return;
}
} }
} }
#endif #endif