author | Valentin Bartenev <vbart@nginx.com> | 2015-11-05 15:01:09 +0300 |
---|---|---|
committer | Valentin Bartenev <vbart@nginx.com> | 2015-11-05 15:01:09 +0300 |
commit | 43e9607fdf44d66a870db798f1e13031c7511679 (patch) | |
tree | cef61f8ca092f1f5b28700b3256649928f3fbb3e | |
parent | d4cd59c17b003dfbc121e48473dd2604e76c7fdf (diff) | |
download | nginx-43e9607fdf44d66a870db798f1e13031c7511679.tar.gz |
SSL: only select SPDY using NPN if "spdy" is enabled.
OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using SPDY even if it wasn't
enabled in configuration.
-rw-r--r-- | src/http/ngx_http_request.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 9f98799a1..2a62376be 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -770,24 +770,32 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
 {
     unsigned int len;
     const unsigned char *data;
+    ngx_http_connection_t *hc;
     static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
 
+    hc = c->data;
+
+    if (hc->addr_conf->spdy) {
+
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-    SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+        SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
 
 #ifdef TLSEXT_TYPE_next_proto_neg
-    if (len == 0) {
-        SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
-    }
+        if (len == 0) {
+            SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+        }
 #endif
 
 #else /* TLSEXT_TYPE_next_proto_neg */
-    SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+        SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
 #endif
 
-    if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) {
-        ngx_http_spdy_init(c->read);
-        return;
+        if (len == spdy.len
+            && ngx_strncmp(data, spdy.data, spdy.len) == 0)
+        {
+            ngx_http_spdy_init(c->read);
+            return;
+        }
     }
 }
 #endif
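Review bot: The new `if (hc->addr_conf->spdy)` guard is the entire fix, yet nothing in the code records why the negotiated-protocol result must not be trusted on its own, so a later cleanup could fold it back into the `len == spdy.len` test on the assumption that OpenSSL only ever returns a protocol the server advertised. Suggest a comment directly above the guard: `/* OpenSSL does not verify that the selected ALPN/NPN protocol was advertised by this listener, so a client could name SPDY where it is not configured; keep this check ahead of the protocol lookup */`. The `#if` that the closing `#endif` at the end of the hunk belongs to starts outside the hunk, as does anything that guarantees `c->data` is an `ngx_http_connection_t` at this point; the cast-free `hc = c->data` presumably relies on that invariant holding on every path into the handshake handler, which is worth confirming.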