Mercurial > hg > nginx
changeset 6345:5ae5142d39a3 stable-1.8
SSL: only select SPDY using NPN if "spdy" is enabled.
OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using SPDY even if it wasn't
enabled in configuration.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Thu, 05 Nov 2015 15:01:09 +0300 |
parents | a8ecb0a2193f |
children | e9a4531a2a5d |
files | src/http/ngx_http_request.c |
diffstat | 1 files changed, 16 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/ngx_http_request.c Fri Oct 30 21:43:30 2015 +0300 +++ b/src/http/ngx_http_request.c Thu Nov 05 15:01:09 2015 +0300 @@ -770,24 +770,32 @@ { unsigned int len; const unsigned char *data; + ngx_http_connection_t *hc; static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED); + hc = c->data; + + if (hc->addr_conf->spdy) { + #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation - SSL_get0_alpn_selected(c->ssl->connection, &data, &len); + SSL_get0_alpn_selected(c->ssl->connection, &data, &len); #ifdef TLSEXT_TYPE_next_proto_neg - if (len == 0) { - SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); - } + if (len == 0) { + SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); + } #endif #else /* TLSEXT_TYPE_next_proto_neg */ - SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); + SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); #endif - if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) { - ngx_http_spdy_init(c->read); - return; + if (len == spdy.len + && ngx_strncmp(data, spdy.data, spdy.len) == 0) + { + ngx_http_spdy_init(c->read); + return; + } } } #endif