SSL: only select SPDY using NPN if "spdy" is enabled.
OpenSSL doesn't check if the negotiated protocol has been announced. As a result, the client might force using SPDY even if it wasn't enabled in configuration.
This commit is contained in:
parent
f38b4d5a56
commit
144aa35280
@ -770,24 +770,32 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
{
unsigned int len;
const unsigned char *data;
ngx_http_connection_t *hc;
static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
hc = c->data;
if (hc->addr_conf->spdy) {
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
#ifdef TLSEXT_TYPE_next_proto_neg
if (len == 0) {
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
}
if (len == 0) {
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
}
#endif
#else /* TLSEXT_TYPE_next_proto_neg */
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
#endif
if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) {
ngx_http_spdy_init(c->read);
return;
if (len == spdy.len
&& ngx_strncmp(data, spdy.data, spdy.len) == 0)
{
ngx_http_spdy_init(c->read);
return;
}
}
}
#endif
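Review bot: The new `if (hc->addr_conf->spdy)` guard around the ALPN/NPN lookup has no comment saying why it is there, and to a reader who assumes the server only ever advertises protocols it enabled it looks redundant, so a later cleanup could drop it and reopen the bypass this commit closes. Suggest placing directly above the guard: `/* NPN lets the client pick a protocol the server never advertised; honour "spdy" only on a listen address that enabled it */`. Since the check is keyed on the per-address configuration, a client presenting the SPDY token on a non-spdy address now presumably falls through to plain HTTP without any trace; a debug-level log at that point would help when diagnosing such clients. ngx_http_ssl_handshake_handler begins and ends outside the hunk.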