mirror of
https://github.com/nginx/nginx.git
synced 2025-02-25 18:55:26 -06:00
SSL: support for TLSv1.3 early data with BoringSSL.
Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is specified in the configuration (default is off). The $ssl_early_data variable evaluates to "1" if the SSL handshake isn't yet completed, and can be used to set the Early-Data header as per draft-ietf-httpbis-replay-04.
This commit is contained in:
Maxim Dounin
parent
9f30fda1c2
commit
3b1589173f
@ -1168,6 +1168,29 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
|
||||||
|
{
|
||||||
|
if (!enable) {
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef SSL_ERROR_EARLY_DATA_REJECTED
|
||||||
|
|
||||||
|
/* BoringSSL */
|
||||||
|
|
||||||
|
SSL_CTX_set_early_data_enabled(ssl->ctx, 1);
|
||||||
|
|
||||||
|
#else
|
||||||
|
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
|
||||||
|
"\"ssl_early_data\" is not supported on this platform, "
|
||||||
|
"ignored");
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
|
ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
|
||||||
{
|
{
|
||||||
@ -3623,6 +3646,21 @@ ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||||
|
{
|
||||||
|
s->len = 0;
|
||||||
|
|
||||||
|
#ifdef SSL_ERROR_EARLY_DATA_REJECTED
|
||||||
|
if (SSL_in_early_data(c->ssl->connection)) {
|
||||||
|
ngx_str_set(s, "1");
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -171,6 +171,8 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
|
|||||||
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
|
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
|
||||||
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
|
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
|
||||||
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
|
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
|
||||||
|
ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
|
ngx_uint_t enable);
|
||||||
ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
ngx_uint_t enable);
|
ngx_uint_t enable);
|
||||||
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
|
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
|
||||||
@ -213,6 +215,8 @@ ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
|
|||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
|
ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
|||||||
@ -239,6 +239,13 @@ static ngx_command_t ngx_http_ssl_commands[] = {
|
|||||||
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
|
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
|
||||||
NULL },
|
NULL },
|
||||||
|
|
||||||
|
{ ngx_string("ssl_early_data"),
|
||||||
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
||||||
|
ngx_conf_set_flag_slot,
|
||||||
|
NGX_HTTP_SRV_CONF_OFFSET,
|
||||||
|
offsetof(ngx_http_ssl_srv_conf_t, early_data),
|
||||||
|
NULL },
|
||||||
|
|
||||||
ngx_null_command
|
ngx_null_command
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -294,6 +301,10 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
|
|||||||
{ ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
|
{ ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
|
||||||
(uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
(uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
|
{ ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
|
||||||
|
(uintptr_t) ngx_ssl_get_early_data,
|
||||||
|
NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
|
||||||
|
|
||||||
{ ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
|
{ ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
|
||||||
(uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
(uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
@ -552,6 +563,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|||||||
|
|
||||||
sscf->enable = NGX_CONF_UNSET;
|
sscf->enable = NGX_CONF_UNSET;
|
||||||
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
|
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
|
||||||
|
sscf->early_data = NGX_CONF_UNSET;
|
||||||
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
|
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
|
||||||
sscf->verify = NGX_CONF_UNSET_UINT;
|
sscf->verify = NGX_CONF_UNSET_UINT;
|
||||||
sscf->verify_depth = NGX_CONF_UNSET_UINT;
|
sscf->verify_depth = NGX_CONF_UNSET_UINT;
|
||||||
@ -594,6 +606,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
||||||
prev->prefer_server_ciphers, 0);
|
prev->prefer_server_ciphers, 0);
|
||||||
|
|
||||||
|
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
|
||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||||
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|
||||||
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
|
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
|
||||||
@ -809,6 +823,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
|
||||||
|
return NGX_CONF_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
return NGX_CONF_OK;
|
return NGX_CONF_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -20,6 +20,7 @@ typedef struct {
|
|||||||
ngx_ssl_t ssl;
|
ngx_ssl_t ssl;
|
||||||
|
|
||||||
ngx_flag_t prefer_server_ciphers;
|
ngx_flag_t prefer_server_ciphers;
|
||||||
|
ngx_flag_t early_data;
|
||||||
|
|
||||||
ngx_uint_t protocols;
|
ngx_uint_t protocols;
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user