| author | Vladimir Homutov <vl@nginx.com> | 2021-11-03 13:36:21 +0300 |
|---|---|---|
| committer | Vladimir Homutov <vl@nginx.com> | 2021-11-03 13:36:21 +0300 |
| commit | 0572c2a69f4edef04e3babdb6f9ef18ff52a9619 (patch) | |
| tree | cec18af1b5170b6e85719a811f410e29d2b74033 /src/event/quic/ngx_event_quic_ssl.c | |
| parent | 5f9c4e15a398bc10e23c7d366d181380135e2503 (diff) | |
QUIC: connections with wrong ALPN protocols are now rejected.
Previously, it was not enforced in the stream module.
Now, since b9e02e9b2f1d it is possible to specify protocols.
Since ALPN is always required, the 'require_alpn' setting is now obsolete.
Diffstat (limited to '')
| -rw-r--r-- | src/event/quic/ngx_event_quic_ssl.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
index 8899bc626..839bb3161 100644
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -175,6 +175,10 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
 ngx_connection_t *c;
 ngx_quic_send_ctx_t *ctx;
 ngx_quic_connection_t *qc;
+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
+ unsigned int alpn_len;
+ const unsigned char *alpn_data;
+#endif
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 qc = ngx_quic_get_connection(c);
@@ -190,21 +194,18 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
 */
 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
- if (qc->conf->require_alpn) {
- unsigned int len;
- const unsigned char *data;
- SSL_get0_alpn_selected(ssl_conn, &data, &len);
+ SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
- if (len == 0) {
- qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
- qc->error_reason = "unsupported protocol in ALPN extension";
+ if (alpn_len == 0) {
+ qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
+ qc->error_reason = "unsupported protocol in ALPN extension";
+
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "quic unsupported protocol in ALPN extension");
+ return 0;
+ }
- ngx_log_error(NGX_LOG_INFO, c->log, 0,
- "quic unsupported protocol in ALPN extension");
- return 0;
- }
- }
 #endif
 SSL_get_peer_quic_transport_params(ssl_conn, &client_params, |
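Review bot: The now-unconditional ALPN check in the second hunk is still wrapped in `#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)`, as are the `alpn_len`/`alpn_data` declarations in the first hunk. A build against an SSL library that does not define that macro would therefore compile the enforcement out and accept handshakes with no negotiated protocol, which contradicts the commit message's "ALPN is always required". If every QUIC-capable library is expected to define the macro, fail the build instead of skipping the check, e.g. add `#else` / `#error "QUIC requires ALPN support in the SSL library"` before the `#endif`. The test `alpn_len == 0` only establishes that some protocol was selected, so it presumably relies on the ALPN selection callback (not visible here) to refuse protocols that are not configured. A comment such as `/* a non-empty selection means the ALPN callback accepted a configured protocol */` would record that dependency. The body of ngx_quic_add_handshake_data starts and ends outside both hunks.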
