authorsftcd <stephen.farrell@cs.tcd.ie>2025-11-26 14:12:07 +0000
committerRoman Arutyunyan <arutyunyan.roman@gmail.com>2025-12-01 16:33:40 +0400
commitab4f5b2d32c1f621ebdf5816a34b568015b98c63 (patch)
treea2468ce46360587635183191db34da55126ae55d /src/http/modules/ngx_http_ssl_module.c
parentbcb41c91939009b7d01074c9a8f3cef1da13ec50 (diff)
Add basic ECH shared-mode via OpenSSL.
Diffstat (limited to 'src/http/modules/ngx_http_ssl_module.c')
-rw-r--r--src/http/modules/ngx_http_ssl_module.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index c71a5de08..43fcafd50 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -117,6 +117,13 @@ static ngx_command_t ngx_http_ssl_commands[] = {
0,
NULL },
+ { ngx_string("ssl_ech_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_array_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, ech_files),
+ NULL },
+
{ ngx_string("ssl_password_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_http_ssl_password_file,
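Review bot: The new `ssl_ech_file` entry carries no comment saying what the file holds or that the directive may be repeated, and both matter to whoever deploys it. Because the setter is `ngx_conf_set_str_array_slot` with `NGX_CONF_TAKE1`, each occurrence appends one path to `ech_files`, which is presumably how several ECH keys are kept live during rotation. The loader is not in this hunk, but these files are expected to contain ECH private key material next to the public config, so I would add above the entry `/* may be repeated; each file holds an ECH key pair, keep it readable by the master process only */`. The `ngx_http_ssl_commands[]` array starts and ends outside the hunk.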
@@ -377,6 +384,13 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
{ ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_ech_status"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_ech_status, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
+ { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_ech_outer_server_name,
+ NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
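Review bot: `$ssl_ech_outer_server_name` exposes the cleartext outer SNI, which is chosen by the client, and nothing at the registration says so. Configurations that log it, feed it to `map`, or forward it in a header should handle it like any other client-supplied string. I would add above the entry `/* outer ClientHello server name as sent by the client; untrusted */`. The values `$ssl_ech_status` can take, and what either variable yields when no ECH extension was offered, are decided in the getters, which are not visible here and deserve a short comment as well. The `ngx_http_ssl_vars[]` array starts and ends outside the hunk.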
@@ -643,6 +657,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->certificate_cache = NGX_CONF_UNSET_PTR;
+ sscf->ech_files = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
sscf->conf_commands = NGX_CONF_UNSET_PTR;
sscf->builtin_session_cache = NGX_CONF_UNSET;
@@ -694,6 +709,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
NULL);
+ ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
+
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
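Review bot: `ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL)` inherits the `http`-level list only when the `server` block sets no `ssl_ech_file` at all, so a server that names one file silently drops every file configured at the outer level. That matches how the neighbouring pointer settings merge, but it is easy to get wrong during key rotation, where an operator may expect the lists to be combined. A comment such as `/* server-level ssl_ech_file replaces, not extends, the inherited list */` would make this explicit. The body of `ngx_http_ssl_merge_srv_conf` starts and ends outside the hunk.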
@@ -880,6 +897,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
+ if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
return NGX_CONF_ERROR;
}
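Review bot: The call to `ngx_ssl_ech_files()` is unconditional, so correctness on two paths rests entirely on a helper that is not visible here. First, `conf->ech_files` is `NULL` whenever the directive is absent (the merge default added earlier in this commit), so either the helper must return `NGX_OK` for `NULL` or the call should read `if (conf->ech_files != NULL && ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {`. Second, there is no feature guard around the call, so on a build whose OpenSSL lacks ECH the helper should fail configuration loading when files were given rather than ignore them; otherwise an operator would believe ECH is active while client names still travel in cleartext. The body of `ngx_http_ssl_merge_srv_conf` starts and ends outside the hunk.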