SSL: only select HTTP/2 using NPN if "http2" is enabled.

OpenSSL doesn't check if the negotiated protocol has been announced. As a result, the client might force using HTTP/2 even if it wasn't enabled in configuration.
ezmorph · Nov 5, 2015 · 93aef08 · 93aef08
1 parent b22c0e0
commit 93aef08
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
@@ -768,25 +768,31 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
      && (defined TLSEXT_TYPE_application_layer_protocol_negotiation           \
          || defined TLSEXT_TYPE_next_proto_neg))
         {
-        unsigned int          len;
-        const unsigned char  *data;
+        unsigned int            len;
+        const unsigned char    *data;
+        ngx_http_connection_t  *hc;
+
+        hc = c->data;
+
+        if (hc->addr_conf->http2) {
 
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-        SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+            SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
 
 #ifdef TLSEXT_TYPE_next_proto_neg
-        if (len == 0) {
-            SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
-        }
+            if (len == 0) {
+                SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+            }
 #endif
 
 #else /* TLSEXT_TYPE_next_proto_neg */
-        SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+            SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
 #endif
 
-        if (len == 2 && data[0] == 'h' && data[1] == '2') {
-            ngx_http_v2_init(c->read);
-            return;
+            if (len == 2 && data[0] == 'h' && data[1] == '2') {
+                ngx_http_v2_init(c->read);
+                return;
+            }
         }
         }
 #endif