From 9b03c64f68077fb54a68b4cae9fe35ca1d0a00ed Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 8 Sep 2018 19:22:30 +0900
Subject: [PATCH] nghttpx: Should postpone early data by default

---
 gennghttpxfun.py | 2 +-
 src/shrpx.cc | 19 ++++++++++---------
 src/shrpx_config.cc | 14 +++++++-------
 src/shrpx_config.h | 12 ++++++------
 src/shrpx_connection.cc | 4 ++--
 5 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/gennghttpxfun.py b/gennghttpxfun.py
index e0d36391..344b4308 100755
--- a/gennghttpxfun.py
+++ b/gennghttpxfun.py
@@ -170,7 +170,7 @@ OPTIONS = [
 "no-verify-ocsp",
 "verify-client-tolerate-expired",
 "ignore-per-pattern-mruby-error",
- "tls-postpone-early-data",
+ "tls-no-postpone-early-data",
 "tls-max-early-data",
 ]
 
diff --git a/src/shrpx.cc b/src/shrpx.cc
index 52a7b2af..56819af3 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -2371,12 +2371,13 @@ SSL/TLS:
 HTTP/2. To use those cipher suites with HTTP/2, consider to use --client-no-http2-cipher-black-list option. But be aware its implications.
- --tls-postpone-early-data
- Postpone forwarding HTTP requests sent in early data, including those sent in partially in it, until TLS handshake finishes. This option must be used to mitigate possible replay attack unless all backend servers recognize "Early-Data" header field.
+ --tls-no-postpone-early-data
+ By default, nghttpx postpones forwarding HTTP requests sent in early data, including those sent in partially in it, until TLS handshake finishes. If all backend server recognizes "Early-Data" header field, using this option makes nghttpx not postpone forwarding request and get full potential of 0-RTT data.
 --tls-max-early-data= Sets the maximum amount of 0-RTT data that server accepts.
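Review bot: The rewritten help text for --tls-no-postpone-early-data loses the explicit replay caveat the old entry carried, and "If all backend server recognizes" is ungrammatical. Since this option is the single switch that turns off the new safe default, the help should still state what the operator is accepting when they set it. Suggested wording for the last two sentences: `If every backend server recognizes the "Early-Data" header field, this option makes nghttpx forward such requests without waiting, realizing the full potential of 0-RTT data. Otherwise requests forwarded in early data may be replayed.` The help-text block continues outside the hunk.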
@@ -3448,7 +3449,7 @@ int main(int argc, char **argv) {
 160},
 {SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR.c_str(), no_argument, &flag,
 161},
- {SHRPX_OPT_TLS_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
+ {SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
 {SHRPX_OPT_TLS_MAX_EARLY_DATA.c_str(), required_argument, &flag, 163},
 {nullptr, 0, nullptr, 0}};
 
@@ -4222,8 +4223,8 @@ int main(int argc, char **argv) {
 StringRef::from_lit("yes"));
 break;
 case 162:
- // --tls-postpone-early-data
- cmdcfgs.emplace_back(SHRPX_OPT_TLS_POSTPONE_EARLY_DATA,
+ // --tls-no-postpone-early-data
+ cmdcfgs.emplace_back(SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA,
 StringRef::from_lit("yes"));
 break;
 case 163:
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index ddf2abdc..336df42f 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -2045,11 +2045,6 @@ int option_lookup_token(const char *name, size_t namelen) {
 break;
 case 23:
 switch (name[22]) {
- case 'a':
- if (util::strieq_l("tls-postpone-early-dat", name, 22)) {
- return SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA;
- }
- break;
 case 'e':
 if (util::strieq_l("client-private-key-fil", name, 22)) {
 return SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE;
@@ -2124,6 +2119,11 @@ int option_lookup_token(const char *name, size_t namelen) {
 break;
 case 26:
 switch (name[25]) {
+ case 'a':
+ if (util::strieq_l("tls-no-postpone-early-dat", name, 25)) {
+ return SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA;
+ }
+ break;
 case 'e':
 if (util::strieq_l("frontend-http2-window-siz", name, 25)) {
 return SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE;
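Review bot: A config file that still contains tls-postpone-early-data is no longer recognized once the `case 'a'` entry under `case 23` is removed from option_lookup_token; if unknown options are fatal at startup (not visible here) that fails in the safe direction, but it is an upgrade break for every deployment that had enabled the old option. Because the old option now requests what is already the default, it can stay accepted as a deprecated no-op: keep the 23-character lookup returning SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA, and in parse_config log a deprecation warning for that id and `return 0;` without touching config->tls. The getopt table and help entry earlier in the patch would then keep a deprecated line as well. option_lookup_token starts and ends outside the hunk.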
@@ -3601,8 +3601,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
 config->ignore_per_pattern_mruby_error = util::strieq_l("yes", optarg);
 
 return 0;
- case SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA:
- config->tls.postpone_early_data = util::strieq_l("yes", optarg);
+ case SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA:
+ config->tls.no_postpone_early_data = util::strieq_l("yes", optarg);
 
 return 0;
 case SHRPX_OPTID_TLS_MAX_EARLY_DATA: {
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index c8987974..2dd35b0b 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -347,8 +347,8 @@ constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
 StringRef::from_lit("verify-client-tolerate-expired");
 constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR =
 StringRef::from_lit("ignore-per-pattern-mruby-error");
- constexpr auto SHRPX_OPT_TLS_POSTPONE_EARLY_DATA =
- StringRef::from_lit("tls-postpone-early-data");
+ constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
+ StringRef::from_lit("tls-no-postpone-early-data");
 constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
 StringRef::from_lit("tls-max-early-data");
 
@@ -662,9 +662,9 @@ struct TLSConfig {
 int max_proto_version;
 bool insecure;
 bool no_http2_cipher_black_list;
- // true if forwarding requests included in TLS early data should be
- // postponed until TLS handshake finishes.
- bool postpone_early_data;
+ // true if forwarding requests included in TLS early data should not
+ // be postponed until TLS handshake finishes.
+ bool no_postpone_early_data;
 };
 
 // custom error page
@@ -1126,7 +1126,7 @@ enum {
 SHRPX_OPTID_TLS_MAX_EARLY_DATA,
 SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
 SHRPX_OPTID_TLS_MIN_PROTO_VERSION,
- SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA,
+ SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA,
 SHRPX_OPTID_TLS_PROTO_LIST,
 SHRPX_OPTID_TLS_SCT_DIR,
 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc
index 3e5c67c3..05572698 100644
--- a/src/shrpx_connection.cc
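Review bot: The replay-safe default now rests on `no_postpone_early_data` in TLSConfig reading false when the config is created, and the new member has no initializer; the construction site is not in the patch, so confirm that Config is value-initialized (braces or `= {}`) rather than default-initialized, since an indeterminate bool here would forward early-data requests before the handshake completes. If TLSConfig is not aggregate-initialized elsewhere, `bool no_postpone_early_data = false;` pins the default at the declaration and the comment can state it: `// true if forwarding requests included in TLS early data should not be postponed until TLS handshake finishes; false (the default) is the replay-safe setting.` The parse_config hunk above sets the field with the matching polarity and looks correct. struct TLSConfig starts outside the hunk.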
+++ b/src/shrpx_connection.cc
@@ -408,7 +408,7 @@ int Connection::tls_handshake() {
 // server waits for EndOfEarlyData and Finished message from
 // client, which voids the purpose of 0-RTT data. The left
 // over of handshake is done through write_tls or read_tls.
- if (!tlsconf.postpone_early_data &&
+ if (tlsconf.no_postpone_early_data &&
 (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
 tls.wbuf.rleft()) &&
 tls.earlybuf.rleft()) {
@@ -431,7 +431,7 @@ int Connection::tls_handshake() {
 }
 tls.early_data_finish = true;
 // The same reason stated above.
- if (!tlsconf.postpone_early_data &&
+ if (tlsconf.no_postpone_early_data &&
 (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
 tls.wbuf.rleft()) &&
 tls.earlybuf.rleft()) {
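Review bot: The flush predicate is spelled out twice, at the changed line in each of the two hunks, which is why this polarity flip had to be applied in two places and why a future edit can drift between them; factoring it into one local lambda ahead of the first site makes the condition single-sourced, so both statements read `if (flush_early_data()) {`. This is also the path on which a request leaves before the handshake finishes, so it is worth confirming (not visible in this patch) that requests forwarded here carry the "Early-Data" marking the help text promises backends. Connection::tls_handshake starts and ends outside the hunks.
```cpp
  // Forward buffered early data before the handshake completes only when
  // the operator opted out of postponement and there is output pending.
  auto flush_early_data = [&]() {
    return tlsconf.no_postpone_early_data &&
           (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
            tls.wbuf.rleft()) &&
           tls.earlybuf.rleft();
  };
  // … unchanged: handshake driving up to the first flush site …
  if (flush_early_data()) {
  // … unchanged: everything between the two sites …
  if (flush_early_data()) {
```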