nghttpx: Should postpone early data by default

Tatsuhiro Tsujikawa 2018-09-08 19:22:30 +09:00
parent b8eccec62d
commit 9b03c64f68
5 changed files with 26 additions and 25 deletions


@ -170,7 +170,7 @@ OPTIONS = [
"no-verify-ocsp", "no-verify-ocsp",
"verify-client-tolerate-expired", "verify-client-tolerate-expired",
"ignore-per-pattern-mruby-error", "ignore-per-pattern-mruby-error",
"tls-postpone-early-data", "tls-no-postpone-early-data",
"tls-max-early-data", "tls-max-early-data",
] ]


@ -2371,12 +2371,13 @@ SSL/TLS:
HTTP/2. To use those cipher suites with HTTP/2, HTTP/2. To use those cipher suites with HTTP/2,
consider to use --client-no-http2-cipher-black-list consider to use --client-no-http2-cipher-black-list
option. But be aware its implications. option. But be aware its implications.
--tls-postpone-early-data --tls-no-postpone-early-data
Postpone forwarding HTTP requests sent in early data, By default, nghttpx postpones forwarding HTTP requests
including those sent in partially in it, until TLS sent in early data, including those sent in partially in
handshake finishes. This option must be used to it, until TLS handshake finishes. If all backend server
mitigate possible replay attack unless all backend recognizes "Early-Data" header field, using this option
servers recognize "Early-Data" header field. makes nghttpx not postpone forwarding request and get
full potential of 0-RTT data.
--tls-max-early-data=<SIZE> --tls-max-early-data=<SIZE>
Sets the maximum amount of 0-RTT data that server Sets the maximum amount of 0-RTT data that server
accepts. accepts.
@ -3448,7 +3449,7 @@ int main(int argc, char **argv) {
160}, 160},
{SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR.c_str(), no_argument, &flag, {SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR.c_str(), no_argument, &flag,
161}, 161},
{SHRPX_OPT_TLS_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162}, {SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
{SHRPX_OPT_TLS_MAX_EARLY_DATA.c_str(), required_argument, &flag, 163}, {SHRPX_OPT_TLS_MAX_EARLY_DATA.c_str(), required_argument, &flag, 163},
{nullptr, 0, nullptr, 0}}; {nullptr, 0, nullptr, 0}};
@ -4222,8 +4223,8 @@ int main(int argc, char **argv) {
StringRef::from_lit("yes")); StringRef::from_lit("yes"));
break; break;
case 162: case 162:
// --tls-postpone-early-data // --tls-no-postpone-early-data
cmdcfgs.emplace_back(SHRPX_OPT_TLS_POSTPONE_EARLY_DATA, cmdcfgs.emplace_back(SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA,
StringRef::from_lit("yes")); StringRef::from_lit("yes"));
break; break;
case 163: case 163:
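Review bot: The new help text for --tls-no-postpone-early-data (right-hand column of the lines following `--tls-no-postpone-early-data`) drops the replay warning the old text carried, so an operator reading only this text sees a pure performance knob rather than a security trade-off. I would append a sentence such as `Use this option only if every backend server understands the Early-Data header field and treats such requests as potentially replayed; otherwise requests sent in 0-RTT data may be replayed against the backend.` The same text also needs `If all backend servers recognize` instead of `If all backend server recognizes`. The option-table entry and the case 162 handler are consistent with the rename and need no change.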


@ -2045,11 +2045,6 @@ int option_lookup_token(const char *name, size_t namelen) {
break; break;
case 23: case 23:
switch (name[22]) { switch (name[22]) {
case 'a':
if (util::strieq_l("tls-postpone-early-dat", name, 22)) {
return SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA;
}
break;
case 'e': case 'e':
if (util::strieq_l("client-private-key-fil", name, 22)) { if (util::strieq_l("client-private-key-fil", name, 22)) {
return SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE; return SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE;
@ -2124,6 +2119,11 @@ int option_lookup_token(const char *name, size_t namelen) {
break; break;
case 26: case 26:
switch (name[25]) { switch (name[25]) {
case 'a':
if (util::strieq_l("tls-no-postpone-early-dat", name, 25)) {
return SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA;
}
break;
case 'e': case 'e':
if (util::strieq_l("frontend-http2-window-siz", name, 25)) { if (util::strieq_l("frontend-http2-window-siz", name, 25)) {
return SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE; return SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE;
@ -3601,8 +3601,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
config->ignore_per_pattern_mruby_error = util::strieq_l("yes", optarg); config->ignore_per_pattern_mruby_error = util::strieq_l("yes", optarg);
return 0; return 0;
case SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA: case SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA:
config->tls.postpone_early_data = util::strieq_l("yes", optarg); config->tls.no_postpone_early_data = util::strieq_l("yes", optarg);
return 0; return 0;
case SHRPX_OPTID_TLS_MAX_EARLY_DATA: { case SHRPX_OPTID_TLS_MAX_EARLY_DATA: {
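Review bot: The old spelling `tls-postpone-early-data` is removed from option_lookup_token (the dropped `case 'a':` under `case 23:`) with no alias, so a configuration written for the previous release will presumably be rejected as an unknown option at startup rather than mapped onto the new default; that is the safer failure mode, but it is worth confirming the unknown-option path fails loudly instead of silently skipping the line. Keeping the old token for one release as a deprecated, logged no-op (returning the new SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA would invert the operator's intent, so it must not do that) would ease migration. The new 26-character lookup and `config->tls.no_postpone_early_data = util::strieq_l("yes", optarg);` are consistent with the neighbouring boolean options. option_lookup_token and parse_config both start and end outside these hunks.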


@ -347,8 +347,8 @@ constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
StringRef::from_lit("verify-client-tolerate-expired"); StringRef::from_lit("verify-client-tolerate-expired");
constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR = constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR =
StringRef::from_lit("ignore-per-pattern-mruby-error"); StringRef::from_lit("ignore-per-pattern-mruby-error");
constexpr auto SHRPX_OPT_TLS_POSTPONE_EARLY_DATA = constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
StringRef::from_lit("tls-postpone-early-data"); StringRef::from_lit("tls-no-postpone-early-data");
constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA = constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
StringRef::from_lit("tls-max-early-data"); StringRef::from_lit("tls-max-early-data");
@ -662,9 +662,9 @@ struct TLSConfig {
int max_proto_version; int max_proto_version;
bool insecure; bool insecure;
bool no_http2_cipher_black_list; bool no_http2_cipher_black_list;
// true if forwarding requests included in TLS early data should be // true if forwarding requests included in TLS early data should not
// postponed until TLS handshake finishes. // be postponed until TLS handshake finishes.
bool postpone_early_data; bool no_postpone_early_data;
}; };
// custom error page // custom error page
@ -1126,7 +1126,7 @@ enum {
SHRPX_OPTID_TLS_MAX_EARLY_DATA, SHRPX_OPTID_TLS_MAX_EARLY_DATA,
SHRPX_OPTID_TLS_MAX_PROTO_VERSION, SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
SHRPX_OPTID_TLS_MIN_PROTO_VERSION, SHRPX_OPTID_TLS_MIN_PROTO_VERSION,
SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA, SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA,
SHRPX_OPTID_TLS_PROTO_LIST, SHRPX_OPTID_TLS_PROTO_LIST,
SHRPX_OPTID_TLS_SCT_DIR, SHRPX_OPTID_TLS_SCT_DIR,
SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED, SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
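Review bot: The safe default (postpone) now rests on `no_postpone_early_data` being false when the option is absent, and like its neighbours `insecure` and `no_http2_cipher_black_list` the field has no in-class initializer, so this depends on Config being value-initialized where it is constructed, which is outside this diff and should be confirmed. The field comment should also record why the default matters, e.g. `// true if forwarding requests included in TLS early data should not be postponed until TLS handshake finishes. false (the default) holds 0-RTT requests back so they cannot be replayed against backends that do not handle Early-Data.` The inverted name is a reasonable way to make zero-initialization the secure setting. TLSConfig and the option-id enum both extend beyond these hunks.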


@ -408,7 +408,7 @@ int Connection::tls_handshake() {
// server waits for EndOfEarlyData and Finished message from // server waits for EndOfEarlyData and Finished message from
// client, which voids the purpose of 0-RTT data. The left // client, which voids the purpose of 0-RTT data. The left
// over of handshake is done through write_tls or read_tls. // over of handshake is done through write_tls or read_tls.
if (!tlsconf.postpone_early_data && if (tlsconf.no_postpone_early_data &&
(tls.handshake_state == TLS_CONN_WRITE_STARTED || (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
tls.wbuf.rleft()) && tls.wbuf.rleft()) &&
tls.earlybuf.rleft()) { tls.earlybuf.rleft()) {
@ -431,7 +431,7 @@ int Connection::tls_handshake() {
} }
tls.early_data_finish = true; tls.early_data_finish = true;
// The same reason stated above. // The same reason stated above.
if (!tlsconf.postpone_early_data && if (tlsconf.no_postpone_early_data &&
(tls.handshake_state == TLS_CONN_WRITE_STARTED || (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
tls.wbuf.rleft()) && tls.wbuf.rleft()) &&
tls.earlybuf.rleft()) { tls.earlybuf.rleft()) {
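Review bot: Both flipped conditions are correct for the new default, but the only explanatory comment (the `server waits for EndOfEarlyData and Finished message` block) motivates the opt-in fast path, and nothing says why the default path deliberately leaves `tls.earlybuf` untouched until the handshake completes, which invites a later "optimisation" that reintroduces the replay exposure. I would precede the first condition with `// By default early data stays in earlybuf until the handshake finishes so that a replayed 0-RTT request never reaches a backend that cannot recognise Early-Data; only --tls-no-postpone-early-data lifts this.` The identical three-line predicate appears in both hunks and could be factored into a small helper so the two sites cannot drift apart. Connection::tls_handshake begins before the first hunk and both if bodies continue past their hunks.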