nghttpx: Should postpone early data by default

Tatsuhiro Tsujikawa 2018-09-08 19:22:30 +09:00
parent b8eccec62d
commit 9b03c64f68
5 changed files with 26 additions and 25 deletions


@ -170,7 +170,7 @@ OPTIONS = [
"no-verify-ocsp",
"verify-client-tolerate-expired",
"ignore-per-pattern-mruby-error",
"tls-postpone-early-data",
"tls-no-postpone-early-data",
"tls-max-early-data",
]


@ -2371,12 +2371,13 @@ SSL/TLS:
HTTP/2. To use those cipher suites with HTTP/2,
consider to use --client-no-http2-cipher-black-list
option. But be aware its implications.
--tls-postpone-early-data
Postpone forwarding HTTP requests sent in early data,
including those sent in partially in it, until TLS
handshake finishes. This option must be used to
mitigate possible replay attack unless all backend
servers recognize "Early-Data" header field.
--tls-no-postpone-early-data
By default, nghttpx postpones forwarding HTTP requests
sent in early data, including those sent in partially in
it, until TLS handshake finishes. If all backend server
recognizes "Early-Data" header field, using this option
makes nghttpx not postpone forwarding request and get
full potential of 0-RTT data.
--tls-max-early-data=<SIZE>
Sets the maximum amount of 0-RTT data that server
accepts.
@ -3448,7 +3449,7 @@ int main(int argc, char **argv) {
160},
{SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR.c_str(), no_argument, &flag,
161},
{SHRPX_OPT_TLS_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
{SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
{SHRPX_OPT_TLS_MAX_EARLY_DATA.c_str(), required_argument, &flag, 163},
{nullptr, 0, nullptr, 0}};
@ -4222,8 +4223,8 @@ int main(int argc, char **argv) {
StringRef::from_lit("yes"));
break;
case 162:
// --tls-postpone-early-data
cmdcfgs.emplace_back(SHRPX_OPT_TLS_POSTPONE_EARLY_DATA,
// --tls-no-postpone-early-data
cmdcfgs.emplace_back(SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA,
StringRef::from_lit("yes"));
break;
case 163:
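Review bot: The new help text for --tls-no-postpone-early-data in the first hunk has a number-agreement slip and understates what a backend must do before the option is safe to use: "If all backend server recognizes" should read `If all backend servers recognize`, and merely recognizing the "Early-Data" header field is not enough unless the backend also defers or rejects non-idempotent requests that carry it (RFC 8470 defines the 425 Too Early status for exactly that). Since the help is the only place an operator learns that this option switches off the replay mitigation, suggest closing the paragraph with a sentence such as `Do not use this option if any backend cannot distinguish an early-data request from a replayed one.` The getopt table entry and the case 162 branch in the other two hunks are consistent with the renamed option; the enclosing main() starts and ends outside these hunks.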


@ -2045,11 +2045,6 @@ int option_lookup_token(const char *name, size_t namelen) {
break;
case 23:
switch (name[22]) {
case 'a':
if (util::strieq_l("tls-postpone-early-dat", name, 22)) {
return SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA;
}
break;
case 'e':
if (util::strieq_l("client-private-key-fil", name, 22)) {
return SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE;
@ -2124,6 +2119,11 @@ int option_lookup_token(const char *name, size_t namelen) {
break;
case 26:
switch (name[25]) {
case 'a':
if (util::strieq_l("tls-no-postpone-early-dat", name, 25)) {
return SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA;
}
break;
case 'e':
if (util::strieq_l("frontend-http2-window-siz", name, 25)) {
return SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE;
@ -3601,8 +3601,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
config->ignore_per_pattern_mruby_error = util::strieq_l("yes", optarg);
return 0;
case SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA:
config->tls.postpone_early_data = util::strieq_l("yes", optarg);
case SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA:
config->tls.no_postpone_early_data = util::strieq_l("yes", optarg);
return 0;
case SHRPX_OPTID_TLS_MAX_EARLY_DATA: {


@ -347,8 +347,8 @@ constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
StringRef::from_lit("verify-client-tolerate-expired");
constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR =
StringRef::from_lit("ignore-per-pattern-mruby-error");
constexpr auto SHRPX_OPT_TLS_POSTPONE_EARLY_DATA =
StringRef::from_lit("tls-postpone-early-data");
constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
StringRef::from_lit("tls-no-postpone-early-data");
constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
StringRef::from_lit("tls-max-early-data");
@ -662,9 +662,9 @@ struct TLSConfig {
int max_proto_version;
bool insecure;
bool no_http2_cipher_black_list;
// true if forwarding requests included in TLS early data should be
// postponed until TLS handshake finishes.
bool postpone_early_data;
// true if forwarding requests included in TLS early data should not
// be postponed until TLS handshake finishes.
bool no_postpone_early_data;
};
// custom error page
@ -1126,7 +1126,7 @@ enum {
SHRPX_OPTID_TLS_MAX_EARLY_DATA,
SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
SHRPX_OPTID_TLS_MIN_PROTO_VERSION,
SHRPX_OPTID_TLS_POSTPONE_EARLY_DATA,
SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA,
SHRPX_OPTID_TLS_PROTO_LIST,
SHRPX_OPTID_TLS_SCT_DIR,
SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
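Review bot: The comment on `no_postpone_early_data` in the TLSConfig hunk says what the flag does but not that its zero value is now the security-relevant default, which is the whole point of this commit. The field has no in-class initializer, like its neighbours `insecure` and `no_http2_cipher_black_list`, so postpone-by-default rests on TLSConfig being zero-initialized wherever Config is constructed, which is outside this diff and worth confirming. Suggest extending the comment with two sentences stating that the default is false, that postponing is the replay mitigation for 0-RTT data, and that the flag should only be set when every backend recognizes the "Early-Data" header field, so a future reader does not "fix" the missing initializer to true.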


@ -408,7 +408,7 @@ int Connection::tls_handshake() {
// server waits for EndOfEarlyData and Finished message from
// client, which voids the purpose of 0-RTT data. The left
// over of handshake is done through write_tls or read_tls.
if (!tlsconf.postpone_early_data &&
if (tlsconf.no_postpone_early_data &&
(tls.handshake_state == TLS_CONN_WRITE_STARTED ||
tls.wbuf.rleft()) &&
tls.earlybuf.rleft()) {
@ -431,7 +431,7 @@ int Connection::tls_handshake() {
}
tls.early_data_finish = true;
// The same reason stated above.
if (!tlsconf.postpone_early_data &&
if (tlsconf.no_postpone_early_data &&
(tls.handshake_state == TLS_CONN_WRITE_STARTED ||
tls.wbuf.rleft()) &&
tls.earlybuf.rleft()) {
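Review bot: Both hunks of Connection::tls_handshake now repeat the same three-part predicate on `tlsconf.no_postpone_early_data`, and the second one is introduced only by "The same reason stated above."; with the polarity flipped, a reader has to re-derive at each site that the branch is the non-default, replay-exposed path. Naming the predicate once makes that intent greppable and keeps the two sites from drifting apart. The function, `tlsconf` and `tls` are defined outside these hunks, so the lambda below would go just before the first check; both `if` lines then become `if (forward_early_data_now()) {`, and the predicate is still evaluated at each site because the capture is by reference.
```cpp
// Early data is forwarded before the handshake completes only when the
// operator has explicitly turned off the replay mitigation.
auto forward_early_data_now = [&]() {
  return tlsconf.no_postpone_early_data &&
         (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
          tls.wbuf.rleft()) &&
         tls.earlybuf.rleft();
};
// … unchanged: comment explaining why the server would otherwise wait for EndOfEarlyData …
if (forward_early_data_now()) {
// … unchanged: first early-data flush, early_data_finish = true …
if (forward_early_data_now()) {
```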