Tatsuhiro Tsujikawa
a3334bb21c
nghttpd: Use cipher suites recommended by Mozilla
2014-06-28 15:28:19 +09:00
Tatsuhiro Tsujikawa
479e15469c
nghttpx: Add worker-frontend-connections option
2014-06-26 22:55:22 +09:00
Tatsuhiro Tsujikawa
2bfa772472
nghttpx: Update cipher suite list
2014-06-19 23:26:30 +09:00
Tatsuhiro Tsujikawa
87360b4f7d
nghttpx: Require TLSv1.2 for h2
2014-06-18 12:09:30 +09:00
Tatsuhiro Tsujikawa
041cec2d97
nghttpx: Check error from SSL_set_fd
2014-06-12 23:39:58 +09:00
Tatsuhiro Tsujikawa
21c4931197
nghttpx: Get rid of openssl filter
Libevent OpenSSL filter is very inconvenient in various respects. The
most annoying thing is it somehow emits data when SSL_shutdown is
called. The reason we introduced this filter solution is to drop the
connection if TLS renegotiation is detected. This commit implements
renegotiation detection and drops the connection without filtering.
2014-06-11 01:16:49 +09:00
Tatsuhiro Tsujikawa
d6b5824c9c
nghttpx: Don't check TLS requirement in ALPN cb because cipher obj is nullptr
Also don't compare ALPN identifiers with streq, since they are just
byte strings.
2014-06-10 23:22:52 +09:00
Tatsuhiro Tsujikawa
c204861dec
nghttpx: Create NPN prefs only once
2014-06-10 23:22:23 +09:00
Tatsuhiro Tsujikawa
7b0ed5d9bd
nghttpx: Only allow DHE, ECDHE + AEAD ciphers for HTTP/2
Cipher suites are chosen from DHE and ECDHE ciphers + GCM (AEAD). Now
the default cipher list is the one recommended by the Mozilla web site. The
--honor-cipher-order option is removed and it is now always assumed.
2014-06-10 22:47:22 +09:00
Tatsuhiro Tsujikawa
0fd5b2aa32
nghttpx: Use std::vector for tls_proto_list and npn_list
Now the SSL/TLS option mask to disable particular SSL/TLS protocol
versions is pre-calculated and stored in Config.
2014-06-08 23:09:44 +09:00
Tatsuhiro Tsujikawa
14b818efc8
nghttpx: Use std::unique_ptr<char[]> instead of char*
2014-06-08 21:02:40 +09:00
Tatsuhiro Tsujikawa
b8ed74c1ec
nghttpx: Disable SSL_CTX_set_ecdh_auto() for now
2014-06-06 23:17:32 +09:00
Tatsuhiro Tsujikawa
896717f5d4
nghttpx: Make --npn-list option work in ALPN
Previously the --npn-list option was ignored in the ALPN protocol selection
callback. This change fixes this issue.
2014-05-21 21:16:44 +09:00
Tatsuhiro Tsujikawa
2ae1da113e
src: Use C++ style comments for C++ source code
2014-05-14 23:22:23 +09:00
Tatsuhiro Tsujikawa
fa8b310cfd
nghttpx: Return SSL_TLSEXT_ERR_OK from servername_callback
2014-04-27 23:17:19 +09:00
Tatsuhiro Tsujikawa
6c66bd5c7c
ALPN: Do not negotiate HTTP/2 unless TLSv1.2 or TLSv1.1 was used
2014-04-26 22:37:48 +09:00
Tatsuhiro Tsujikawa
cd69ed20c3
nghttpx: Select SPDY protocol in ALPN
2014-04-26 19:36:35 +09:00
Tatsuhiro Tsujikawa
ab2dc5967d
Replace HTTP/2.0 with HTTP/2
2014-03-30 19:26:37 +09:00
Tatsuhiro Tsujikawa
a457d2a138
h2load, nghttp: Use SNI field for non-numeric host
2014-03-15 15:32:38 +09:00
Tatsuhiro Tsujikawa
d074cb611f
nghttpx: Add rate limit per worker thread
The existing options --{read,write}-{rate,burst} are per connection.
The new options --worker-{read,write}-{rate,burst} are per worker
thread, which is the overall rate limit for all connections the worker handles.
2014-03-09 14:53:28 +09:00
Tatsuhiro Tsujikawa
d4ea2418d8
nghttpx: Use LibsslGlobalLock
2014-03-04 21:33:43 +09:00
Tatsuhiro Tsujikawa
dfbea797bd
src: Use static_cast instead of reinterpret_cast if possible
2014-01-19 21:18:37 +09:00
Tatsuhiro Tsujikawa
f59a9c5c58
nghttpx: Disable TLS renegotiation properly
4ed4efc
does not disable TLS renegotiation at all if the client keeps
renegotiating without sending application data. In this change,
we intercept the raw incoming data from the client and, if it is a
renegotiation, drop the connection immediately.
2014-01-19 17:25:18 +09:00
Tatsuhiro Tsujikawa
4ed4efc241
nghttpx: Disable TLS renegotiation
2014-01-18 19:53:52 +09:00
Tatsuhiro Tsujikawa
8c6f3d1054
nghttpx: Set our own default cipher list
2014-01-13 23:01:22 +09:00
Tatsuhiro Tsujikawa
a15fc5fbb4
nghttpx: Send acceptable list of CAs when client cert auth is enabled
2014-01-09 00:07:51 +09:00
Tatsuhiro Tsujikawa
7ce3065f32
nghttpx: Add --tls-proto-list option to enable SSL/TLS protocol selectively
2014-01-02 13:08:54 +09:00
Tatsuhiro Tsujikawa
20877b1107
nghttpx: Don't allow application protocol not listed in --npn-list option
2014-01-02 00:53:07 +09:00
Tatsuhiro Tsujikawa
78e5149495
src: Support ALPN
Requires unreleased OpenSSL >= 1.0.2
2014-01-02 00:15:08 +09:00
Tatsuhiro Tsujikawa
f0d7323902
nghttpx: Use SSL_CTX_set_ecdh_auto for OpenSSL >= 1.0.2
2014-01-01 23:26:00 +09:00
Tatsuhiro Tsujikawa
69967aeef8
nghttpx: Add --client-private-key-file and --client-cert-file options
2013-11-02 23:34:25 +09:00
Tatsuhiro Tsujikawa
5bb7066474
nghttpx: Add --verify-client-cacert option
Using --cacert to load the certificate for client certificate authentication
is problematic since --cacert is also used for client mode.
This commit adds the --verify-client-cacert option, which specifies the CA
certificate file used only for client certificate validation.
This change also removes the default certificate load function for
client certificate validation.
2013-11-02 21:41:05 +09:00
Tatsuhiro Tsujikawa
02acfd7d70
nghttpx: Add --verify-client option
This option requires a client certificate and successful verification.
Use the --cacert option to add CA certificates as necessary.
2013-11-02 01:10:18 +09:00
Tatsuhiro Tsujikawa
a0326b3f2b
nghttpx: Handle error from bufferevent_socket_new and event_base_new
2013-09-24 23:17:53 +09:00
Tatsuhiro Tsujikawa
b459e42ee5
shrpx_ssl.cc: Use std::unique_ptr for ssl_locks
2013-09-24 21:31:48 +09:00
Tatsuhiro Tsujikawa
ab39ae849f
nghttpx: Add --npn-list option
2013-09-23 20:55:39 +09:00
Tatsuhiro Tsujikawa
e5e1e9b76e
shrpx_ssl.cc: Another code cleanup
2013-09-23 18:49:39 +09:00
Tatsuhiro Tsujikawa
bd55f9cf2a
shrpx_ssl.cc: Code cleanup
2013-09-23 18:40:17 +09:00
Tatsuhiro Tsujikawa
10f131c9d8
nghttpx: Guard ecdh use with !OPENSSL_NO_EC
2013-09-07 23:37:17 +09:00
Tatsuhiro Tsujikawa
9e703170cd
nghttpx: Enable --honor-cipher-order automatically when --ciphers is used
2013-08-30 23:02:47 +09:00
Tatsuhiro Tsujikawa
aea036c9d4
nghttpx: Support ECDHE and DHE cipher suites
Use the --dh-param-file option to specify a file containing DH parameters
in PEM format.
For example, you can create DH parameters with a 1024-bit key using the
following command:
$ openssl dhparam -outform PEM -out dhparam.pem 1024
2013-08-30 22:07:42 +09:00
Tatsuhiro Tsujikawa
32bd1425b4
shrpx: SPDY support in upstream connection
2013-07-26 20:12:55 +09:00
Tatsuhiro Tsujikawa
0edce70343
Rebranding nghttp2
2013-07-13 00:43:06 +09:00
moparisthebest
7dfa559bc4
Add --honor-cipher-order option to mitigate BEAST attacks
2013-04-18 14:25:48 -04:00
Tatsuhiro Tsujikawa
dbb0df5c5b
Remove strerror(3) from code which may run in multi-thread
2013-02-25 22:43:44 +09:00
Tatsuhiro Tsujikawa
64fcac48b7
shrpx: Fix bug in building certificate lookup tree
2013-02-16 17:51:38 +09:00
Tatsuhiro Tsujikawa
c8167234fa
shrpx: Fix bug in certificate lookup
2013-02-16 02:33:16 +09:00
Tatsuhiro Tsujikawa
291cbc639b
shrpx: Use patricia trie for cert lookup
2013-02-14 00:28:55 +09:00
Tatsuhiro Tsujikawa
c707125839
shrpx: Explicitly hold server SSL_CTX and client SSL_CTX
2013-02-07 21:13:36 +09:00
Tatsuhiro Tsujikawa
b18af854af
shrpx: Add --subcert option to add additional certificate/private key
This option specifies an additional certificate and private key
file. Shrpx will choose certificates based on the hostname indicated
by the client using the TLS SNI extension. This option can be used multiple
times.
2013-02-06 23:41:28 +09:00