walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity
2,051 Commits 28 Branches 113 Tags 39 MiB
Commit Graph

60 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 479e15469c nghttpx: Add worker-frontend-connections option 2014-06-26 22:55:22 +09:00
Tatsuhiro Tsujikawa 2bfa772472 nghttpx: Update cipher suite list 2014-06-19 23:26:30 +09:00
Tatsuhiro Tsujikawa 87360b4f7d nghttpx: Require TLSv.12 for h2 2014-06-18 12:09:30 +09:00
Tatsuhiro Tsujikawa 041cec2d97 nghttpx: Check error from SSL_set_fd 2014-06-12 23:39:58 +09:00
Tatsuhiro Tsujikawa 21c4931197 nghttpx: Get rid of openssl filter 
Libevent Openssl filter is very inconvenient in various respect.  The
most annoying thing is it somehow emits data when SSL_shutdown is
called.  The reason we introduced this filter solution is drop
connection if TLS renegotiation is detected.  This commit implements
renegotiation detection and drop connection without filtering.
 2014-06-11 01:16:49 +09:00
Tatsuhiro Tsujikawa d6b5824c9c nghttpx: Don't check TLS requirement in ALPN cb cause cipher obj is nullptr 
Also don't compare ALPN identifier with streq, since they are just
byte string.
 2014-06-10 23:22:52 +09:00
Tatsuhiro Tsujikawa c204861dec nghttpx: Create NPN prefs only once 2014-06-10 23:22:23 +09:00
Tatsuhiro Tsujikawa 7b0ed5d9bd nghttpx: Only allow DHE, ECDHE + AEAD ciphers for HTTP/2 
Cipher suites are chosen by DHE and ECDHE ciphers + GCM (AEAD).  Now
default cipher list is the one recommended by Mozilla web site.  The
--honor-cipher-order option is removed and now it is always assumed.
 2014-06-10 22:47:22 +09:00
Tatsuhiro Tsujikawa 0fd5b2aa32 nghttpx: Use std::vector for tls_proto_list and npn_list 
Now SSL/TLS option mask to disable particular SSL/TLS protocol
versions are pre-calculated and stored in Config.
 2014-06-08 23:09:44 +09:00
Tatsuhiro Tsujikawa 14b818efc8 nghttpx: Use std::unique_ptr<char[]> instead of char* 2014-06-08 21:02:40 +09:00
Tatsuhiro Tsujikawa b8ed74c1ec nghttpx: Disable SSL_CTX_set_ecdh_auto() for now 2014-06-06 23:17:32 +09:00
Tatsuhiro Tsujikawa 896717f5d4 nghttpx: Make --npn-list option work in ALPN 
Previously --npn-list option is ignored in ALPN protocol selection
callback.  This change fixes this issue.
 2014-05-21 21:16:44 +09:00
Tatsuhiro Tsujikawa 2ae1da113e src: Use C++ style comments for C++ source code 2014-05-14 23:22:23 +09:00
Tatsuhiro Tsujikawa fa8b310cfd nghttpx: Return SSL_TLSEXT_ERR_OK from servername_callback 2014-04-27 23:17:19 +09:00
Tatsuhiro Tsujikawa 6c66bd5c7c ALPN: Do not negotiate HTTP/2 unless TLSv1.2 or TLSv1.1 was used 2014-04-26 22:37:48 +09:00
Tatsuhiro Tsujikawa cd69ed20c3 nghttpx: Select SPDY protocol in ALPN 2014-04-26 19:36:35 +09:00
Tatsuhiro Tsujikawa ab2dc5967d Replace HTTP/2.0 with HTTP/2 2014-03-30 19:26:37 +09:00
Tatsuhiro Tsujikawa a457d2a138 h2load, nghttp: Use SNI field for non-numeric host 2014-03-15 15:32:38 +09:00
Tatsuhiro Tsujikawa d074cb611f nghttpx: Add rate limit per worker thread 
The existing options --{read,write}-{rate,burst} are per connection.
The new options --worker-{read,write}-{rate,burst} are per worker
thread, which is overall rate limit of all connections worker handles.
 2014-03-09 14:53:28 +09:00
Tatsuhiro Tsujikawa d4ea2418d8 nghttpx: Use LibsslGlobalLock 2014-03-04 21:33:43 +09:00
Tatsuhiro Tsujikawa dfbea797bd src: Use static_cast instead of reinterpret_cast if possible 2014-01-19 21:18:37 +09:00
Tatsuhiro Tsujikawa f59a9c5c58 nghttpx: Disable TLS renegotiation properly 
4ed4efc does not disable TLS renegotiation at all, if client keeps
rengotiations without sending application data. In this change,
we intercept the raw incoming data from the client and if it is a
renegotiation, drop the connection immediately.
 2014-01-19 17:25:18 +09:00
Tatsuhiro Tsujikawa 4ed4efc241 nghttpx: Disable TLS renegotiation 2014-01-18 19:53:52 +09:00
Tatsuhiro Tsujikawa 8c6f3d1054 nghttpx: Set our own default cipher list 2014-01-13 23:01:22 +09:00
Tatsuhiro Tsujikawa a15fc5fbb4 nghttpx: Send acceptable list of CAs when client cert auth is enabled 2014-01-09 00:07:51 +09:00
Tatsuhiro Tsujikawa 7ce3065f32 nghttpx: Add --tls-proto-list option to enable SSL/TLS protocol selectively 2014-01-02 13:08:54 +09:00
Tatsuhiro Tsujikawa 20877b1107 nghttpx: Don't allow application protocol not listed in --npn-list option 2014-01-02 00:53:07 +09:00
Tatsuhiro Tsujikawa 78e5149495 src: Support ALPN 
Requires unreleased OpenSSL >= 1.0.2
 2014-01-02 00:15:08 +09:00
Tatsuhiro Tsujikawa f0d7323902 nghttpx: Use SSL_CTX_set_ecdh_auto for OpenSSL >= 1.0.2 2014-01-01 23:26:00 +09:00
Tatsuhiro Tsujikawa 69967aeef8 nghttpx: Add --client-private-key-file and --client-cert-file options 2013-11-02 23:34:25 +09:00
Tatsuhiro Tsujikawa 5bb7066474 nghttpx: Add --verify-client-cacert option 
Using --cacert to load certificate for client certificate authentication
is problematic since, --cacert is also used for client mode.
This commit adds --verify-client-cacert option which specify the CA
certficate file used only for client certificate validation.
This change also removes the default certficate load function for
client certificate validation.
 2013-11-02 21:41:05 +09:00
Tatsuhiro Tsujikawa 02acfd7d70 nghttpx: Add --verify-client option 
This option requires client certificate and successful verification.
Use --cacert option to add CA certificates as necessary.
 2013-11-02 01:10:18 +09:00
Tatsuhiro Tsujikawa a0326b3f2b nghttpx: Handle error from bufferevent_socket_new and event_base_new 2013-09-24 23:17:53 +09:00
Tatsuhiro Tsujikawa b459e42ee5 shrpx_ssl.cc: Use std::unique_ptr for ssl_locks 2013-09-24 21:31:48 +09:00
Tatsuhiro Tsujikawa ab39ae849f nghttpx: Add --npn-list option 2013-09-23 20:55:39 +09:00
Tatsuhiro Tsujikawa e5e1e9b76e shrpx_ssl.cc: Another code cleanup 2013-09-23 18:49:39 +09:00
Tatsuhiro Tsujikawa bd55f9cf2a shrxp_ssl.cc: Code cleanup 2013-09-23 18:40:17 +09:00
Tatsuhiro Tsujikawa 10f131c9d8 nghttpx: Guard ecdh use with !OPENSSL_NO_EC 2013-09-07 23:37:17 +09:00
Tatsuhiro Tsujikawa 9e703170cd nghttpx: Enable --honor-cipher-order automatically when --ciphers is used 2013-08-30 23:02:47 +09:00
Tatsuhiro Tsujikawa aea036c9d4 nghttpx: Support ECDHE and DHE cipher suites 
Use --dh-param-file option to specify a file including DH parameters
in PEM format.

For example, you can create DH parameters with 1024 bit key using
following command:

$ openssl dhparam -outform PEM -out dhparam.pem 1024
 2013-08-30 22:07:42 +09:00
Tatsuhiro Tsujikawa 32bd1425b4 shrpx: SPDY support in upstream connection 2013-07-26 20:12:55 +09:00
Tatsuhiro Tsujikawa 0edce70343 Rebranding nghttp2 2013-07-13 00:43:06 +09:00
moparisthebest 7dfa559bc4 Add --honor-cipher-order option to mitigate BEAST attacks 2013-04-18 14:25:48 -04:00
Tatsuhiro Tsujikawa dbb0df5c5b Remove strerror(3) from code which may run in multi-thread 2013-02-25 22:43:44 +09:00
Tatsuhiro Tsujikawa 64fcac48b7 shrpx: Fix bug in building certificate lookup tree 2013-02-16 17:51:38 +09:00
Tatsuhiro Tsujikawa c8167234fa shrpx: Fix bug in certificate lookup 2013-02-16 02:33:16 +09:00
Tatsuhiro Tsujikawa 291cbc639b shrpx: Use patricia trie for cert lookup 2013-02-14 00:28:55 +09:00
Tatsuhiro Tsujikawa c707125839 shrpx: Explicitly hold server SSL_CTX and client SSL_CTX 2013-02-07 21:13:36 +09:00
Tatsuhiro Tsujikawa b18af854af shrpx: Add --subcert option to add additional certificate/private key 
This option specifies additional certificate and private key
file. Shrpx will choose certificates based on the hostname indicated
by client using TLS SNI extension. This option can be used multiple
times.
 2013-02-06 23:41:28 +09:00
Tatsuhiro Tsujikawa 65e965791f shrpx: Replace strncpy + putting null with memcpy in ssl_pem_passwd_cb 2012-12-07 23:42:58 +09:00