NPN has been superseded by ALPN. OpenSSL provides a configure
option to disable NPN (no-npn) which results in an OpenSSL
installation that defines OPENSSL_NO_NEXTPROTONEG in opensslconf.h.
The #ifdefs look safe here (as next_proto is initialized as
nullptr). Alternatively, macros could be defined for the used NPN
methods that return a 0 for next_proto.
Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>

If OpenSSL supports TLSv1.3, enable it by default for all applications
under src. BoringSSL can work at the moment although it does not
unlock all the features nghttpx offers. OpenSSL's TLSv1.3 support is
still WIP at the time of writing.

boringssl says:
/* It is an error to clear any bits that have already been set. (We can't try
 * to get a second close_notify or send two.) */
assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));

This commit adds the ability to check the status of a cached file descriptor to
make sure that it can be reused. We inspect the last modification time
and the number of hard links. If the last modification time has changed since the
last validation, or the number of hard links becomes 0, we don't reuse the
file descriptor. We also capped the upper limit of cached file
descriptors. If the limit is reached, we will close the file descriptor
which is least recently used and whose usecount is 0.

To make fd caching more robust (e.g. across several
connections), eviction of cached file descriptors now takes place using a
timer. The timer is started when there is no handler (no
connections). The timeout value is hard-coded to 2 seconds.

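The validation and capping logic described in the two commits above, as an added C++ example that is not nghttp2's own code: CachedFd, open_cached, validate_cached_fd and evict_to_cap are hypothetical names, and the cache is a std::list whose front is the most recently used entry.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdlib>
#include <list>

// Hypothetical cache entry (not nghttp2's own type): an open descriptor, the
// mtime observed at the last validation, and how many handlers use the fd.
struct CachedFd {
  int fd;
  time_t last_mtime;
  int usecount;
};

// Open path and record its current mtime; fd == -1 on failure.
CachedFd open_cached(const char *path) {
  CachedFd ent{-1, 0, 0};
  struct stat st;
  int fd = open(path, O_RDONLY);
  if (fd < 0) return ent;
  if (fstat(fd, &st) != 0) { close(fd); return ent; }
  ent.fd = fd;
  ent.last_mtime = st.st_mtime;
  return ent;
}

// A cached descriptor may be reused only if the file still has at least one
// hard link (not unlinked) and its mtime is unchanged since last validation.
// fstat on the descriptor still reaches the inode after an unlink.
bool validate_cached_fd(const CachedFd &ent) {
  struct stat st;
  if (fstat(ent.fd, &st) != 0) return false;
  if (st.st_nlink == 0) return false;   // file deleted: do not reuse
  return st.st_mtime == ent.last_mtime; // false if modified since validation
}

// Enforce the cap: walk from the least recently used end (back) to the front,
// closing and dropping entries with usecount 0 until size <= cap. Entries
// still in use are skipped, so the cache may temporarily exceed the cap.
void evict_to_cap(std::list<CachedFd> &cache, size_t cap) {
  auto it = cache.end();
  while (it != cache.begin() && cache.size() > cap) {
    --it;
    if (it->usecount == 0) {
      close(it->fd);
      it = cache.erase(it);
    }
  }
}
```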
Compile with BoringSSL except for neverbleed and libnghttp2_asio. The
former uses ENGINE and RSA_METHOD, and they are quite different
between OpenSSL and BoringSSL. The latter uses boost::asio, which
calls OpenSSL functions deleted in BoringSSL.