httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: svn commit: r1670397 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c mod_ssl.h ssl_engine_config.c ssl_engine_io.c ssl_private.h
Date Sun, 05 Apr 2015 13:30:47 GMT
On 31.03.2015 19:12, jim@apache.org wrote:
> Author: jim
> Date: Tue Mar 31 17:12:51 2015
> New Revision: 1670397
> 
> URL: http://svn.apache.org/r1670397
> Log:
> ALPN support, based on mod_spdy/mod_h2 patch set
> 
> Modified:
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/mod_ssl.h
>     httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
> 
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1670397&r1=1670396&r2=1670397&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Tue Mar 31 17:12:51 2015
> @@ -283,6 +283,12 @@ static const command_rec ssl_config_cmds
>                  "OpenSSL configuration command")
>  #endif
>  
> +#if defined(HAVE_TLS_ALPN) || defined(HAVE_TLS_NPN)
> +    SSL_CMD_SRV(AlpnPreference, ITERATE,
> +                "Preference in Application-Layer Protocol Negotiation (ALPN), "
> +                "protocols are chosed in the specified order")
> +#endif
> +    
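Review bot: the last added line of this hunk (`+    `) is whitespace only; drop it so the commit does not introduce trailing whitespace after the `#endif`. The help string also reads "chosed" where "chosen" is meant, and a new server directive like AlpnPreference needs a matching entry in the mod_ssl documentation before it ships.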

s/chosed/chosen/ - and please add docs for this to mod_ssl.xml, too.


> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1670397&r1=1670396&r2=1670397&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Tue Mar 31 17:12:51 2015
> @@ -181,6 +181,16 @@
>  #define HAVE_TLS_NPN
>  #endif
>  
> +/* ALPN Protocol Negotiation */
> +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)
> +#define HAVE_TLS_ALPN
> +#endif
> +
> +/* Next Protocol Negotiation */
> +#if !defined(OPENSSL_NO_NEXTPROTONEG) && !defined(OPENSSL_NO_TLSEXT) &&
defined(OPENSSL_NPN_NEGOTIATED)
> +#define HAVE_TLS_NPN
> +#endif
> +
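Review bot: HAVE_TLS_NPN is now defined twice in this file. The unchanged context at the top of the hunk ends with an existing `#define HAVE_TLS_NPN` / `#endif`, and the added block defines it again under a different condition (`!defined(OPENSSL_NO_NEXTPROTONEG) && !defined(OPENSSL_NO_TLSEXT) && defined(OPENSSL_NPN_NEGOTIATED)`), so which condition actually governs NPN support depends on evaluation order rather than on one clear test; keep a single definition. For HAVE_TLS_ALPN, `OPENSSL_VERSION_NUMBER >= 0x10002000L` ties the build to a version number rather than to the presence of the ALPN feature itself; testing the ALPN extension macro the headers provide is more robust.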

Instead of hardcoding OpenSSL version numbers, we should rely on
feature-based detection - in this case, we can use

  #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)

(see
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b0d6f3c58fc86756574b410cb6a32589477d3954,
the ALPN backport to 1.0.2)

Also, the two "&& !defined(OPENSSL_NO_TLSEXT)" can be dropped, since
we're already in a larger "#if !defined(OPENSSL_NO_TLSEXT) ..." block.


And with regard to:

On 01.04.2015 22:33, Jim Jagielski wrote:
> Yeah, I agree. Right now, trunk pretty much uses
> 
> 	#ifdef HAVE_TLS_ALPN
> 	blah blah
> 	#endif
> 	#ifdef HAVE_TLS_NPN
> 	blah2 blah2
> 	#endif
> 
> Instead of
> 
> 	#if defined(HAVE_TLS_NPN) || defined(HAVE_TLS_ALPN)
> 
> so that "ripping out" NPN would be easier. The question is
> which to use for 2.4...

My vote is clearly for only having ALPN in 2.4 - implementations of
draft protocol versions shouldn't creep into stable httpd
releases, in particular when they have been superseded by a
standards-track RFC meanwhile (RFC 7301 was published in July 2014, and
even Google has announced its plans to drop NPN early next year,
http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html).

Kaspar
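The AlpnPreference directive in the quoted mod_ssl.c hunk is described as choosing protocols "in the specified order". The C code below is an added illustration, not part of r1670397 or of Kaspar's message, of what such a server-preference selection looks like over the RFC 7301 wire format, including the bounds check a server must apply to the client-supplied list before reading any entry. The function names (alpn_select, alpn_choose), the sample lists and the preference order are constructed for this example; the code does not depend on OpenSSL, but the buffer layout is the one OpenSSL hands to the callback registered with SSL_CTX_set_alpn_select_cb().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Server-side ALPN selection in "AlpnPreference" order.
 *
 * client_list/client_len: the ProtocolNameList from the client's ALPN
 * extension (RFC 7301): entries of one length byte followed by that many
 * name bytes, no terminators.  This is the buffer OpenSSL passes to an
 * SSL_CTX_set_alpn_select_cb() callback.  It is peer-controlled, so every
 * length byte is checked against the remaining bytes before use.
 *
 * Returns  1 and sets *out/*outlen on a match (pointing into client_list),
 *          0 when no preferred protocol was offered,
 *         -1 when the client list is malformed (empty or truncated entry).
 */
int alpn_select(const char *const *prefs, size_t nprefs,
                const unsigned char *client_list, unsigned int client_len,
                const unsigned char **out, unsigned char *outlen)
{
    unsigned int pos;
    size_t i;

    /* Pass 1: validate the whole list before trusting any entry in it. */
    for (pos = 0; pos < client_len; pos += 1 + client_list[pos]) {
        unsigned int len = client_list[pos];
        if (len == 0 || len > client_len - pos - 1)
            return -1;
    }

    /* Pass 2: the server's order decides, not the client's. */
    for (i = 0; i < nprefs; i++) {
        size_t plen = strlen(prefs[i]);
        if (plen == 0 || plen > 255)
            continue;                /* not representable in an ALPN entry */
        for (pos = 0; pos < client_len; pos += 1 + client_list[pos]) {
            unsigned int len = client_list[pos];
            if (len == plen &&
                memcmp(client_list + pos + 1, prefs[i], plen) == 0) {
                *out = client_list + pos + 1;
                *outlen = (unsigned char)len;
                return 1;
            }
        }
    }
    return 0;
}

/* Convenience wrapper: copy the winner out as a NUL-terminated string. */
int alpn_choose(const char *const *prefs, size_t nprefs,
                const unsigned char *client_list, unsigned int client_len,
                char *name, size_t name_size)
{
    const unsigned char *sel = NULL;
    unsigned char sel_len = 0;
    int rc = alpn_select(prefs, nprefs, client_list, client_len, &sel, &sel_len);

    if (name_size > 0)
        name[0] = '\0';
    if (rc == 1 && name_size > sel_len) {
        memcpy(name, sel, sel_len);
        name[sel_len] = '\0';
    }
    return rc;
}

/* Constructed sample ClientHello ALPN list: "h2", "spdy/3.1", "http/1.1". */
const unsigned char sample_client[] = {
    2, 'h', '2',
    8, 's', 'p', 'd', 'y', '/', '3', '.', '1',
    8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};

/* Constructed malformed list: second entry claims 9 bytes but only 8 follow. */
const unsigned char malformed_client[] = {
    2, 'h', '2',
    9, 'h', 't', 't', 'p', '/', '1', '.', '1'
};

int main(void)
{
    /* Hypothetical "AlpnPreference http/1.1 h2": HTTP/1.1 wins although the
       client listed h2 first. */
    const char *const prefs[] = { "http/1.1", "h2" };
    char name[256];
    int rc = alpn_choose(prefs, 2, sample_client, sizeof sample_client,
                         name, sizeof name);
    printf("rc=%d selected=%s\n", rc, name);

    rc = alpn_choose(prefs, 2, malformed_client, sizeof malformed_client,
                     name, sizeof name);
    printf("rc=%d (malformed list rejected)\n", rc);
    return 0;
}
```

The two-pass structure is deliberate: validating the entire list first means a truncated length byte late in the list can never cause an out-of-bounds read during matching, and a malformed list is rejected outright rather than partially honoured. Returning a pointer into the client's own buffer mirrors what the OpenSSL callback expects for its out/outlen parameters.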
