Changeset a900948 in mod_gnutls


Timestamp:
Jan 3, 2019, 9:40:17 AM (3 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
b6c7866
Parents:
4d38cbd
Message:

Support multiple ALPN proposals for proxy TLS connections

The note from the proxy module is split at " " or "," like in mod_ssl.

Files:
2 edited

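--- a/CHANGELOG
+++ b/CHANGELOG
@@ -25,4 +25,6 @@
   directives for overlapping virtual hosts. Thanks to Vincent Tamet
   for the bug report!
+- ALPN is now supported for proxy connections, making HTTP/2 proxy
+  connections using mod_proxy_http2 possible.
 - GnuTLSPriorities is optional now and defaults to "NORMAL" if
   missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is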
  • src/gnutls_proxy.c

    r4d38cbd ra900948  
    319319
    320320
     321/** Initial size for the APR array storing ALPN protocol
     322 * names. Currently only mod_proxy_http2 uses ALPN for proxy
     323 * connections and proposes "h2" exclusively. This provides enough
     324 * room without additional allocation even if an HTTP/1.1 fallback
     325 * should be added while still being small. */
     326#define INIT_ALPN_ARR_SIZE 2
     327
     328/**
     329 * Set ALPN proposals for a proxy handshake based on the note from the
     330 * proxy module (see `PROXY_SNI_NOTE`). The note is expected to
     331 * contain a string, multiple protocol names can be separated by ","
     332 * or " ", or a combination of them.
     333 *
     334 * @param ctxt the mod_gnutls connection handle
     335 */
    321336static void proxy_conn_set_alpn(mgs_handle_t *ctxt)
    322337{
     
    325340    if (proxy_alpn == NULL)
    326341        return;
    327 
    328     // TODO: mod_ssl ssl_engine_io.c does some tokenization of
    329     // the input string, so it looks like the API allows
    330     // multiple protocols.
    331     gnutls_datum_t alpn_proto = {
    332         .data = (unsigned char *) apr_pstrdup(ctxt->c->pool, proxy_alpn),
    333         .size = strlen(proxy_alpn)
    334     };
    335     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
    336                   "%s: proxy module requests ALPN proto '%s', "
     342    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
     343                  "%s: proxy module ALPN note is '%s', "
    337344                  "length %" APR_SIZE_T_FMT ".",
    338345                  __func__, proxy_alpn, strlen(proxy_alpn));
     346
     347    apr_array_header_t* protocols =
     348        apr_array_make(ctxt->c->pool, INIT_ALPN_ARR_SIZE,
     349                       sizeof(const char *));
     350
     351    /* mod_ssl tokenizes the note by "," or " " to allow multiple
     352     * protocols. We need to copy the note because apr_strtok()
     353     * modifies the string to make each token NULL terminated. On the
     354     * plus side that means we do not need to copy individual
     355     * tokens. */
     356    char *tok = apr_pstrdup(ctxt->c->pool, proxy_alpn);
     357    /* state for apr_strtok, pointer to character following current
     358     * token */
     359    char *last = NULL;
     360    while ((tok = apr_strtok(tok, ", ", &last)))
     361    {
     362        APR_ARRAY_PUSH(protocols, const char *) = tok;
     363        tok = NULL;
     364    }
     365
     366    gnutls_datum_t* alpn_protos =
     367        mgs_str_array_to_datum_array(protocols,
     368                                     ctxt->c->pool,
     369                                     protocols->nelts);
    339370    int ret = gnutls_alpn_set_protocols(ctxt->session,
    340                                         &alpn_proto,
    341                                         1 /* number of proposals */,
     371                                        alpn_protos,
     372                                        protocols->nelts,
    342373                                        0 /* flags */);
    343374    if (ret != GNUTLS_E_SUCCESS)
    344375        ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
    345                       "Could not set ALPN proposal '%s' for proxy "
     376                      "Could not set ALPN proposals for proxy "
    346377                      "connection: %s (%d)",
    347                       proxy_alpn, gnutls_strerror(ret), ret);
     378                      gnutls_strerror(ret), ret);
    348379}
    349380
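Review bot: A note that tokenizes to nothing (an empty string, or only "," and " " characters) leaves `protocols->nelts` at 0 after the `apr_strtok()` loop and still reaches `gnutls_alpn_set_protocols()` with zero proposals; whether GnuTLS rejects that or quietly negotiates an empty extension is not visible here, and what `mgs_str_array_to_datum_array()` does with an empty array is unknown too, so an explicit guard after the loop, `if (protocols->nelts == 0) return;` (with a trace log like the one above it), would keep the proxy handshake free of a degenerate ALPN extension. The rendered section drops the two lines between `{` and the `proxy_alpn == NULL` check, so where `proxy_alpn` is read from the connection notes is not shown. As a style point, `apr_array_header_t* protocols` and `gnutls_datum_t* alpn_protos` bind the `*` to the type while the rest of the function (`mgs_handle_t *ctxt`, `char *tok`) binds it to the name.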