moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

NPN/ALPN: allow disabling via command line 

when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.

TODO: honor this option with GnuTLS and OpenSSL
This commit is contained in:
Fabian Frank 2014-02-09 23:38:55 -08:00 committed by Daniel Stenberg
parent 70bd9784de
commit 909a68c121
11 changed files with 87 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/curl.1
View File

@ -133,6 +133,18 @@ version. (Added in 7.33.0)
.IP "--http2"
(HTTP) Tells curl to issue its requests using HTTP 2. This requires that the
underlying libcurl was built to support it. (Added in 7.33.0)
.IP "--no-npn"
Disable the NPN TLS extension. NPN is enabled by default if libcurl was built
with an SSL library that supports NPN. NPN is used by a libcurl that supports
HTTP 2 to negoatiate HTTP 2 support with the server during https sessions.
(Added in 7.36.0)
.IP "--no-alpn"
Disable the ALPN TLS extension. ALPN is enabled by default if libcurl was built
with an SSL library that supports ALPN. ALPN is used by a libcurl that supports
HTTP 2 to negoatiate HTTP 2 support with the server during https sessions.
(Added in 7.36.0)
.IP "-1, --tlsv1"
(SSL)
Forces curl to use TLS version 1 when negotiating with a remote TLS server.

2
docs/libcurl/symbols-in-versions
View File

@ -495,6 +495,8 @@ CURLOPT_SSLKEY 7.9.3
CURLOPT_SSLKEYPASSWD 7.9.3 7.17.0
CURLOPT_SSLKEYTYPE 7.9.3
CURLOPT_SSLVERSION 7.1
CURLOPT_SSL_ENABLE_ALPN 7.36.0
CURLOPT_SSL_ENABLE_NPN 7.36.0
CURLOPT_SSL_CIPHER_LIST 7.9
CURLOPT_SSL_CTX_DATA 7.10.6
CURLOPT_SSL_CTX_FUNCTION 7.10.6

6
include/curl/curl.h
View File

@ -1571,6 +1571,12 @@ typedef enum {
/* Set authentication options directly */
CINIT(LOGIN_OPTIONS, OBJECTPOINT, 224),
/* Enable/disable TLS NPN extension (http2 over ssl might fail without) */
CINIT(SSL_ENABLE_NPN, LONG, 225),
/* Enable/disable TLS ALPN extension (http2 over ssl might fail without) */
CINIT(SSL_ENABLE_ALPN, LONG, 226),
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;

8
lib/url.c
View File

@ -563,6 +563,8 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
set->tcp_keepintvl = 60;
set->tcp_keepidle = 60;
set->ssl_enable_npn = TRUE;
set->ssl_enable_alpn = TRUE;
return res;
}
@ -2478,6 +2480,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
case CURLOPT_TCP_KEEPINTVL:
data->set.tcp_keepintvl = va_arg(param, long);
break;
case CURLOPT_SSL_ENABLE_NPN:
data->set.ssl_enable_npn = (0 != va_arg(param, long))?TRUE:FALSE;
break;
case CURLOPT_SSL_ENABLE_ALPN:
data->set.ssl_enable_alpn = (0 != va_arg(param, long))?TRUE:FALSE;
break;
default:
/* unknown tag and its companion, just ignore: */

3
lib/urldata.h
View File

@ -1593,6 +1593,9 @@ struct UserDefined {
long tcp_keepintvl; /* seconds between TCP keepalive probes */
size_t maxconnects; /* Max idle connections in the connection cache */
bool ssl_enable_npn; /* TLS NPN extension? */
bool ssl_enable_alpn; /* TLS ALPN extension? */
};
struct Names {

53
lib/vtls/nss.c
View File

@ -616,15 +616,16 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
{
struct connectdata *conn = (struct connectdata*) arg;
#ifndef USE_NGHTTP2
(void)sock;
(void)conn;
#else
#ifdef USE_NGHTTP2
unsigned int buflenmax = 50;
unsigned char buf[50];
unsigned int buflen;
SSLNextProtoState state;
if(!conn->data->set.ssl_enable_npn && !conn->data->set.ssl_enable_alpn) {
return;
}
if(SSL_GetNextProto(sock, &state, buf, &buflen, buflenmax) == SECSuccess) {
switch(state) {
@ -1311,6 +1312,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
#endif
#endif
if(connssl->state == ssl_connection_complete)
return CURLE_OK;
@ -1485,32 +1487,45 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
}
#ifdef USE_NGHTTP2
if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
#ifdef SSL_ENABLE_NPN
if(SSL_OptionSet(connssl->handle, SSL_ENABLE_NPN, PR_TRUE) != SECSuccess)
goto error;
if(data->set.ssl_enable_npn) {
if(SSL_OptionSet(connssl->handle, SSL_ENABLE_NPN, PR_TRUE) != SECSuccess)
goto error;
}
#endif
#ifdef SSL_ENABLE_ALPN
if(SSL_OptionSet(connssl->handle, SSL_ENABLE_ALPN, PR_TRUE) != SECSuccess)
goto error;
if(data->set.ssl_enable_alpn) {
if(SSL_OptionSet(connssl->handle, SSL_ENABLE_ALPN, PR_TRUE)
!= SECSuccess)
goto error;
}
#endif
#if defined(SSL_ENABLE_NPN) || defined(SSL_ENABLE_ALPN)
alpn_protos[cur] = NGHTTP2_PROTO_VERSION_ID_LEN;
cur++;
memcpy(&alpn_protos[cur], NGHTTP2_PROTO_VERSION_ID,
NGHTTP2_PROTO_VERSION_ID_LEN);
cur += NGHTTP2_PROTO_VERSION_ID_LEN;
alpn_protos[cur] = ALPN_HTTP_1_1_LENGTH;
cur++;
memcpy(&alpn_protos[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
if(data->set.ssl_enable_npn || data->set.ssl_enable_alpn) {
alpn_protos[cur] = NGHTTP2_PROTO_VERSION_ID_LEN;
cur++;
memcpy(&alpn_protos[cur], NGHTTP2_PROTO_VERSION_ID,
NGHTTP2_PROTO_VERSION_ID_LEN);
cur += NGHTTP2_PROTO_VERSION_ID_LEN;
alpn_protos[cur] = ALPN_HTTP_1_1_LENGTH;
cur++;
memcpy(&alpn_protos[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
if(SSL_SetNextProtoNego(connssl->handle, alpn_protos, alpn_protos_len)
!= SECSuccess)
goto error;
if(SSL_SetNextProtoNego(connssl->handle, alpn_protos, alpn_protos_len)
!= SECSuccess)
goto error;
}
else {
infof(data, "SSL, can't negotiate HTTP/2.0 with neither NPN nor ALPN\n");
}
#endif
}
#endif
/* Force handshake on next I/O */
SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);

2
src/tool_cfgable.h
View File

@ -214,6 +214,8 @@ struct Configurable {
bool test_event_based;
#endif
char *xoauth2_bearer; /* XOAUTH2 bearer token */
bool nonpn; /* enable/disable TLS NPN extension */
bool noalpn; /* enable/disable TLS ALPN extension */
struct Configurable* prev;
struct Configurable* next; /* Always last in the struct */

8
src/tool_getparam.c
View File

@ -90,7 +90,9 @@ static const struct LongShort aliases[]= {
#endif
{"*F", "dns-servers", TRUE},
{"*g", "trace", TRUE},
{"*G", "npn", FALSE},
{"*h", "trace-ascii", TRUE},
{"*H", "alpn", FALSE},
{"*i", "limit-rate", TRUE},
{"*j", "compressed", FALSE},
{"*J", "tr-encoding", FALSE},
@ -554,6 +556,9 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
warnf(config, "--trace overrides an earlier trace/verbose option\n");
config->tracetype = TRACE_BIN;
break;
case 'G': /* --npn */
config->nonpn = (!toggle)?TRUE:FALSE;
break;
case 'h': /* --trace-ascii */
GetStr(&config->trace_dump, nextarg);
if(config->tracetype && (config->tracetype != TRACE_ASCII))
@ -561,6 +566,9 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
"--trace-ascii overrides an earlier trace/verbose option\n");
config->tracetype = TRACE_ASCII;
break;
case 'H': /* --alpn */
config->noalpn = (!toggle)?TRUE:FALSE;
break;
case 'i': /* --limit-rate */
{
/* We support G, M, K too */

2
src/tool_help.c
View File

@ -105,6 +105,8 @@ static const char *const helptext[] = {
" -0, --http1.0 Use HTTP 1.0 (H)",
" --http1.1 Use HTTP 1.1 (H)",
" --http2 Use HTTP 2 (H)",
" --no-npn Disable the NPN TLS extension",
" --no-alpn Disable the ALPN TLS extension",
" --ignore-content-length Ignore the HTTP Content-Length header",
" -i, --include Include protocol headers in the output (H/F)",
" -k, --insecure Allow connections to SSL sites without certs (H)",

8
src/tool_operate.c
View File

@ -1350,6 +1350,14 @@ static int operate_do(struct Configurable *config)
if(config->sasl_ir)
my_setopt(curl, CURLOPT_SASL_IR, 1L);
if(config->nonpn) {
my_setopt(curl, CURLOPT_SSL_ENABLE_NPN, 0L);
}
if(config->noalpn) {
my_setopt(curl, CURLOPT_SSL_ENABLE_ALPN, 0L);
}
/* initialize retry vars for loop below */
retry_sleep_default = (config->retry_delay) ?
config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */

2
src/tool_setopt.c
View File

@ -145,6 +145,8 @@ const NameValue setopt_nv_CURLPROTO[] = {
static const NameValue setopt_nv_CURLNONZERODEFAULTS[] = {
NV1(CURLOPT_SSL_VERIFYPEER, 1),
NV1(CURLOPT_SSL_VERIFYHOST, 1),
NV1(CURLOPT_SSL_ENABLE_NPN, 1),
NV1(CURLOPT_SSL_ENABLE_ALPN, 1),
NVEND
};