拦截策略支持allow_http2的开关；恢复cmakelist漏掉的HTTP2的编译开关。

2019-05-27 14:17:52 +08:00
parent e53f5ebcf2
commit ea1f876eb7
4 changed files with 21 additions and 5 deletions
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -182,6 +182,7 @@ struct ssl_upstream_parts
 	char block_fake_cert;
 	struct ssl_service_status svc_status;
 	enum ssl_stream_action action;
+	int apln_enabled;
 	int keyring_id;
 	struct ssl_chello * client_hello;
 	int is_server_cert_verify_passed;
@@ -892,7 +893,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
 	{
 		SSL_set_tlsext_host_name(ssl, chello->sni);
 	}
-	if (chello->alpn && !mgr->no_alpn)
+	if (chello->alpn && s_stream->up_parts.apln_enabled)
 	{
 		ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
 		assert(ret==0);
@@ -1603,7 +1604,7 @@ void downstream_ossl_init(struct ssl_stream *s_stream)
 		SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
 		EC_KEY_free(ecdh);
 	}
-	if(!mgr->no_alpn && selected_alpn)
+	if(s_stream->peer->up_parts.apln_enabled && selected_alpn)
 	{
 		SSL_CTX_set_alpn_select_cb(sslctx, alpn_select_proto_cb, (void*)selected_alpn);
 	}
@@ -1992,7 +1993,7 @@ void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr)
 int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT  opt_type, int opt_val)
 {
 	struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param);
-
+	assert(upstream->dir==CONN_DIR_UPSTREAM);
 	switch(opt_type)
 	{
 		case	SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED:
@@ -2016,6 +2017,9 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 		case	SSL_STREAM_OPT_PROTOCOL_MAX_VERSION:
 			upstream->ssl_max_version=opt_val;
 			break;
+		case	SSL_STREAM_OPT_ENABLE_ALPN:
+			upstream->up_parts.apln_enabled=opt_val;
+			break;
 		case	SSL_STREAM_OPT_KEYRING_ID:
 			upstream->up_parts.keyring_id=opt_val;
 			break;