comparison src/http/modules/ngx_http_ssl_module.c @ 390:0b6053502c55 NGINX_0_7_7
nginx 0.7.7
*) Change: now the EAGAIN error returned by connect() is not considered
as temporary error.
*) Change: now the $ssl_client_cert variable value is a certificate
with a TAB character indented before each line except the first one; an
unchanged certificate is available in the $ssl_client_raw_cert
variable.
*) Feature: the "ask" parameter in the "ssl_verify_client" directive.
*) Feature: byte-range processing improvements.
Thanks to Maxim Dounin.
*) Feature: the "directio" directive.
*) Feature: MacOSX 1.5 sendfile() support.
*) Bugfix: now in MacOSX and Cygwin locations are tested in case
insensitive mode; however, the compare is provided by single-byte
locales only.
*) Bugfix: mail proxy SSL connections hanged, if select, poll, or
/dev/poll methods were used.
*) Bugfix: UTF-8 encoding usage in the ngx_http_autoindex_module.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Wed, 30 Jul 2008 00:00:00 +0400 |
parents | bc21d9cd9c54 |
children | a094317ba307 |
389:930e48a26dde | 390:0b6053502c55 |
---|---|
11 | 11 |
12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, | 12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
13 ngx_pool_t *pool, ngx_str_t *s); | 13 ngx_pool_t *pool, ngx_str_t *s); |
14 | 14 |
15 | 15 |
16 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" | 16 #define NGX_DEFAULT_CERTIFICATE "cert.pem" |
17 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" | 17 #define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem" |
18 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" | 18 #define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" |
19 | 19 |
20 | 20 |
21 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, | 21 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, |
22 ngx_http_variable_value_t *v, uintptr_t data); | 22 ngx_http_variable_value_t *v, uintptr_t data); |
23 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, | 23 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, |
47 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | 47 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, |
48 { ngx_null_string, 0 } | 48 { ngx_null_string, 0 } |
49 }; | 49 }; |
50 | 50 |
51 | 51 |
52 static ngx_conf_enum_t ngx_http_ssl_verify[] = { | |
53 { ngx_string("off"), 0 }, | |
54 { ngx_string("on"), 1 }, | |
55 { ngx_string("ask"), 2 }, | |
56 { ngx_null_string, 0 } | |
57 }; | |
58 | |
59 | |
52 static ngx_command_t ngx_http_ssl_commands[] = { | 60 static ngx_command_t ngx_http_ssl_commands[] = { |
53 | 61 |
54 { ngx_string("ssl"), | 62 { ngx_string("ssl"), |
55 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 63 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
56 ngx_conf_set_flag_slot, | 64 ngx_conf_set_flag_slot, |
93 offsetof(ngx_http_ssl_srv_conf_t, ciphers), | 101 offsetof(ngx_http_ssl_srv_conf_t, ciphers), |
94 NULL }, | 102 NULL }, |
95 | 103 |
96 { ngx_string("ssl_verify_client"), | 104 { ngx_string("ssl_verify_client"), |
97 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 105 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
98 ngx_conf_set_flag_slot, | 106 ngx_conf_set_enum_slot, |
99 NGX_HTTP_SRV_CONF_OFFSET, | 107 NGX_HTTP_SRV_CONF_OFFSET, |
100 offsetof(ngx_http_ssl_srv_conf_t, verify), | 108 offsetof(ngx_http_ssl_srv_conf_t, verify), |
101 NULL }, | 109 &ngx_http_ssl_verify }, |
102 | 110 |
103 { ngx_string("ssl_verify_depth"), | 111 { ngx_string("ssl_verify_depth"), |
104 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, | 112 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
105 ngx_conf_set_num_slot, | 113 ngx_conf_set_num_slot, |
106 NGX_HTTP_SRV_CONF_OFFSET, | 114 NGX_HTTP_SRV_CONF_OFFSET, |
183 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 191 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
184 | 192 |
185 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, | 193 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, |
186 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 194 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
187 | 195 |
196 { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable, | |
197 (uintptr_t) ngx_ssl_get_raw_certificate, | |
198 NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
199 | |
188 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable, | 200 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable, |
189 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 201 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
190 | 202 |
191 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable, | 203 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable, |
192 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 204 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
305 * sscf->ciphers.data = NULL; | 317 * sscf->ciphers.data = NULL; |
306 * sscf->shm_zone = NULL; | 318 * sscf->shm_zone = NULL; |
307 */ | 319 */ |
308 | 320 |
309 sscf->enable = NGX_CONF_UNSET; | 321 sscf->enable = NGX_CONF_UNSET; |
322 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | |
310 sscf->verify = NGX_CONF_UNSET; | 323 sscf->verify = NGX_CONF_UNSET; |
311 sscf->verify_depth = NGX_CONF_UNSET; | 324 sscf->verify_depth = NGX_CONF_UNSET; |
312 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | |
313 sscf->builtin_session_cache = NGX_CONF_UNSET; | 325 sscf->builtin_session_cache = NGX_CONF_UNSET; |
314 sscf->session_timeout = NGX_CONF_UNSET; | 326 sscf->session_timeout = NGX_CONF_UNSET; |
315 | 327 |
316 return sscf; | 328 return sscf; |
317 } | 329 } |
339 | 351 |
340 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | 352 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
341 (NGX_CONF_BITMASK_SET | 353 (NGX_CONF_BITMASK_SET |
342 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); | 354 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); |
343 | 355 |
344 ngx_conf_merge_value(conf->verify, prev->verify, 0); | 356 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
345 ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1); | 357 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
346 | 358 |
347 ngx_conf_merge_str_value(conf->certificate, prev->certificate, | 359 ngx_conf_merge_str_value(conf->certificate, prev->certificate, |
348 NGX_DEFLAUT_CERTIFICATE); | 360 NGX_DEFAULT_CERTIFICATE); |
349 | 361 |
350 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, | 362 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, |
351 NGX_DEFLAUT_CERTIFICATE_KEY); | 363 NGX_DEFAULT_CERTIFICATE_KEY); |
352 | 364 |
353 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 365 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
354 | 366 |
355 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, | 367 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
356 ""); | 368 ""); |
357 | 369 |
358 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); | 370 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
359 | 371 |
360 | 372 |
361 conf->ssl.log = cf->log; | 373 conf->ssl.log = cf->log; |
362 | 374 |
363 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { | 375 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
400 "SSL_CTX_set_cipher_list(\"%V\") failed", | 412 "SSL_CTX_set_cipher_list(\"%V\") failed", |
401 &conf->ciphers); | 413 &conf->ciphers); |
402 } | 414 } |
403 | 415 |
404 if (conf->verify) { | 416 if (conf->verify) { |
417 | |
418 if (conf->client_certificate.len == 0) { | |
419 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
420 "no ssl_client_certificate for ssl_client_verify"); | |
421 return NGX_CONF_ERROR; | |
422 } | |
423 | |
405 if (ngx_ssl_client_certificate(cf, &conf->ssl, | 424 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
406 &conf->client_certificate, | 425 &conf->client_certificate, |
407 conf->verify_depth) | 426 conf->verify_depth) |
408 != NGX_OK) | 427 != NGX_OK) |
409 { | 428 { |