comparison src/http/modules/ngx_http_ssl_module.c @ 550:24b676623d4f NGINX_0_8_7
nginx 0.8.7
*) Change: minimum supported OpenSSL version is 0.9.7.
*) Change: the "ask" parameter of the "ssl_verify_client" directive was
changed to the "optional" parameter and now it checks a client
certificate if it was offered.
Thanks to Brice Figureau.
*) Feature: the $ssl_client_verify variable.
Thanks to Brice Figureau.
*) Feature: the "ssl_crl" directive.
Thanks to Brice Figureau.
*) Feature: the "proxy" parameter of the "geo" directive.
*) Feature: the "image_filter" directive supports variables for setting
size.
*) Bugfix: the $ssl_client_cert variable usage corrupted memory; the
bug had appeared in 0.7.7.
Thanks to Sergey Zhuravlev.
*) Bugfix: "proxy_pass_header" and "fastcgi_pass_header" directives did
not pass to a client the "X-Accel-Redirect", "X-Accel-Limit-Rate",
"X-Accel-Buffering", and "X-Accel-Charset" lines from backend
response header.
Thanks to Maxim Dounin.
*) Bugfix: in handling "Last-Modified" and "Accept-Ranges" backend
response header lines; the bug had appeared in 0.7.44.
Thanks to Maxim Dounin.
*) Bugfix: the "[alert] zero size buf" error if subrequest returns an
empty response; the bug had appeared in 0.8.5.
author | Igor Sysoev <http://sysoev.ru> |
date | Mon, 27 Jul 2009 00:00:00 +0400 |
parents | f39b9e29530d |
children | 005a70f9573b |
549:41f4e459ace8 | 550:24b676623d4f |
28 | 28 |
29 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | 29 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, |
30 void *conf); | 30 void *conf); |
31 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 31 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
32 void *conf); | 32 void *conf); |
33 | |
34 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | |
35 | |
36 static char *ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, | |
37 void *conf); | |
38 | |
39 static char ngx_http_ssl_openssl097[] = "OpenSSL 0.9.7 and higher"; | |
40 | |
41 #endif | |
42 | 33 |
43 | 34 |
44 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | 35 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { |
45 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | 36 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
46 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | 37 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, |
50 | 41 |
51 | 42 |
52 static ngx_conf_enum_t ngx_http_ssl_verify[] = { | 43 static ngx_conf_enum_t ngx_http_ssl_verify[] = { |
53 { ngx_string("off"), 0 }, | 44 { ngx_string("off"), 0 }, |
54 { ngx_string("on"), 1 }, | 45 { ngx_string("on"), 1 }, |
55 { ngx_string("ask"), 2 }, | 46 { ngx_string("optional"), 2 }, |
56 { ngx_null_string, 0 } | 47 { ngx_null_string, 0 } |
57 }; | 48 }; |
58 | 49 |
59 | 50 |
60 static ngx_command_t ngx_http_ssl_commands[] = { | 51 static ngx_command_t ngx_http_ssl_commands[] = { |
122 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), | 113 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), |
123 NULL }, | 114 NULL }, |
124 | 115 |
125 { ngx_string("ssl_prefer_server_ciphers"), | 116 { ngx_string("ssl_prefer_server_ciphers"), |
126 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 117 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
127 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE | |
128 ngx_conf_set_flag_slot, | 118 ngx_conf_set_flag_slot, |
129 NGX_HTTP_SRV_CONF_OFFSET, | 119 NGX_HTTP_SRV_CONF_OFFSET, |
130 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | 120 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), |
131 NULL }, | 121 NULL }, |
132 #else | |
133 ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 }, | |
134 #endif | |
135 | 122 |
136 { ngx_string("ssl_session_cache"), | 123 { ngx_string("ssl_session_cache"), |
137 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | 124 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, |
138 ngx_http_ssl_session_cache, | 125 ngx_http_ssl_session_cache, |
139 NGX_HTTP_SRV_CONF_OFFSET, | 126 NGX_HTTP_SRV_CONF_OFFSET, |
143 { ngx_string("ssl_session_timeout"), | 130 { ngx_string("ssl_session_timeout"), |
144 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 131 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
145 ngx_conf_set_sec_slot, | 132 ngx_conf_set_sec_slot, |
146 NGX_HTTP_SRV_CONF_OFFSET, | 133 NGX_HTTP_SRV_CONF_OFFSET, |
147 offsetof(ngx_http_ssl_srv_conf_t, session_timeout), | 134 offsetof(ngx_http_ssl_srv_conf_t, session_timeout), |
135 NULL }, | |
136 | |
137 { ngx_string("ssl_crl"), | |
138 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
139 ngx_conf_set_str_slot, | |
140 NGX_HTTP_SRV_CONF_OFFSET, | |
141 offsetof(ngx_http_ssl_srv_conf_t, crl), | |
148 NULL }, | 142 NULL }, |
149 | 143 |
150 ngx_null_command | 144 ngx_null_command |
151 }; | 145 }; |
152 | 146 |
204 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 198 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
205 | 199 |
206 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable, | 200 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable, |
207 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 201 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
208 | 202 |
203 { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable, | |
204 (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
205 | |
209 { ngx_null_string, NULL, NULL, 0, 0, 0 } | 206 { ngx_null_string, NULL, NULL, 0, 0, 0 } |
210 }; | 207 }; |
211 | 208 |
212 | 209 |
213 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP"); | 210 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP"); |
311 * sscf->protocols = 0; | 308 * sscf->protocols = 0; |
312 * sscf->certificate = { 0, NULL }; | 309 * sscf->certificate = { 0, NULL }; |
313 * sscf->certificate_key = { 0, NULL }; | 310 * sscf->certificate_key = { 0, NULL }; |
314 * sscf->dhparam = { 0, NULL }; | 311 * sscf->dhparam = { 0, NULL }; |
315 * sscf->client_certificate = { 0, NULL }; | 312 * sscf->client_certificate = { 0, NULL }; |
313 * sscf->crl = { 0, NULL }; | |
316 * sscf->ciphers.len = 0; | 314 * sscf->ciphers.len = 0; |
317 * sscf->ciphers.data = NULL; | 315 * sscf->ciphers.data = NULL; |
318 * sscf->shm_zone = NULL; | 316 * sscf->shm_zone = NULL; |
319 */ | 317 */ |
320 | 318 |
357 | 355 |
358 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 356 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
359 | 357 |
360 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, | 358 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
361 ""); | 359 ""); |
360 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); | |
362 | 361 |
363 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 362 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
364 | 363 |
365 | 364 |
366 conf->ssl.log = cf->log; | 365 conf->ssl.log = cf->log; |
451 conf->verify_depth) | 450 conf->verify_depth) |
452 != NGX_OK) | 451 != NGX_OK) |
453 { | 452 { |
454 return NGX_CONF_ERROR; | 453 return NGX_CONF_ERROR; |
455 } | 454 } |
456 } | 455 |
457 | 456 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
458 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE | 457 return NGX_CONF_ERROR; |
458 } | |
459 } | |
459 | 460 |
460 if (conf->prefer_server_ciphers) { | 461 if (conf->prefer_server_ciphers) { |
461 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | 462 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
462 } | 463 } |
463 | |
464 #endif | |
465 | 464 |
466 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | 465 /* a temporary 512-bit RSA key is required for export versions of MSIE */ |
467 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { | 466 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { |
468 return NGX_CONF_ERROR; | 467 return NGX_CONF_ERROR; |
469 } | 468 } |
618 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 617 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
619 "invalid session cache \"%V\"", &value[i]); | 618 "invalid session cache \"%V\"", &value[i]); |
620 | 619 |
621 return NGX_CONF_ERROR; | 620 return NGX_CONF_ERROR; |
622 } | 621 } |
623 | |
624 | |
625 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | |
626 | |
627 static char * | |
628 ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
629 { | |
630 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
631 "\"%V\" directive is available only in %s,", | |
632 &cmd->name, cmd->post); | |
633 | |
634 return NGX_CONF_ERROR; | |
635 } | |
636 | |
637 #endif |
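Review bot: The new `ngx_ssl_crl(cf, &conf->ssl, &conf->crl)` call (new lines 456-458) sits inside the block that old line 456 closed and new line 459 now closes, so a configured `ssl_crl` is loaded only when the enclosing condition holds; that condition starts outside this hunk and is presumably the client-verification check, given the `conf->verify_depth` argument just above it. A server with `ssl_crl` set but client verification disabled would then silently run without revocation checking, and nothing at the merge point (new line 360, `ngx_conf_merge_str_value(conf->crl, prev->crl, "")`) reports that. A config-time diagnostic next to the merge would make the dependency visible, e.g. `if (conf->crl.len && !conf->verify) { ngx_conf_log_error(NGX_LOG_WARN, cf, 0, "\"ssl_crl\" is ignored while \"ssl_verify_client\" is off"); }` — the field name `verify` is inferred from `verify_depth` and should be confirmed against the struct. The function containing this block begins and ends outside the hunk.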