Mercurial > hg > nginx-quic
annotate src/mail/ngx_mail_ssl_module.h @ 6982:ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation). On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.
On the client side the situation is different though. There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems. This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).
Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt. This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 18 Apr 2017 16:08:44 +0300 |
parents | 51e1f047d15d |
children | 7f955d3b9a0d |
rev | line source |
---|---|
539 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
539 | 5 */ |
6 | |
7 | |
1136 | 8 #ifndef _NGX_MAIL_SSL_H_INCLUDED_ |
9 #define _NGX_MAIL_SSL_H_INCLUDED_ | |
539 | 10 |
11 | |
12 #include <ngx_config.h> | |
13 #include <ngx_core.h> | |
1136 | 14 #include <ngx_mail.h> |
539 | 15 |
16 | |
1136 | 17 #define NGX_MAIL_STARTTLS_OFF 0 |
18 #define NGX_MAIL_STARTTLS_ON 1 | |
19 #define NGX_MAIL_STARTTLS_ONLY 2 | |
583 | 20 |
21 | |
539 | 22 typedef struct { |
976 | 23 ngx_flag_t enable; |
2224 | 24 ngx_flag_t prefer_server_ciphers; |
976 | 25 |
26 ngx_ssl_t ssl; | |
547 | 27 |
2224 | 28 ngx_uint_t starttls; |
976 | 29 ngx_uint_t protocols; |
547 | 30 |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
31 ngx_uint_t verify; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
32 ngx_uint_t verify_depth; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
33 |
976 | 34 ssize_t builtin_session_cache; |
547 | 35 |
976 | 36 time_t session_timeout; |
573 | 37 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5989
diff
changeset
|
38 ngx_array_t *certificates; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5989
diff
changeset
|
39 ngx_array_t *certificate_keys; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5989
diff
changeset
|
40 |
2044 | 41 ngx_str_t dhparam; |
3960 | 42 ngx_str_t ecdh_curve; |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
43 ngx_str_t client_certificate; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
44 ngx_str_t trusted_certificate; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
45 ngx_str_t crl; |
539 | 46 |
976 | 47 ngx_str_t ciphers; |
539 | 48 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
49 ngx_array_t *passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
50 |
976 | 51 ngx_shm_zone_t *shm_zone; |
2224 | 52 |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
53 ngx_flag_t session_tickets; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
4412
diff
changeset
|
54 ngx_array_t *session_ticket_keys; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
4412
diff
changeset
|
55 |
2224 | 56 u_char *file; |
57 ngx_uint_t line; | |
1136 | 58 } ngx_mail_ssl_conf_t; |
539 | 59 |
60 | |
1136 | 61 extern ngx_module_t ngx_mail_ssl_module; |
539 | 62 |
63 | |
1136 | 64 #endif /* _NGX_MAIL_SSL_H_INCLUDED_ */ |