annotate src/stream/ngx_stream_ssl_module.c @ 6982:ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation). On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.
On the client side the situation is different though. There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems. This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).
Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt. This looks like a bug in OpenSSL; either way,
this change also improves interoperability until the problem is fixed.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Tue, 18 Apr 2017 16:08:44 +0300 |
parents | 08dc60979133 |
children | 29c6d66b83ba |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> | |
11 | |
12 | |
/*
 * Signature of the ngx_ssl_get_*() getters that back the $ssl_* variables
 * in ngx_stream_ssl_vars[] below.  Each getter is stored in a variable's
 * data slot as (uintptr_t) and presumably cast back to this type by
 * ngx_stream_ssl_variable()/ngx_stream_ssl_static_variable(), whose bodies
 * are outside this view.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);


/*
 * Fallbacks for "ssl_ciphers" and "ssl_ecdh_curve" when a server block does
 * not set them (presumably applied in ngx_stream_ssl_merge_conf(), which is
 * not shown here).  The cipher list is an OpenSSL cipher string: "HIGH"
 * selects high-strength suites, "!aNULL" drops unauthenticated (anonymous)
 * key exchange and "!MD5" drops MD5-based suites.
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "auto"


/* Session entry point; presumably installed by ngx_stream_ssl_init() (the
 * registration itself is outside this view). */
static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s);
/* Handshake setup on a fresh connection and its completion callback. */
static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
    ngx_connection_t *c);
static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
/* Getters behind ngx_stream_ssl_vars[]; "data" carries the ngx_ssl_get_*()
 * function pointer (see ngx_ssl_variable_handler_pt above). */
static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);

/* Configuration lifecycle: variable registration, conf create/merge. */
static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent,
    void *child);

/* Directive handlers that need more than a generic ngx_conf_set_*_slot. */
static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
/* Postconfiguration hook, see ngx_stream_ssl_module_ctx below. */
static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);


/*
 * Names accepted by the "ssl_protocols" directive; ngx_conf_set_bitmask_slot
 * ORs the matching masks into ngx_stream_ssl_conf_t.protocols.  SSLv2 and
 * SSLv3 are kept as parseable (legacy) names; whether they can actually be
 * negotiated depends on the OpenSSL build, which is not visible here, and
 * the default protocol set is chosen in the merge function outside this view.
 */
static ngx_conf_bitmask_t  ngx_stream_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
    { ngx_null_string, 0 }
};


/*
 * Values of the "ssl_verify_client" directive.  The numeric values are
 * load-bearing: ngx_stream_ssl_handler() below tests sslcf->verify == 1
 * ("on") and sslcf->verify != 3 ("optional_no_ca") directly, so these
 * entries must not be renumbered without updating those comparisons.
 */
static ngx_conf_enum_t  ngx_stream_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }
};


/*
 * Directives of the stream SSL module.  All of them are allowed in the
 * "stream" and "server" contexts and are stored in the per-server
 * ngx_stream_ssl_conf_t (NGX_STREAM_SRV_CONF_OFFSET).
 */
static ngx_command_t  ngx_stream_ssl_commands[] = {

    { ngx_string("ssl_handshake_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_msec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, handshake_timeout),
      NULL },

    /*
     * Server certificates and keys are str_array slots, so each directive
     * may be repeated: one entry per certificate/key pair.
     */
    { ngx_string("ssl_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificates),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificate_keys),
      NULL },

    /* Custom handler (declared above); offset 0 because it does not map
     * onto a single conf field. */
    { ngx_string("ssl_password_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_ssl_password_file,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, dhparam),
      NULL },

    { ngx_string("ssl_ecdh_curve"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ecdh_curve),
      NULL },

    /* Bitmask of ngx_stream_ssl_protocols[] entries; one or more names. */
    { ngx_string("ssl_protocols"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, protocols),
      &ngx_stream_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ciphers),
      NULL },

    /*
     * Client certificate verification.  The enum values come from
     * ngx_stream_ssl_verify[]; ngx_stream_ssl_handler() compares the stored
     * number directly, so keep the table and the handler in sync.
     */
    { ngx_string("ssl_verify_client"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, verify),
      &ngx_stream_ssl_verify },

    { ngx_string("ssl_verify_depth"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, verify_depth),
      NULL },

    { ngx_string("ssl_client_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_trusted_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, trusted_certificate),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers),
      NULL },

    /*
     * Session resumption.  "ssl_session_cache" takes one or two arguments
     * and has its own handler; ticket keys are a str_array, so several key
     * files may be listed (presumably for key rotation -- the loading code
     * is outside this view).
     */
    { ngx_string("ssl_session_cache"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12,
      ngx_stream_ssl_session_cache,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_tickets),
      NULL },

    { ngx_string("ssl_session_ticket_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_ticket_keys),
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_timeout),
      NULL },

    /* Certificate revocation list used with client certificate checks. */
    { ngx_string("ssl_crl"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, crl),
      NULL },

      ngx_null_command
};


/*
 * Stream-module hooks.  Variables are registered at preconfiguration and
 * ngx_stream_ssl_init() runs at postconfiguration (presumably installing
 * ngx_stream_ssl_handler(); its body is outside this view).  There is no
 * main-level configuration, only the per-server ngx_stream_ssl_conf_t.
 */
static ngx_stream_module_t  ngx_stream_ssl_module_ctx = {
    ngx_stream_ssl_add_variables,          /* preconfiguration */
    ngx_stream_ssl_init,                   /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_stream_ssl_create_conf,            /* create server configuration */
    ngx_stream_ssl_merge_conf              /* merge server configuration */
};


/*
 * Module descriptor.  No master/module/process/thread lifecycle hooks are
 * used; everything is driven through the context above and the directive
 * table.
 */
ngx_module_t  ngx_stream_ssl_module = {
    NGX_MODULE_V1,
    &ngx_stream_ssl_module_ctx,            /* module context */
    ngx_stream_ssl_commands,               /* module directives */
    NGX_STREAM_MODULE,                     /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};


/*
 * $ssl_* variables exported to stream configuration.  Each entry's data
 * slot holds the ngx_ssl_get_*() getter (see ngx_ssl_variable_handler_pt);
 * two wrapper handlers are used, ngx_stream_ssl_static_variable for the
 * protocol and cipher names and ngx_stream_ssl_variable for the rest --
 * presumably because the former return fixed strings that need no pool
 * allocation, but both wrappers are defined outside this view.
 */
static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {

    { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 },

    /*
     * Client certificate variables.  NOTE(review): with "ssl_verify_client
     * optional_no_ca" ngx_stream_ssl_handler() below tolerates a failed
     * chain verification, so these are presumably populated from an
     * unvalidated certificate in that mode -- consumers that make decisions
     * on them should also check $ssl_client_verify.
     */
    { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_null_string, NULL, NULL, 0, 0, 0 }
};


/* Session-ID context for this module; presumably passed to the session
 * cache setup so that cached sessions are scoped to stream servers (the
 * use site is outside this view). */
static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM");


283 static ngx_int_t |
6693 | 284 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
285 { | |
286 long rc; |
287 X509 *cert; |
288 ngx_int_t rv; |
6693 | 289 ngx_connection_t *c; |
290 ngx_stream_ssl_conf_t *sslcf; | |
291 | |
292 if (!s->ssl) { |
293 return NGX_OK; |
294 } |
295 |
6693 | 296 c = s->connection; |
297 | |
298 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
299 | |
300 if (c->ssl == NULL) { |
6693 | 301 c->log->action = "SSL handshaking"; |
302 | |
303 if (sslcf->ssl.ctx == NULL) { | |
304 ngx_log_error(NGX_LOG_ERR, c->log, 0, | |
305 "no \"ssl_certificate\" is defined " | |
306 "in server listening on SSL port"); | |
307 return NGX_ERROR; | |
308 } | |
309 | |
310 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
311 |
312 if (rv != NGX_OK) { |
313 return rv; |
314 } |
6693 | 315 } |
316 | |
317 if (sslcf->verify) { |
318 rc = SSL_get_verify_result(c->ssl->connection); |
319 |
320 if (rc != X509_V_OK |
321 && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) |
322 { |
323 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
324 "client SSL certificate verify error: (%l:%s)", |
325 rc, X509_verify_cert_error_string(rc)); |
326 |
327 ngx_ssl_remove_cached_session(sslcf->ssl.ctx, |
328 (SSL_get0_session(c->ssl->connection))); |
329 return NGX_ERROR; |
330 } |
331 |
332 if (sslcf->verify == 1) { |
333 cert = SSL_get_peer_certificate(c->ssl->connection); |
334 |
335 if (cert == NULL) { |
336 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
337 "client sent no required SSL certificate"); |
338 |
339 ngx_ssl_remove_cached_session(sslcf->ssl.ctx, |
340 (SSL_get0_session(c->ssl->connection))); |
341 return NGX_ERROR; |
342 } |
343 |
344 X509_free(cert); |
345 } |
346 } |
347 |
6693 | 348 return NGX_OK; |
349 } | |
350 | |
351 | |
/*
 * Attaches an SSL connection to c and starts the handshake.
 *
 * Returns NGX_ERROR when the SSL connection cannot be created or the
 * handshake fails outright, NGX_AGAIN when the handshake needs more I/O
 * (the handshake timeout is armed and ngx_stream_ssl_handshake_handler
 * is installed to continue once it completes), and NGX_OK when the
 * handshake finished synchronously.
 */
static ngx_int_t
ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)
{
    ngx_int_t               rc;
    ngx_stream_session_t   *s;
    ngx_stream_ssl_conf_t  *sslcf;

    s = c->data;

    if (ngx_ssl_create_connection(ssl, c, 0) == NGX_ERROR) {
        return NGX_ERROR;
    }

    rc = ngx_ssl_handshake(c);

    switch (rc) {

    case NGX_ERROR:
        return NGX_ERROR;

    case NGX_AGAIN:
        sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);

        /* bound the time a client may spend in the handshake */
        ngx_add_timer(c->read, sslcf->handshake_timeout);

        c->ssl->handler = ngx_stream_ssl_handshake_handler;

        return NGX_AGAIN;

    default:
        /* rc == NGX_OK: handshake completed */
        return NGX_OK;
    }
}
385 | |
386 | |
/*
 * Completion callback for an asynchronous SSL handshake.
 *
 * On success the handshake timer armed by ngx_stream_ssl_init_connection
 * is cleared and the session proceeds through the stream phases; a
 * handshake that did not complete finalizes the session with
 * NGX_STREAM_INTERNAL_SERVER_ERROR.
 */
static void
ngx_stream_ssl_handshake_handler(ngx_connection_t *c)
{
    ngx_event_t           *rev;
    ngx_stream_session_t  *s;

    s = c->data;
    rev = c->read;

    if (c->ssl->handshaked) {
        if (rev->timer_set) {
            ngx_del_timer(rev);
        }

        ngx_stream_core_run_phases(s);
        return;
    }

    ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
}
405 | |
406 | |
/*
 * Variable getter for SSL values that are backed by static,
 * NUL-terminated strings.
 *
 * data holds an ngx_ssl_variable_handler_pt; it is invoked without a
 * pool, so str.data is expected to reference storage that outlives the
 * call.  The value length is measured by scanning for the terminator.
 * On a connection without SSL the variable is reported as not found.
 */
static ngx_int_t
ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    size_t     len;
    ngx_str_t  str;

    if (s->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    /* no pool: the handler's result is not copied */
    (void) handler(s->connection, NULL, &str);

    len = 0;

    while (str.data[len]) {
        len++;
    }

    v->len = len;
    v->data = str.data;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
436 |
437 |
/*
 * Variable getter for SSL values that the handler allocates from the
 * connection pool.
 *
 * data holds an ngx_ssl_variable_handler_pt.  A handler failure is
 * propagated as NGX_ERROR; an empty result, or a connection without
 * SSL, is reported as a not-found variable.
 */
static ngx_int_t
ngx_stream_ssl_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    ngx_str_t          str;
    ngx_connection_t  *c;

    c = s->connection;

    if (c->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    if (handler(c, c->pool, &str) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = str.len;
    v->data = str.data;

    if (v->len == 0) {
        /* an empty value is exposed as "not found" */
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
468 |
469 |
/*
 * Registers every entry of the ngx_stream_ssl_vars table (terminated by
 * an entry with an empty name) as a stream variable, copying its getter
 * and data.  Returns NGX_ERROR if any registration fails.
 */
static ngx_int_t
ngx_stream_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_stream_variable_t  *v, *added;

    v = ngx_stream_ssl_vars;

    while (v->name.len != 0) {
        added = ngx_stream_add_variable(cf, &v->name, v->flags);
        if (added == NULL) {
            return NGX_ERROR;
        }

        added->get_handler = v->get_handler;
        added->data = v->data;

        v++;
    }

    return NGX_OK;
}
487 |
488 |
/*
 * Allocates the per-server ssl configuration and marks every directive
 * value as unset so that ngx_stream_ssl_merge_conf() can tell an
 * explicit setting from an inherited one.  Returns NULL on allocation
 * failure.
 */
static void *
ngx_stream_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_stream_ssl_conf_t  *scf;

    scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t));
    if (scf == NULL) {
        return NULL;
    }

    /*
     * zeroed by ngx_pcalloc() and therefore not touched here:
     *
     *     scf->protocols = 0;
     *     scf->dhparam = { 0, NULL };
     *     scf->ecdh_curve = { 0, NULL };
     *     scf->client_certificate = { 0, NULL };
     *     scf->trusted_certificate = { 0, NULL };
     *     scf->crl = { 0, NULL };
     *     scf->ciphers = { 0, NULL };
     *     scf->shm_zone = NULL;
     */

    /* certificate and key material */
    scf->certificates = NGX_CONF_UNSET_PTR;
    scf->certificate_keys = NGX_CONF_UNSET_PTR;
    scf->passwords = NGX_CONF_UNSET_PTR;

    /* client certificate verification */
    scf->verify = NGX_CONF_UNSET_UINT;
    scf->verify_depth = NGX_CONF_UNSET_UINT;

    /* handshake, cipher preference and session parameters */
    scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
    scf->prefer_server_ciphers = NGX_CONF_UNSET;
    scf->builtin_session_cache = NGX_CONF_UNSET;
    scf->session_timeout = NGX_CONF_UNSET;
    scf->session_tickets = NGX_CONF_UNSET;
    scf->session_ticket_keys = NGX_CONF_UNSET_PTR;

    return scf;
}
526 | |
527 | |
/*
 * Merges the parent server's ssl settings into the child and, when the
 * child ends up with certificates, builds its SSL_CTX.
 *
 * The steps after ngx_ssl_create() are order dependent: the pool
 * cleanup that frees the context is registered before any further
 * loading so that every later error return still releases it.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging at EMERG level.
 */
static char *
ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_stream_ssl_conf_t *prev = parent;
    ngx_stream_ssl_conf_t *conf = child;

    ngx_pool_cleanup_t  *cln;

    /* defaults: 60 s handshake timeout, 300 s session timeout */

    ngx_conf_merge_msec_value(conf->handshake_timeout,
                         prev->handshake_timeout, 60000);

    ngx_conf_merge_value(conf->session_timeout,
                         prev->session_timeout, 300);

    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /* default protocol set is TLSv1 through TLSv1.2; SSLv3 is not enabled */

    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

    /* client verification is off (0) by default, with chain depth 1 */

    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

    ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
    ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
                         NULL);

    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

    ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
                         "");
    ngx_conf_merge_str_value(conf->trusted_certificate,
                         prev->trusted_certificate, "");
    ngx_conf_merge_str_value(conf->crl, prev->crl, "");

    ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                         NGX_DEFAULT_ECDH_CURVE);

    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);


    conf->ssl.log = cf->log;

    /* a server without certificates gets no SSL context at all */

    if (conf->certificates == NULL) {
        return NGX_CONF_OK;
    }

    /* every certificate needs a key at the same index */

    if (conf->certificate_keys == NULL
        || conf->certificate_keys->nelts < conf->certificates->nelts)
    {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined "
                      "for certificate \"%V\"",
                      ((ngx_str_t *) conf->certificates->elts)
                      + conf->certificates->nelts - 1);
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /* registered first so the context is freed on any error below */

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

    if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
                             conf->certificate_keys, conf->passwords)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
                        conf->prefer_server_ciphers)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /*
     * client certificate verification: the CA file is mandatory except
     * for verify mode 3 (optional_no_ca, which tolerates an unverifiable
     * chain); trusted certificates and the CRL are only loaded when
     * verification is enabled
     */

    if (conf->verify) {

        if (conf->client_certificate.len == 0 && conf->verify != 3) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no ssl_client_certificate for ssl_client_verify");
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                       &conf->client_certificate,
                                       conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
                                        &conf->trusted_certificate,
                                        conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
            return NGX_CONF_ERROR;
        }
    }

    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /* session cache: NGX_SSL_NONE_SCACHE unless configured */

    ngx_conf_merge_value(conf->builtin_session_cache,
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

    /* the shared zone is inherited by hand; it is not an "unset" value */

    if (conf->shm_zone == NULL) {
        conf->shm_zone = prev->shm_zone;
    }

    if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
                              conf->builtin_session_cache,
                              conf->shm_zone, conf->session_timeout)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /* session tickets are on by default; "off" maps to SSL_OP_NO_TICKET */

    ngx_conf_merge_value(conf->session_tickets,
                         prev->session_tickets, 1);

#ifdef SSL_OP_NO_TICKET
    if (!conf->session_tickets) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
    }
#endif

    ngx_conf_merge_ptr_value(conf->session_ticket_keys,
                         prev->session_ticket_keys, NULL);

    if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}
687 | |
688 | |
/*
 * Handler for the "ssl_password_file" directive: reads the password
 * list from the file named by the first argument into scf->passwords.
 * Rejects a second occurrence of the directive in the same block.
 */
static char *
ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_ssl_conf_t  *scf = conf;

    ngx_str_t    *args;
    ngx_array_t  *passwords;

    if (scf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    args = cf->args->elts;

    passwords = ngx_ssl_read_password_file(cf, &args[1]);
    scf->passwords = passwords;

    return (passwords == NULL) ? NGX_CONF_ERROR : NGX_CONF_OK;
}
710 | |
711 | |
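/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Accepts any mix of "off", "none", "builtin", "builtin:N" and
 * "shared:name:size" arguments.  A shared cache creates (or joins) the
 * named shared memory zone, which must be at least 8 pages; combining a
 * shared zone with no explicit builtin setting disables the builtin
 * cache.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging the offending
 * argument.
 */
static char *
ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_ssl_conf_t  *scf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            scf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            len = 0;

            /* the zone name runs up to the next ':' */

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /*
             * an empty name, or a "shared:name" with no ":size" part,
             * is invalid; without the second check j == value[i].len
             * and the size length computed below would wrap around
             */

            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            /* the zone must hold the cache bookkeeping plus some sessions */

            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_stream_ssl_module);
            if (scf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            scf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    /* a shared zone alone implies no builtin cache */

    if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
        scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}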
6693 | 822 |
823 | |
/*
 * Postconfiguration hook: appends ngx_stream_ssl_handler to the
 * NGX_STREAM_SSL_PHASE handler list of the core main configuration.
 * Returns NGX_ERROR if the handler slot cannot be allocated.
 */
static ngx_int_t
ngx_stream_ssl_init(ngx_conf_t *cf)
{
    ngx_array_t                  *handlers;
    ngx_stream_handler_pt        *slot;
    ngx_stream_core_main_conf_t  *cmcf;

    cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
    handlers = &cmcf->phases[NGX_STREAM_SSL_PHASE].handlers;

    slot = ngx_array_push(handlers);
    if (slot == NULL) {
        return NGX_ERROR;
    }

    *slot = ngx_stream_ssl_handler;

    return NGX_OK;
}