Mercurial > hg > nginx-quic
annotate src/stream/ngx_stream_ssl_module.c @ 8700:b09f055daa4e quic
QUIC: fixed handling of RETIRE_CONNECTION_ID frame.
Previously, the retired socket was not closed if it didn't match
active or backup.
New sockets could not be created (due to count limit), since retired socket
was not closed before calling ngx_quic_create_sockets().
When replacing retired socket, new socket is only requested after closing
old one, to avoid hitting the limit on the number of active connection ids.
Together with added restrictions, this fixes an issue when a current socket
could be closed during migration, recreated and erroneously reused leading
to null pointer dereference.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Thu, 18 Nov 2021 14:19:36 +0300 |
parents | 61d0fa67b55e |
children | 5c86189a1c1b |
rev | line source |
---|---|
6115 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> | |
11 | |
12 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
14 ngx_pool_t *pool, ngx_str_t *s); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
15 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
16 |
6115 | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
18 #define NGX_DEFAULT_ECDH_CURVE "auto" |
6115 | 19 |
20 | |
6693 | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | |
23 ngx_connection_t *c); | |
24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
8664
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8660
diff
changeset
|
26 static int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, |
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8660
diff
changeset
|
27 void *arg); |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
28 #endif |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
29 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
30 static int ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
31 const unsigned char **out, unsigned char *outlen, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
32 const unsigned char *in, unsigned int inlen, void *arg); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
33 #endif |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
34 #ifdef SSL_R_CERT_CB_ERROR |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
35 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
36 #endif |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
37 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
38 ngx_stream_variable_value_t *v, uintptr_t data); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
39 static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
40 ngx_stream_variable_value_t *v, uintptr_t data); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
41 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
42 static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf); |
6115 | 43 static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf); |
44 static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, | |
45 void *child); | |
46 | |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
47 static ngx_int_t ngx_stream_ssl_compile_certificates(ngx_conf_t *cf, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
48 ngx_stream_ssl_conf_t *conf); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
49 |
6115 | 50 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
51 void *conf); | |
52 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
53 void *conf); | |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
54 static char *ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
55 void *conf); |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
56 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
57 static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
58 void *data); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
59 |
6693 | 60 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf); |
6115 | 61 |
62 | |
63 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = { | |
64 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
65 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
66 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
67 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
68 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6871
diff
changeset
|
69 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 }, |
6115 | 70 { ngx_null_string, 0 } |
71 }; | |
72 | |
73 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
74 static ngx_conf_enum_t ngx_stream_ssl_verify[] = { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
75 { ngx_string("off"), 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
76 { ngx_string("on"), 1 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
77 { ngx_string("optional"), 2 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
78 { ngx_string("optional_no_ca"), 3 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
79 { ngx_null_string, 0 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
80 }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
81 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
82 |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
83 static ngx_conf_post_t ngx_stream_ssl_conf_command_post = |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
84 { ngx_stream_ssl_conf_command_check }; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
85 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
86 |
6115 | 87 static ngx_command_t ngx_stream_ssl_commands[] = { |
88 | |
89 { ngx_string("ssl_handshake_timeout"), | |
90 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
91 ngx_conf_set_msec_slot, | |
92 NGX_STREAM_SRV_CONF_OFFSET, | |
93 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), | |
94 NULL }, | |
95 | |
96 { ngx_string("ssl_certificate"), | |
97 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
98 ngx_conf_set_str_array_slot, |
6115 | 99 NGX_STREAM_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
100 offsetof(ngx_stream_ssl_conf_t, certificates), |
6115 | 101 NULL }, |
102 | |
103 { ngx_string("ssl_certificate_key"), | |
104 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
105 ngx_conf_set_str_array_slot, |
6115 | 106 NGX_STREAM_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
107 offsetof(ngx_stream_ssl_conf_t, certificate_keys), |
6115 | 108 NULL }, |
109 | |
110 { ngx_string("ssl_password_file"), | |
111 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
112 ngx_stream_ssl_password_file, | |
113 NGX_STREAM_SRV_CONF_OFFSET, | |
114 0, | |
115 NULL }, | |
116 | |
117 { ngx_string("ssl_dhparam"), | |
118 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
119 ngx_conf_set_str_slot, | |
120 NGX_STREAM_SRV_CONF_OFFSET, | |
121 offsetof(ngx_stream_ssl_conf_t, dhparam), | |
122 NULL }, | |
123 | |
124 { ngx_string("ssl_ecdh_curve"), | |
125 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
126 ngx_conf_set_str_slot, | |
127 NGX_STREAM_SRV_CONF_OFFSET, | |
128 offsetof(ngx_stream_ssl_conf_t, ecdh_curve), | |
129 NULL }, | |
130 | |
131 { ngx_string("ssl_protocols"), | |
132 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, | |
133 ngx_conf_set_bitmask_slot, | |
134 NGX_STREAM_SRV_CONF_OFFSET, | |
135 offsetof(ngx_stream_ssl_conf_t, protocols), | |
136 &ngx_stream_ssl_protocols }, | |
137 | |
138 { ngx_string("ssl_ciphers"), | |
139 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
140 ngx_conf_set_str_slot, | |
141 NGX_STREAM_SRV_CONF_OFFSET, | |
142 offsetof(ngx_stream_ssl_conf_t, ciphers), | |
143 NULL }, | |
144 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
145 { ngx_string("ssl_verify_client"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
146 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
147 ngx_conf_set_enum_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
148 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
149 offsetof(ngx_stream_ssl_conf_t, verify), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
150 &ngx_stream_ssl_verify }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
151 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
152 { ngx_string("ssl_verify_depth"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
153 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
154 ngx_conf_set_num_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
155 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
156 offsetof(ngx_stream_ssl_conf_t, verify_depth), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
157 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
158 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
159 { ngx_string("ssl_client_certificate"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
160 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
161 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
162 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
163 offsetof(ngx_stream_ssl_conf_t, client_certificate), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
164 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
165 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
166 { ngx_string("ssl_trusted_certificate"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
167 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
168 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
169 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
170 offsetof(ngx_stream_ssl_conf_t, trusted_certificate), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
171 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
172 |
6115 | 173 { ngx_string("ssl_prefer_server_ciphers"), |
174 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
175 ngx_conf_set_flag_slot, | |
176 NGX_STREAM_SRV_CONF_OFFSET, | |
177 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers), | |
178 NULL }, | |
179 | |
180 { ngx_string("ssl_session_cache"), | |
181 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12, | |
182 ngx_stream_ssl_session_cache, | |
183 NGX_STREAM_SRV_CONF_OFFSET, | |
184 0, | |
185 NULL }, | |
186 | |
187 { ngx_string("ssl_session_tickets"), | |
188 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
189 ngx_conf_set_flag_slot, | |
190 NGX_STREAM_SRV_CONF_OFFSET, | |
191 offsetof(ngx_stream_ssl_conf_t, session_tickets), | |
192 NULL }, | |
193 | |
194 { ngx_string("ssl_session_ticket_key"), | |
195 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
196 ngx_conf_set_str_array_slot, | |
197 NGX_STREAM_SRV_CONF_OFFSET, | |
198 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys), | |
199 NULL }, | |
200 | |
201 { ngx_string("ssl_session_timeout"), | |
202 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
203 ngx_conf_set_sec_slot, | |
204 NGX_STREAM_SRV_CONF_OFFSET, | |
205 offsetof(ngx_stream_ssl_conf_t, session_timeout), | |
206 NULL }, | |
207 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
208 { ngx_string("ssl_crl"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
209 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
210 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
211 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
212 offsetof(ngx_stream_ssl_conf_t, crl), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
213 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
214 |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
215 { ngx_string("ssl_conf_command"), |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
216 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
217 ngx_conf_set_keyval_slot, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
218 NGX_STREAM_SRV_CONF_OFFSET, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
219 offsetof(ngx_stream_ssl_conf_t, conf_commands), |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
220 &ngx_stream_ssl_conf_command_post }, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
221 |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
222 { ngx_string("ssl_alpn"), |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
223 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
224 ngx_stream_ssl_alpn, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
225 NGX_STREAM_SRV_CONF_OFFSET, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
226 0, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
227 NULL }, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
228 |
6115 | 229 ngx_null_command |
230 }; | |
231 | |
232 | |
233 static ngx_stream_module_t ngx_stream_ssl_module_ctx = { | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
234 ngx_stream_ssl_add_variables, /* preconfiguration */ |
6693 | 235 ngx_stream_ssl_init, /* postconfiguration */ |
6174
68c106e6fa0a
Stream: added postconfiguration method to stream modules.
Vladimir Homutov <vl@nginx.com>
parents:
6157
diff
changeset
|
236 |
6115 | 237 NULL, /* create main configuration */ |
238 NULL, /* init main configuration */ | |
239 | |
240 ngx_stream_ssl_create_conf, /* create server configuration */ | |
241 ngx_stream_ssl_merge_conf /* merge server configuration */ | |
242 }; | |
243 | |
244 | |
245 ngx_module_t ngx_stream_ssl_module = { | |
246 NGX_MODULE_V1, | |
247 &ngx_stream_ssl_module_ctx, /* module context */ | |
248 ngx_stream_ssl_commands, /* module directives */ | |
249 NGX_STREAM_MODULE, /* module type */ | |
250 NULL, /* init master */ | |
251 NULL, /* init module */ | |
252 NULL, /* init process */ | |
253 NULL, /* init thread */ | |
254 NULL, /* exit thread */ | |
255 NULL, /* exit process */ | |
256 NULL, /* exit master */ | |
257 NGX_MODULE_V1_PADDING | |
258 }; | |
259 | |
260 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
261 static ngx_stream_variable_t ngx_stream_ssl_vars[] = { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
262 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
263 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
264 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
265 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
266 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
267 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
268 |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
269 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
270 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
271 |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
272 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
273 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
274 |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
275 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
276 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
277 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
278 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
279 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
280 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
281 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
282 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
283 |
8659
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8578
diff
changeset
|
284 { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable, |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8578
diff
changeset
|
285 (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8578
diff
changeset
|
286 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
287 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
288 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
289 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
290 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
291 (uintptr_t) ngx_ssl_get_raw_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
292 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
293 |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
294 { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
295 (uintptr_t) ngx_ssl_get_escaped_certificate, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
296 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
297 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
298 { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
299 (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
300 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
301 { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
302 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
303 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
304 { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
305 (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
306 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
307 { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
308 (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
309 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
310 { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
311 (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
312 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
313 { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
314 (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
315 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
316 { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
317 (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
318 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
319 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
320 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
321 |
7077
2a288909abc6
Variables: macros for null variables.
Ruslan Ermilov <ru@nginx.com>
parents:
7009
diff
changeset
|
322 ngx_stream_null_variable |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
323 }; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
324 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
325 |
6115 | 326 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM"); |
327 | |
328 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
329 static ngx_int_t |
6693 | 330 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
331 { | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
332 long rc; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
333 X509 *cert; |
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
334 ngx_int_t rv; |
6693 | 335 ngx_connection_t *c; |
336 ngx_stream_ssl_conf_t *sslcf; | |
337 | |
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
338 if (!s->ssl) { |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
339 return NGX_OK; |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
340 } |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
341 |
6693 | 342 c = s->connection; |
343 | |
344 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
345 | |
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
346 if (c->ssl == NULL) { |
6693 | 347 c->log->action = "SSL handshaking"; |
348 | |
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
349 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
350 |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
351 if (rv != NGX_OK) { |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
352 return rv; |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
353 } |
6693 | 354 } |
355 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
356 if (sslcf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
357 rc = SSL_get_verify_result(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
358 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
359 if (rc != X509_V_OK |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
360 && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
361 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
362 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
363 "client SSL certificate verify error: (%l:%s)", |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
364 rc, X509_verify_cert_error_string(rc)); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
365 |
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
366 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
367 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
368 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
369 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
370 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
371 if (sslcf->verify == 1) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
372 cert = SSL_get_peer_certificate(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
373 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
374 if (cert == NULL) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
375 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
376 "client sent no required SSL certificate"); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
377 |
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
378 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
379 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
380 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
381 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
382 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
383 X509_free(cert); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
384 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
385 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
386 |
6693 | 387 return NGX_OK; |
388 } | |
389 | |
390 | |
391 static ngx_int_t | |
392 ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c) | |
393 { | |
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
394 ngx_int_t rc; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
395 ngx_stream_session_t *s; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
396 ngx_stream_ssl_conf_t *sslcf; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
397 ngx_stream_core_srv_conf_t *cscf; |
6693 | 398 |
399 s = c->data; | |
400 | |
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
401 cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module); |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
402 |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
403 if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) { |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
404 return NGX_ERROR; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
405 } |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
406 |
7009
03444167a3bb
Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7008
diff
changeset
|
407 if (ngx_ssl_create_connection(ssl, c, 0) != NGX_OK) { |
6693 | 408 return NGX_ERROR; |
409 } | |
410 | |
411 rc = ngx_ssl_handshake(c); | |
412 | |
413 if (rc == NGX_ERROR) { | |
414 return NGX_ERROR; | |
415 } | |
416 | |
417 if (rc == NGX_AGAIN) { | |
418 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
419 | |
420 ngx_add_timer(c->read, sslcf->handshake_timeout); | |
421 | |
422 c->ssl->handler = ngx_stream_ssl_handshake_handler; | |
423 | |
424 return NGX_AGAIN; | |
425 } | |
426 | |
427 /* rc == NGX_OK */ | |
428 | |
429 return NGX_OK; | |
430 } | |
431 | |
432 | |
433 static void | |
434 ngx_stream_ssl_handshake_handler(ngx_connection_t *c) | |
435 { | |
436 ngx_stream_session_t *s; | |
437 | |
438 s = c->data; | |
439 | |
440 if (!c->ssl->handshaked) { | |
441 ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | |
442 return; | |
443 } | |
444 | |
445 if (c->read->timer_set) { | |
446 ngx_del_timer(c->read); | |
447 } | |
448 | |
449 ngx_stream_core_run_phases(s); | |
450 } | |
451 | |
452 | |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
453 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
454 |
8664
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8660
diff
changeset
|
455 static int |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
456 ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
457 { |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
458 return SSL_TLSEXT_ERR_OK; |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
459 } |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
460 |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
461 #endif |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
462 |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
463 |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
464 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
465 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
466 static int |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
467 ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
468 unsigned char *outlen, const unsigned char *in, unsigned int inlen, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
469 void *arg) |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
470 { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
471 ngx_str_t *alpn; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
472 #if (NGX_DEBUG) |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
473 unsigned int i; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
474 ngx_connection_t *c; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
475 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
476 c = ngx_ssl_get_connection(ssl_conn); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
477 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
478 for (i = 0; i < inlen; i += in[i] + 1) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
479 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
480 "SSL ALPN supported by client: %*s", |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
481 (size_t) in[i], &in[i + 1]); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
482 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
483 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
484 #endif |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
485 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
486 alpn = arg; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
487 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
488 if (SSL_select_next_proto((unsigned char **) out, outlen, alpn->data, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
489 alpn->len, in, inlen) |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
490 != OPENSSL_NPN_NEGOTIATED) |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
491 { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
492 return SSL_TLSEXT_ERR_ALERT_FATAL; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
493 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
494 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
495 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
496 "SSL ALPN selected: %*s", (size_t) *outlen, *out); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
497 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
498 return SSL_TLSEXT_ERR_OK; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
499 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
500 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
501 #endif |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
502 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
503 |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
504 #ifdef SSL_R_CERT_CB_ERROR |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
505 |
8664
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8660
diff
changeset
|
506 static int |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
507 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
508 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
509 ngx_str_t cert, key; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
510 ngx_uint_t i, nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
511 ngx_connection_t *c; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
512 ngx_stream_session_t *s; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
513 ngx_stream_ssl_conf_t *sslcf; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
514 ngx_stream_complex_value_t *certs, *keys; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
515 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
516 c = ngx_ssl_get_connection(ssl_conn); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
517 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
518 if (c->ssl->handshaked) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
519 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
520 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
521 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
522 s = c->data; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
523 |
7466
48c87377aabd
SSL: fixed possible segfault with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
524 sslcf = arg; |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
525 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
526 nelts = sslcf->certificate_values->nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
527 certs = sslcf->certificate_values->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
528 keys = sslcf->certificate_key_values->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
529 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
530 for (i = 0; i < nelts; i++) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
531 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
532 if (ngx_stream_complex_value(s, &certs[i], &cert) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
533 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
534 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
535 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
536 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
537 "ssl cert: \"%s\"", cert.data); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
538 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
539 if (ngx_stream_complex_value(s, &keys[i], &key) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
540 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
541 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
542 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
543 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
544 "ssl key: \"%s\"", key.data); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
545 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
546 if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
547 sslcf->passwords) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
548 != NGX_OK) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
549 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
550 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
551 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
552 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
553 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
554 return 1; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
555 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
556 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
557 #endif |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
558 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
559 |
6693 | 560 static ngx_int_t |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
561 ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
562 ngx_stream_variable_value_t *v, uintptr_t data) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
563 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
564 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
565 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
566 size_t len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
567 ngx_str_t str; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
568 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
569 if (s->connection->ssl) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
570 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
571 (void) handler(s->connection, NULL, &str); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
572 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
573 v->data = str.data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
574 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
575 for (len = 0; v->data[len]; len++) { /* void */ } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
576 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
577 v->len = len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
578 v->valid = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
579 v->no_cacheable = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
580 v->not_found = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
581 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
582 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
583 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
584 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
585 v->not_found = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
586 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
587 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
588 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
589 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
590 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
591 static ngx_int_t |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
592 ngx_stream_ssl_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
593 ngx_stream_variable_value_t *v, uintptr_t data) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
594 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
595 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
596 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
597 ngx_str_t str; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
598 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
599 if (s->connection->ssl) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
600 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
601 if (handler(s->connection, s->connection->pool, &str) != NGX_OK) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
602 return NGX_ERROR; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
603 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
604 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
605 v->len = str.len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
606 v->data = str.data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
607 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
608 if (v->len) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
609 v->valid = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
610 v->no_cacheable = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
611 v->not_found = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
612 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
613 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
614 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
615 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
616 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
617 v->not_found = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
618 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
619 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
620 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
621 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
622 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
623 static ngx_int_t |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
624 ngx_stream_ssl_add_variables(ngx_conf_t *cf) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
625 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
626 ngx_stream_variable_t *var, *v; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
627 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
628 for (v = ngx_stream_ssl_vars; v->name.len; v++) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
629 var = ngx_stream_add_variable(cf, &v->name, v->flags); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
630 if (var == NULL) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
631 return NGX_ERROR; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
632 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
633 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
634 var->get_handler = v->get_handler; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
635 var->data = v->data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
636 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
637 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
638 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
639 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
640 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
641 |
6115 | 642 static void * |
643 ngx_stream_ssl_create_conf(ngx_conf_t *cf) | |
644 { | |
645 ngx_stream_ssl_conf_t *scf; | |
646 | |
647 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t)); | |
648 if (scf == NULL) { | |
649 return NULL; | |
650 } | |
651 | |
652 /* | |
653 * set by ngx_pcalloc(): | |
654 * | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
655 * scf->listen = 0; |
6115 | 656 * scf->protocols = 0; |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
657 * scf->certificate_values = NULL; |
6115 | 658 * scf->dhparam = { 0, NULL }; |
659 * scf->ecdh_curve = { 0, NULL }; | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
660 * scf->client_certificate = { 0, NULL }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
661 * scf->trusted_certificate = { 0, NULL }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
662 * scf->crl = { 0, NULL }; |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
663 * scf->alpn = { 0, NULL }; |
6115 | 664 * scf->ciphers = { 0, NULL }; |
665 * scf->shm_zone = NULL; | |
666 */ | |
667 | |
668 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
669 scf->certificates = NGX_CONF_UNSET_PTR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
670 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
6115 | 671 scf->passwords = NGX_CONF_UNSET_PTR; |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
672 scf->conf_commands = NGX_CONF_UNSET_PTR; |
6115 | 673 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
674 scf->verify = NGX_CONF_UNSET_UINT; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
675 scf->verify_depth = NGX_CONF_UNSET_UINT; |
6115 | 676 scf->builtin_session_cache = NGX_CONF_UNSET; |
677 scf->session_timeout = NGX_CONF_UNSET; | |
678 scf->session_tickets = NGX_CONF_UNSET; | |
679 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; | |
680 | |
681 return scf; | |
682 } | |
683 | |
684 | |
685 static char * | |
686 ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
687 { | |
688 ngx_stream_ssl_conf_t *prev = parent; | |
689 ngx_stream_ssl_conf_t *conf = child; | |
690 | |
691 ngx_pool_cleanup_t *cln; | |
692 | |
693 ngx_conf_merge_msec_value(conf->handshake_timeout, | |
694 prev->handshake_timeout, 60000); | |
695 | |
696 ngx_conf_merge_value(conf->session_timeout, | |
697 prev->session_timeout, 300); | |
698 | |
699 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
700 prev->prefer_server_ciphers, 0); | |
701 | |
702 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6115
diff
changeset
|
703 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
6115 | 704 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
705 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
706 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
707 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
708 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
709 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
710 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
711 NULL); |
6115 | 712 |
713 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | |
714 | |
715 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | |
716 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
717 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
718 ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
719 ngx_conf_merge_str_value(conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
720 prev->trusted_certificate, ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
721 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
722 ngx_conf_merge_str_value(conf->alpn, prev->alpn, ""); |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
723 |
6115 | 724 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
725 NGX_DEFAULT_ECDH_CURVE); | |
726 | |
727 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | |
728 | |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
729 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
730 |
6115 | 731 |
732 conf->ssl.log = cf->log; | |
733 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
734 if (!conf->listen) { |
6115 | 735 return NGX_CONF_OK; |
736 } | |
737 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
738 if (conf->certificates == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
739 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
740 "no \"ssl_certificate\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
741 "the \"listen ... ssl\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
742 conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
743 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
744 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
745 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
746 if (conf->certificate_keys == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
747 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
748 "no \"ssl_certificate_key\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
749 "the \"listen ... ssl\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
750 conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
751 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
752 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
753 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
754 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
6115 | 755 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
756 "no \"ssl_certificate_key\" is defined " | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
757 "for certificate \"%V\" and " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
758 "the \"listen ... ssl\" directive in %s:%ui", |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
759 ((ngx_str_t *) conf->certificates->elts) |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
760 + conf->certificates->nelts - 1, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
761 conf->file, conf->line); |
6115 | 762 return NGX_CONF_ERROR; |
763 } | |
764 | |
765 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | |
766 return NGX_CONF_ERROR; | |
767 } | |
768 | |
769 cln = ngx_pool_cleanup_add(cf->pool, 0); | |
770 if (cln == NULL) { | |
7473
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7471
diff
changeset
|
771 ngx_ssl_cleanup_ctx(&conf->ssl); |
6115 | 772 return NGX_CONF_ERROR; |
773 } | |
774 | |
775 cln->handler = ngx_ssl_cleanup_ctx; | |
776 cln->data = &conf->ssl; | |
777 | |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
778 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
779 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
780 ngx_stream_ssl_servername); |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
781 #endif |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
782 |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
783 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
784 if (conf->alpn.len) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
785 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_stream_ssl_alpn_select, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
786 &conf->alpn); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
787 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
788 #endif |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
789 |
8578
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8336
diff
changeset
|
790 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8336
diff
changeset
|
791 conf->prefer_server_ciphers) |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8336
diff
changeset
|
792 != NGX_OK) |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8336
diff
changeset
|
793 { |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8336
diff
changeset
|
794 return NGX_CONF_ERROR; |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8336
diff
changeset
|
795 } |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8336
diff
changeset
|
796 |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
797 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) { |
6115 | 798 return NGX_CONF_ERROR; |
799 } | |
800 | |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
801 if (conf->certificate_values) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
802 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
803 #ifdef SSL_R_CERT_CB_ERROR |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
804 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
805 /* install callback to lookup certificates */ |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
806 |
7466
48c87377aabd
SSL: fixed possible segfault with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
807 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, conf); |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
808 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
809 #else |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
810 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
811 "variables in " |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
812 "\"ssl_certificate\" and \"ssl_certificate_key\" " |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
813 "directives are not supported on this platform"); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
814 return NGX_CONF_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
815 #endif |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
816 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
817 } else { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
818 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
819 /* configure certificates */ |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
820 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
821 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
822 conf->certificate_keys, conf->passwords) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
823 != NGX_OK) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
824 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
825 return NGX_CONF_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
826 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
827 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
828 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
829 if (conf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
830 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
831 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
832 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7567
ef7ee19776db
SSL: fixed ssl_verify_client error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7473
diff
changeset
|
833 "no ssl_client_certificate for ssl_verify_client"); |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
834 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
835 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
836 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
837 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
838 &conf->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
839 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
840 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
841 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
842 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
843 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
844 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
845 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
846 &conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
847 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
848 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
849 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
850 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
851 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
852 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
853 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
854 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
855 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
856 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
857 |
6115 | 858 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
859 return NGX_CONF_ERROR; | |
860 } | |
861 | |
862 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | |
863 return NGX_CONF_ERROR; | |
864 } | |
865 | |
866 ngx_conf_merge_value(conf->builtin_session_cache, | |
867 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | |
868 | |
869 if (conf->shm_zone == NULL) { | |
870 conf->shm_zone = prev->shm_zone; | |
871 } | |
872 | |
873 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, | |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7464
diff
changeset
|
874 conf->certificates, conf->builtin_session_cache, |
6115 | 875 conf->shm_zone, conf->session_timeout) |
876 != NGX_OK) | |
877 { | |
878 return NGX_CONF_ERROR; | |
879 } | |
880 | |
881 ngx_conf_merge_value(conf->session_tickets, | |
882 prev->session_tickets, 1); | |
883 | |
884 #ifdef SSL_OP_NO_TICKET | |
885 if (!conf->session_tickets) { | |
886 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
887 } | |
888 #endif | |
889 | |
890 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
891 prev->session_ticket_keys, NULL); | |
892 | |
893 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
894 != NGX_OK) | |
895 { | |
896 return NGX_CONF_ERROR; | |
897 } | |
898 | |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
899 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
900 return NGX_CONF_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
901 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
902 |
6115 | 903 return NGX_CONF_OK; |
904 } | |
905 | |
906 | |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
907 static ngx_int_t |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
908 ngx_stream_ssl_compile_certificates(ngx_conf_t *cf, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
909 ngx_stream_ssl_conf_t *conf) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
910 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
911 ngx_str_t *cert, *key; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
912 ngx_uint_t i, nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
913 ngx_stream_complex_value_t *cv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
914 ngx_stream_compile_complex_value_t ccv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
915 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
916 cert = conf->certificates->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
917 key = conf->certificate_keys->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
918 nelts = conf->certificates->nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
919 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
920 for (i = 0; i < nelts; i++) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
921 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
922 if (ngx_stream_script_variables_count(&cert[i])) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
923 goto found; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
924 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
925 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
926 if (ngx_stream_script_variables_count(&key[i])) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
927 goto found; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
928 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
929 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
930 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
931 return NGX_OK; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
932 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
933 found: |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
934 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
935 conf->certificate_values = ngx_array_create(cf->pool, nelts, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
936 sizeof(ngx_stream_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
937 if (conf->certificate_values == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
938 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
939 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
940 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
941 conf->certificate_key_values = ngx_array_create(cf->pool, nelts, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
942 sizeof(ngx_stream_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
943 if (conf->certificate_key_values == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
944 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
945 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
946 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
947 for (i = 0; i < nelts; i++) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
948 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
949 cv = ngx_array_push(conf->certificate_values); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
950 if (cv == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
951 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
952 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
953 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
954 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
955 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
956 ccv.cf = cf; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
957 ccv.value = &cert[i]; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
958 ccv.complex_value = cv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
959 ccv.zero = 1; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
960 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
961 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
962 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
963 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
964 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
965 cv = ngx_array_push(conf->certificate_key_values); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
966 if (cv == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
967 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
968 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
969 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
970 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
971 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
972 ccv.cf = cf; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
973 ccv.value = &key[i]; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
974 ccv.complex_value = cv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
975 ccv.zero = 1; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
976 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
977 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
978 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
979 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
980 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
981 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
982 conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
983 if (conf->passwords == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
984 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
985 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
986 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
987 return NGX_OK; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
988 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
989 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
990 |
6115 | 991 static char * |
992 ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
993 { | |
994 ngx_stream_ssl_conf_t *scf = conf; | |
995 | |
996 ngx_str_t *value; | |
997 | |
998 if (scf->passwords != NGX_CONF_UNSET_PTR) { | |
999 return "is duplicate"; | |
1000 } | |
1001 | |
1002 value = cf->args->elts; | |
1003 | |
1004 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); | |
1005 | |
1006 if (scf->passwords == NULL) { | |
1007 return NGX_CONF_ERROR; | |
1008 } | |
1009 | |
1010 return NGX_CONF_OK; | |
1011 } | |
1012 | |
1013 | |
1014 static char * | |
1015 ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
1016 { | |
1017 ngx_stream_ssl_conf_t *scf = conf; | |
1018 | |
1019 size_t len; | |
1020 ngx_str_t *value, name, size; | |
1021 ngx_int_t n; | |
1022 ngx_uint_t i, j; | |
1023 | |
1024 value = cf->args->elts; | |
1025 | |
1026 for (i = 1; i < cf->args->nelts; i++) { | |
1027 | |
1028 if (ngx_strcmp(value[i].data, "off") == 0) { | |
1029 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
1030 continue; | |
1031 } | |
1032 | |
1033 if (ngx_strcmp(value[i].data, "none") == 0) { | |
1034 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
1035 continue; | |
1036 } | |
1037 | |
1038 if (ngx_strcmp(value[i].data, "builtin") == 0) { | |
1039 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
1040 continue; | |
1041 } | |
1042 | |
1043 if (value[i].len > sizeof("builtin:") - 1 | |
1044 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
1045 == 0) | |
1046 { | |
1047 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
1048 value[i].len - (sizeof("builtin:") - 1)); | |
1049 | |
1050 if (n == NGX_ERROR) { | |
1051 goto invalid; | |
1052 } | |
1053 | |
1054 scf->builtin_session_cache = n; | |
1055 | |
1056 continue; | |
1057 } | |
1058 | |
1059 if (value[i].len > sizeof("shared:") - 1 | |
1060 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
1061 == 0) | |
1062 { | |
1063 len = 0; | |
1064 | |
1065 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
1066 if (value[i].data[j] == ':') { | |
1067 break; | |
1068 } | |
1069 | |
1070 len++; | |
1071 } | |
1072 | |
1073 if (len == 0) { | |
1074 goto invalid; | |
1075 } | |
1076 | |
1077 name.len = len; | |
1078 name.data = value[i].data + sizeof("shared:") - 1; | |
1079 | |
1080 size.len = value[i].len - j - 1; | |
1081 size.data = name.data + len + 1; | |
1082 | |
1083 n = ngx_parse_size(&size); | |
1084 | |
1085 if (n == NGX_ERROR) { | |
1086 goto invalid; | |
1087 } | |
1088 | |
1089 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
1090 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
1091 "session cache \"%V\" is too small", | |
1092 &value[i]); | |
1093 | |
1094 return NGX_CONF_ERROR; | |
1095 } | |
1096 | |
1097 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
1098 &ngx_stream_ssl_module); | |
1099 if (scf->shm_zone == NULL) { | |
1100 return NGX_CONF_ERROR; | |
1101 } | |
1102 | |
1103 scf->shm_zone->init = ngx_ssl_session_cache_init; | |
1104 | |
1105 continue; | |
1106 } | |
1107 | |
1108 goto invalid; | |
1109 } | |
1110 | |
1111 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
1112 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
1113 } | |
1114 | |
1115 return NGX_CONF_OK; | |
1116 | |
1117 invalid: | |
1118 | |
1119 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
1120 "invalid session cache \"%V\"", &value[i]); | |
1121 | |
1122 return NGX_CONF_ERROR; | |
1123 } | |
6693 | 1124 |
1125 | |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1126 static char * |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1127 ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1128 { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1129 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1130 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1131 ngx_stream_ssl_conf_t *scf = conf; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1132 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1133 u_char *p; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1134 size_t len; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1135 ngx_str_t *value; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1136 ngx_uint_t i; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1137 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1138 if (scf->alpn.len) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1139 return "is duplicate"; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1140 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1141 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1142 value = cf->args->elts; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1143 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1144 len = 0; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1145 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1146 for (i = 1; i < cf->args->nelts; i++) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1147 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1148 if (value[i].len > 255) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1149 return "protocol too long"; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1150 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1151 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1152 len += value[i].len + 1; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1153 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1154 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1155 scf->alpn.data = ngx_pnalloc(cf->pool, len); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1156 if (scf->alpn.data == NULL) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1157 return NGX_CONF_ERROR; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1158 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1159 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1160 p = scf->alpn.data; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1161 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1162 for (i = 1; i < cf->args->nelts; i++) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1163 *p++ = value[i].len; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1164 p = ngx_cpymem(p, value[i].data, value[i].len); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1165 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1166 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1167 scf->alpn.len = len; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1168 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1169 return NGX_CONF_OK; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1170 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1171 #else |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1172 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1173 "the \"ssl_alpn\" directive requires OpenSSL " |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1174 "with ALPN support"); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1175 return NGX_CONF_ERROR; |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1176 #endif |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1177 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1178 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1179 |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
1180 static char * |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1181 ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1182 { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1183 #ifndef SSL_CONF_FLAG_FILE |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1184 return "is not supported on this platform"; |
8336
7ce28b4cc57e
SSL: fixed build by Sun C with old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1185 #else |
7ce28b4cc57e
SSL: fixed build by Sun C with old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1186 return NGX_CONF_OK; |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1187 #endif |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1188 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1189 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
1190 |
6693 | 1191 static ngx_int_t |
1192 ngx_stream_ssl_init(ngx_conf_t *cf) | |
1193 { | |
8632
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1194 ngx_uint_t i; |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1195 ngx_stream_listen_t *listen; |
6693 | 1196 ngx_stream_handler_pt *h; |
8632
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1197 ngx_stream_ssl_conf_t *scf; |
6693 | 1198 ngx_stream_core_main_conf_t *cmcf; |
1199 | |
1200 cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module); | |
1201 | |
1202 h = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers); | |
1203 if (h == NULL) { | |
1204 return NGX_ERROR; | |
1205 } | |
1206 | |
1207 *h = ngx_stream_ssl_handler; | |
1208 | |
8632
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1209 listen = cmcf->listen.elts; |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1210 |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1211 for (i = 0; i < cmcf->listen.nelts; i++) { |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1212 if (!listen[i].quic) { |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1213 continue; |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1214 } |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1215 |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1216 scf = listen[i].ctx->srv_conf[ngx_stream_ssl_module.ctx_index]; |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1217 |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1218 if (scf->certificates && !(scf->protocols & NGX_SSL_TLSv1_3)) { |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1219 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1220 "\"ssl_protocols\" must enable TLSv1.3 for " |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1221 "the \"listen ... quic\" directive in %s:%ui", |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1222 scf->file, scf->line); |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1223 return NGX_ERROR; |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1224 } |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1225 } |
a550d4fa3581
Stream: detect "listen .. quic" without TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8578
diff
changeset
|
1226 |
6693 | 1227 return NGX_OK; |
1228 } |