nginx-vendor-0-7: src/http/modules/ngx_http_ssl

comparison src/http/modules/ngx_http_ssl_module.c @ 502:89dc5654117c NGINX_0_7_63

nginx 0.7.63 *) Security: now "/../" are disabled in "Destination" request header line. *) Change: minimum supported OpenSSL version is 0.9.7. *) Change: the "ask" parameter of the "ssl_verify_client" directive was changed to the "optional" parameter and now it checks a client certificate if it was offered. Thanks to Brice Figureau. *) Feature: now the "-V" switch shows TLS SNI support. *) Feature: the $ssl_client_verify variable. Thanks to Brice Figureau. *) Feature: the "ssl_crl" directive. Thanks to Brice Figureau. *) Bugfix: the $ssl_client_cert variable usage corrupted memory; the bug had appeared in 0.7.7. Thanks to Sergey Zhuravlev. *) Feature: now the start cache loader runs in a separate process; this should improve large caches handling. *) Feature: now temporary files and permanent storage area may reside at different file systems. *) Bugfix: nginx counted incorrectly disk cache size. *) Change: now directive "gzip_disable msie6" does not disable gzipping for MSIE 6.0 SV1. *) Bugfix: nginx always added "Vary: Accept-Encoding" response header line, if both "gzip_static" and "gzip_vary" were on. *) Feature: the "proxy" parameter of the "geo" directive. *) Feature: the ngx_http_geoip_module. *) Feature: the "limit_rate_after" directive. Thanks to Ivan Debnar. *) Feature: the "limit_req_log_level" and "limit_conn_log_level" directives. *) Bugfix: now "limit_req" directive conforms to the leaky bucket algorithm. Thanks to Maxim Dounin. *) Bugfix: in ngx_http_limit_req_module. Thanks to Maxim Dounin. *) Bugfix: now nginx allows underscores in a request method. *) Bugfix: "proxy_pass_header" and "fastcgi_pass_header" directives did not pass to a client the "X-Accel-Redirect", "X-Accel-Limit-Rate", "X-Accel-Buffering", and "X-Accel-Charset" lines from backend response header. Thanks to Maxim Dounin. *) Bugfix: in handling "Last-Modified" and "Accept-Ranges" backend response header lines; the bug had appeared in 0.7.44. Thanks to Maxim Dounin. *) Feature: the "image_filter_transparency" directive. *) Feature: the "image_filter" directive supports variables for setting size. *) Bugfix: in PNG alpha-channel support in the ngx_http_image_filter_module. *) Bugfix: in transparency support in the ngx_http_image_filter_module. *) Feature: now several "perl_modules" directives may be used. *) Bugfix: ngx_http_perl_module responses did not work in subrequests. *) Bugfix: nginx sent '\0' in a "Location" response header line on MKCOL request. Thanks to Xie Zhenye. *) Bugfix: an "error_page" directive did not redirect a 413 error; the bug had appeared in 0.6.10. *) Bugfix: in memory allocation error handling. Thanks to Maxim Dounin and Kirill A. Korinskiy.

author	Igor Sysoev <http://sysoev.ru>
date	Mon, 26 Oct 2009 00:00:00 +0300
parents	549994537f15
children	b9fdcaf2062b

comparison

equal deleted inserted replaced

-:dc87c92181c7
+:89dc5654117c
 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
-#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE)
-static char *ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd,
-void *conf);
-static char  ngx_http_ssl_openssl097[] = "OpenSSL 0.9.7 and higher";
-#endif
 static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
 static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
 { ngx_string("off"), 0 },
 { ngx_string("on"), 1 },
-{ ngx_string("ask"), 2 },
+{ ngx_string("optional"), 2 },
 { ngx_null_string, 0 }
 };
 static ngx_command_t  ngx_http_ssl_commands[] = {
 offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
 NULL },
 { ngx_string("ssl_prefer_server_ciphers"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
 ngx_conf_set_flag_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
 NULL },
-#else
-ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 },
-#endif
 { ngx_string("ssl_session_cache"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
 ngx_http_ssl_session_cache,
 NGX_HTTP_SRV_CONF_OFFSET,
 { ngx_string("ssl_session_timeout"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_sec_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
+NULL },
+{ ngx_string("ssl_crl"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, crl),
 NULL },
 ngx_null_command
 };
 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
+{ ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
+(uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
 {
 ngx_http_ssl_srv_conf_t  *sscf;
 sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
 if (sscf == NULL) {
-return NGX_CONF_ERROR;
+return NULL;
 }
 /*
 * set by ngx_pcalloc():
 *
 *     sscf->protocols = 0;
 *     sscf->certificate = { 0, NULL };
 *     sscf->certificate_key = { 0, NULL };
 *     sscf->dhparam = { 0, NULL };
 *     sscf->client_certificate = { 0, NULL };
+*     sscf->crl = { 0, NULL };
 *     sscf->ciphers.len = 0;
 *     sscf->ciphers.data = NULL;
 *     sscf->shm_zone = NULL;
 */
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
 "");
+ngx_conf_merge_str_value(conf->crl, prev->crl, "");
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 conf->ssl.log = cf->log;
 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
 ngx_http_ssl_servername)
 == 0)
 {
-ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
+ngx_log_error(NGX_LOG_WARN, cf->log, 0,
-"SSL_CTX_set_tlsext_servername_callback() failed");
+"nginx was built with SNI support, however, now it is linked "
-return NGX_CONF_ERROR;
+"dynamically to an OpenSSL library which has no tlsext support, "
+"therefore SNI is not available");
 }
 #endif
 cln = ngx_pool_cleanup_add(cf->pool, 0);
 conf->verify_depth)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
-}
+if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+return NGX_CONF_ERROR;
+}
+}
 if (conf->prefer_server_ciphers) {
 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
-#endif
 /* a temporary 512-bit RSA key is required for export versions of MSIE */
 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
 "invalid session cache \"%V\"", &value[i]);
 return NGX_CONF_ERROR;
 }
-#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE)
-static char *
-ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
-{
-ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-"\"%V\" directive is available only in %s,",
-&cmd->name, cmd->post);
-return NGX_CONF_ERROR;
-}
-#endif

Mercurial > hg > nginx-vendor-0-7

comparison src/http/modules/ngx_http_ssl_module.c @ 502:89dc5654117c NGINX_0_7_63