comparison src/event/ngx_event_openssl.c @ 510:24b676623d4f NGINX_0_8_7

nginx 0.8.7 *) Change: minimum supported OpenSSL version is 0.9.7. *) Change: the "ask" parameter of the "ssl_verify_client" directive was changed to the "optional" parameter and now it checks a client certificate if it was offered. Thanks to Brice Figureau. *) Feature: the $ssl_client_verify variable. Thanks to Brice Figureau. *) Feature: the "ssl_crl" directive. Thanks to Brice Figureau. *) Feature: the "proxy" parameter of the "geo" directive. *) Feature: the "image_filter" directive supports variables for setting size. *) Bugfix: the $ssl_client_cert variable usage corrupted memory; the bug had appeared in 0.7.7. Thanks to Sergey Zhuravlev. *) Bugfix: "proxy_pass_header" and "fastcgi_pass_header" directives did not pass to a client the "X-Accel-Redirect", "X-Accel-Limit-Rate", "X-Accel-Buffering", and "X-Accel-Charset" lines from backend response header. Thanks to Maxim Dounin. *) Bugfix: in handling "Last-Modified" and "Accept-Ranges" backend response header lines; the bug had appeared in 0.7.44. Thanks to Maxim Dounin. *) Bugfix: the "[alert] zero size buf" error if subrequest returns an empty response; the bug had appeared in 0.8.5.
author Igor Sysoev <http://sysoev.ru>
date Mon, 27 Jul 2009 00:00:00 +0400
parents f39b9e29530d
children 4c5d2c627a6c
95 95
96 96
97 ngx_int_t 97 ngx_int_t
98 ngx_ssl_init(ngx_log_t *log) 98 ngx_ssl_init(ngx_log_t *log)
99 { 99 {
100 #if OPENSSL_VERSION_NUMBER >= 0x00907000
101 OPENSSL_config(NULL); 100 OPENSSL_config(NULL);
102 #endif
103 101
104 SSL_library_init(); 102 SSL_library_init();
105 SSL_load_error_strings(); 103 SSL_load_error_strings();
106 104
107 #if (NGX_SSL_ENGINE)
108 ENGINE_load_builtin_engines(); 105 ENGINE_load_builtin_engines();
109 #endif
110 106
111 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); 107 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
112 108
113 if (ngx_ssl_connection_index == -1) { 109 if (ngx_ssl_connection_index == -1) {
114 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); 110 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
167 163
168 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); 164 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
169 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); 165 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
170 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); 166 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
171 167
172 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
173 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); 168 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
174 #endif
175 169
176 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); 170 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
177 171
178 if (ngx_ssl_protocols[protocols >> 1] != 0) { 172 if (ngx_ssl_protocols[protocols >> 1] != 0) {
179 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); 173 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
260 */ 254 */
261 255
262 ERR_clear_error(); 256 ERR_clear_error();
263 257
264 SSL_CTX_set_client_CA_list(ssl->ctx, list); 258 SSL_CTX_set_client_CA_list(ssl->ctx, list);
259
260 return NGX_OK;
261 }
262
263
264 ngx_int_t
265 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
266 {
267 X509_STORE *store;
268 X509_LOOKUP *lookup;
269
270 if (crl->len == 0) {
271 return NGX_OK;
272 }
273
274 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
275 return NGX_ERROR;
276 }
277
278 store = SSL_CTX_get_cert_store(ssl->ctx);
279
280 if (store == NULL) {
281 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
282 "SSL_CTX_get_cert_store() failed");
283 return NGX_ERROR;
284 }
285
286 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
287
288 if (lookup == NULL) {
289 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
290 "X509_STORE_add_lookup() failed");
291 return NGX_ERROR;
292 }
293
294 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM)
295 == 0)
296 {
297 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
298 "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
299 return NGX_ERROR;
300 }
301
302 X509_STORE_set_flags(store,
303 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
265 304
266 return NGX_OK; 305 return NGX_OK;
267 } 306 }
268 307
269 308
1199 if (sslerr == SSL_ERROR_SYSCALL) { 1238 if (sslerr == SSL_ERROR_SYSCALL) {
1200 1239
1201 if (err == NGX_ECONNRESET 1240 if (err == NGX_ECONNRESET
1202 || err == NGX_EPIPE 1241 || err == NGX_EPIPE
1203 || err == NGX_ENOTCONN 1242 || err == NGX_ENOTCONN
1204 #if !(NGX_CRIT_ETIMEDOUT)
1205 || err == NGX_ETIMEDOUT 1243 || err == NGX_ETIMEDOUT
1206 #endif
1207 || err == NGX_ECONNREFUSED 1244 || err == NGX_ECONNREFUSED
1208 || err == NGX_ENETDOWN 1245 || err == NGX_ENETDOWN
1209 || err == NGX_ENETUNREACH 1246 || err == NGX_ENETUNREACH
1210 || err == NGX_EHOSTDOWN 1247 || err == NGX_EHOSTDOWN
1211 || err == NGX_EHOSTUNREACH) 1248 || err == NGX_EHOSTUNREACH)
1972 return NGX_ERROR; 2009 return NGX_ERROR;
1973 } 2010 }
1974 2011
1975 p = s->data; 2012 p = s->data;
1976 2013
1977 for (i = 0; i < len; i++) { 2014 for (i = 0; i < cert.len - 1; i++) {
1978 *p++ = cert.data[i]; 2015 *p++ = cert.data[i];
1979 if (cert.data[i] == LF) { 2016 if (cert.data[i] == LF) {
1980 *p++ = '\t'; 2017 *p++ = '\t';
1981 } 2018 }
1982 } 2019 }
2106 2143
2107 return NGX_OK; 2144 return NGX_OK;
2108 } 2145 }
2109 2146
2110 2147
2148 ngx_int_t
2149 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2150 {
2151 X509 *cert;
2152
2153 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
2154 s->len = sizeof("FAILED") - 1;
2155 s->data = (u_char *) "FAILED";
2156
2157 return NGX_OK;
2158 }
2159
2160 cert = SSL_get_peer_certificate(c->ssl->connection);
2161
2162 if (cert) {
2163 s->len = sizeof("SUCCESS") - 1;
2164 s->data = (u_char *) "SUCCESS";
2165
2166 } else {
2167 s->len = sizeof("NONE") - 1;
2168 s->data = (u_char *) "NONE";
2169 }
2170
2171 X509_free(cert);
2172
2173 return NGX_OK;
2174 }
2175
2176
2111 static void * 2177 static void *
2112 ngx_openssl_create_conf(ngx_cycle_t *cycle) 2178 ngx_openssl_create_conf(ngx_cycle_t *cycle)
2113 { 2179 {
2114 ngx_openssl_conf_t *oscf; 2180 ngx_openssl_conf_t *oscf;
2115 2181
2129 2195
2130 2196
2131 static char * 2197 static char *
2132 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) 2198 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
2133 { 2199 {
2134 #if (NGX_SSL_ENGINE)
2135 ngx_openssl_conf_t *oscf = conf; 2200 ngx_openssl_conf_t *oscf = conf;
2136 2201
2137 ENGINE *engine; 2202 ENGINE *engine;
2138 ngx_str_t *value; 2203 ngx_str_t *value;
2139 2204
2164 } 2229 }
2165 2230
2166 ENGINE_free(engine); 2231 ENGINE_free(engine);
2167 2232
2168 return NGX_CONF_OK; 2233 return NGX_CONF_OK;
2169
2170 #else
2171
2172 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2173 "\"ssl_engine\" directive is available only in "
2174 "OpenSSL 0.9.7 and higher,");
2175
2176 return NGX_CONF_ERROR;
2177
2178 #endif
2179 } 2234 }
2180 2235
2181 2236
2182 static void 2237 static void
2183 ngx_openssl_exit(ngx_cycle_t *cycle) 2238 ngx_openssl_exit(ngx_cycle_t *cycle)
2184 { 2239 {
2185 #if (NGX_SSL_ENGINE)
2186 ENGINE_cleanup(); 2240 ENGINE_cleanup();
2187 #endif 2241 }
2188 }
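Review bot: ngx_ssl_crl sets X509_V_FLAG_CRL_CHECK_ALL together with X509_V_FLAG_CRL_CHECK on the context's store (new lines 302-303) without noting what that requires of the "ssl_crl" file: with CRL_CHECK_ALL OpenSSL expects a CRL for every issuer in the presented chain, so a file that carries only the leaf issuer's CRL makes verification of otherwise valid client certificates fail as soon as an intermediate CA is involved, and the new $ssl_client_verify then reports FAILED with no hint of the cause. A comment above the call, `/* CRL_CHECK_ALL: the file must contain a CRL for every CA in the chain, not just the leaf issuer */`, would make that operational requirement visible where the flags are chosen. The function is self-contained in this hunk; the CA list it is meant to pair with is installed elsewhere in the file and is not in view.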