comparison src/http/modules/ngx_http_ssl_module.c @ 632:5b73504dd4ba NGINX_1_1_0

nginx 1.1.0 *) Feature: cache loader run time decrease. *) Feature: "loader_files", "loader_sleep", and "loader_threshold" options of the "proxy/fastcgi/scgi/uwsgi_cache_path" directives. *) Feature: loading time decrease of configuration with large number of HTTPS sites. *) Feature: now nginx supports ECDHE key exchange ciphers. Thanks to Adrian Kotelba. *) Feature: the "lingering_close" directive. Thanks to Maxim Dounin. *) Bugfix: in closing connection for pipelined requests. Thanks to Maxim Dounin. *) Bugfix: nginx did not disable gzipping if client sent "gzip;q=0" in "Accept-Encoding" request header line. *) Bugfix: in timeout in unbuffered proxied mode. Thanks to Maxim Dounin. *) Bugfix: memory leaks when a "proxy_pass" directive contains variables and proxies to an HTTPS backend. Thanks to Maxim Dounin. *) Bugfix: in parameter validation of a "proxy_pass" directive with variables. Thanks to Lanshun Zhou. *) Bugfix: SSL did not work on QNX. Thanks to Maxim Dounin. *) Bugfix: SSL modules could not be built by gcc 4.6 without --with-debug option.
author Igor Sysoev <http://sysoev.ru>
date Mon, 01 Aug 2011 00:00:00 +0400
parents ad6fee8052d7
children 23ef0645ea57
631:9b978fa3cd33 632:5b73504dd4ba
11 11
12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, 12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
13 ngx_pool_t *pool, ngx_str_t *s); 13 ngx_pool_t *pool, ngx_str_t *s);
14 14
15 15
16 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" 16 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
17 #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
17 18
18 19
19 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, 20 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
20 ngx_http_variable_value_t *v, uintptr_t data); 21 ngx_http_variable_value_t *v, uintptr_t data);
21 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, 22 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
74 { ngx_string("ssl_dhparam"), 75 { ngx_string("ssl_dhparam"),
75 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, 76 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
76 ngx_conf_set_str_slot, 77 ngx_conf_set_str_slot,
77 NGX_HTTP_SRV_CONF_OFFSET, 78 NGX_HTTP_SRV_CONF_OFFSET,
78 offsetof(ngx_http_ssl_srv_conf_t, dhparam), 79 offsetof(ngx_http_ssl_srv_conf_t, dhparam),
80 NULL },
81
82 { ngx_string("ssl_ecdh_curve"),
83 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
84 ngx_conf_set_str_slot,
85 NGX_HTTP_SRV_CONF_OFFSET,
86 offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
79 NULL }, 87 NULL },
80 88
81 { ngx_string("ssl_protocols"), 89 { ngx_string("ssl_protocols"),
82 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, 90 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
83 ngx_conf_set_bitmask_slot, 91 ngx_conf_set_bitmask_slot,
310 * 318 *
311 * sscf->protocols = 0; 319 * sscf->protocols = 0;
312 * sscf->certificate = { 0, NULL }; 320 * sscf->certificate = { 0, NULL };
313 * sscf->certificate_key = { 0, NULL }; 321 * sscf->certificate_key = { 0, NULL };
314 * sscf->dhparam = { 0, NULL }; 322 * sscf->dhparam = { 0, NULL };
323 * sscf->ecdh_curve = { 0, NULL };
315 * sscf->client_certificate = { 0, NULL }; 324 * sscf->client_certificate = { 0, NULL };
316 * sscf->crl = { 0, NULL }; 325 * sscf->crl = { 0, NULL };
317 * sscf->ciphers = { 0, NULL }; 326 * sscf->ciphers = { 0, NULL };
318 * sscf->shm_zone = NULL; 327 * sscf->shm_zone = NULL;
319 */ 328 */
357 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); 366 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
358 367
359 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, 368 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
360 ""); 369 "");
361 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); 370 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
371
372 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
373 NGX_DEFAULT_ECDH_CURVE);
362 374
363 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); 375 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
364 376
365 377
366 conf->ssl.log = cf->log; 378 conf->ssl.log = cf->log;
463 if (conf->prefer_server_ciphers) { 475 if (conf->prefer_server_ciphers) {
464 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 476 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
465 } 477 }
466 478
467 /* a temporary 512-bit RSA key is required for export versions of MSIE */ 479 /* a temporary 512-bit RSA key is required for export versions of MSIE */
468 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { 480 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
481
482 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
469 return NGX_CONF_ERROR; 483 return NGX_CONF_ERROR;
470 } 484 }
471 485
472 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { 486 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
473 return NGX_CONF_ERROR; 487 return NGX_CONF_ERROR;
474 } 488 }
475 489
476 ngx_conf_merge_value(conf->builtin_session_cache, 490 ngx_conf_merge_value(conf->builtin_session_cache,
477 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); 491 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
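Review bot: The comment kept at new line 479, "a temporary 512-bit RSA key is required for export versions of MSIE", no longer matches the code beneath it: the eager ngx_ssl_generate_rsa512_key() call is replaced by SSL_CTX_set_tmp_rsa_callback(), so the key is now produced by ngx_ssl_rsa512_key_callback when OpenSSL asks for a temporary RSA key rather than at configuration time (the callback itself is defined outside this file, so I am inferring its behaviour from the name). The comment should also record the condition under which that 512-bit key can ever back a handshake, since a reader seeing a 512-bit key in the TLS path will otherwise flag it: OpenSSL only requests a temporary RSA key for export-grade cipher suites, and the default list `"HIGH:!aNULL:!MD5"` on line 16 admits none of them, so the callback is reachable only when an operator explicitly configures export ciphers. Suggested wording: `/* a temporary 512-bit RSA key is required for export versions of MSIE; generated on demand by the callback, and only reached if the ssl_ciphers list admits export ciphers, which NGX_DEFAULT_CIPHERS does not */`. The new ngx_ssl_ecdh_curve() call at line 486 is checked for NGX_OK like the dhparam call above it, which is right; whether the curve name from ssl_ecdh_curve is validated happens inside that helper, outside this hunk. The enclosing merge function starts and ends outside the hunk.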