comparison src/http/modules/ngx_http_ssl_module.c @ 632:5b73504dd4ba NGINX_1_1_0
nginx 1.1.0
*) Feature: cache loader run time decrease.
*) Feature: "loader_files", "loader_sleep", and "loader_threshold"
options of the "proxy/fastcgi/scgi/uwsgi_cache_path" directives.
*) Feature: loading time decrease of configuration with large number of
HTTPS sites.
*) Feature: now nginx supports ECDHE key exchange ciphers.
Thanks to Adrian Kotelba.
*) Feature: the "lingering_close" directive.
Thanks to Maxim Dounin.
*) Bugfix: in closing connection for pipelined requests.
Thanks to Maxim Dounin.
*) Bugfix: nginx did not disable gzipping if client sent "gzip;q=0" in
"Accept-Encoding" request header line.
*) Bugfix: in timeout in unbuffered proxied mode.
Thanks to Maxim Dounin.
*) Bugfix: memory leaks when a "proxy_pass" directive contains
variables and proxies to an HTTPS backend.
Thanks to Maxim Dounin.
*) Bugfix: in parameter validation of a "proxy_pass" directive with
variables.
Thanks to Lanshun Zhou.
*) Bugfix: SSL did not work on QNX.
Thanks to Maxim Dounin.
*) Bugfix: SSL modules could not be built by gcc 4.6 without
--with-debug option.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Mon, 01 Aug 2011 00:00:00 +0400 |
parents | ad6fee8052d7 |
children | 23ef0645ea57 |
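--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -11,11 +11,12 @@
 
 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
 ngx_pool_t *pool, ngx_str_t *s);
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_ECDH_CURVE "prime256v1"
 
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
@@ -74,10 +75,17 @@
 { ngx_string("ssl_dhparam"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, dhparam),
+NULL },
+
+{ ngx_string("ssl_ecdh_curve"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
 NULL },
 
 { ngx_string("ssl_protocols"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
 ngx_conf_set_bitmask_slot,
@@ -310,10 +318,11 @@
 *
 * sscf->protocols = 0;
 * sscf->certificate = { 0, NULL };
 * sscf->certificate_key = { 0, NULL };
 * sscf->dhparam = { 0, NULL };
+* sscf->ecdh_curve = { 0, NULL };
 * sscf->client_certificate = { 0, NULL };
 * sscf->crl = { 0, NULL };
 * sscf->ciphers = { 0, NULL };
 * sscf->shm_zone = NULL;
 */
@@ -357,10 +366,13 @@
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
 "");
 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
+
+ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
+NGX_DEFAULT_ECDH_CURVE);
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
 conf->ssl.log = cf->log;
@@ -463,15 +475,17 @@
 if (conf->prefer_server_ciphers) {
 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
 
 /* a temporary 512-bit RSA key is required for export versions of MSIE */
-if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
+SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+
+if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
-if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
 ngx_conf_merge_value(conf->builtin_session_cache,
 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);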
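Review bot: The temporary-RSA callback registered at new line 480 is installed unconditionally, and unlike the removed `ngx_ssl_generate_rsa512_key()` call, a key-generation failure can no longer be reported as `NGX_CONF_ERROR` when the configuration is loaded. Any such error would presumably surface only during a handshake inside `ngx_ssl_rsa512_key_callback`, which is not visible in this file. A 512-bit RSA key offers no meaningful protection and should only be requested when export cipher suites are negotiated, which the default `HIGH:!aNULL:!MD5` list is expected to exclude. I would extend the comment above the call to say so, e.g. `/* export suites only: the 512-bit key is generated lazily on first use; keep EXPORT ciphers out of ssl_ciphers */`. The enclosing merge function starts and ends outside the displayed lines.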