comparison src/http/modules/ngx_http_ssl_module.c @ 688:f31b19fe7f48 NGINX_1_3_7

nginx 1.3.7 *) Feature: OCSP stapling support. Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work. *) Feature: the "ssl_trusted_certificate" directive. *) Feature: resolver now randomly rotates addresses returned from cache. Thanks to Anton Jouline. *) Bugfix: OpenSSL 0.9.7 compatibility.
author Igor Sysoev <http://sysoev.ru>
date Tue, 02 Oct 2012 00:00:00 +0400
parents d0f7a625f27c
children b5b7eea22fda
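--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -30,10 +30,12 @@
 
 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
+
+static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
 
 
 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
@@ -122,10 +124,17 @@
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
 NULL },
 
+{ ngx_string("ssl_trusted_certificate"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
+NULL },
+
 { ngx_string("ssl_prefer_server_ciphers"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
@@ -150,17 +159,45 @@
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, crl),
 NULL },
 
+{ ngx_string("ssl_stapling"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ngx_conf_set_flag_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, stapling),
+NULL },
+
+{ ngx_string("ssl_stapling_file"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
+NULL },
+
+{ ngx_string("ssl_stapling_responder"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
+NULL },
+
+{ ngx_string("ssl_stapling_verify"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ngx_conf_set_flag_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
+NULL },
+
 ngx_null_command
 };
 
 
 static ngx_http_module_t ngx_http_ssl_module_ctx = {
 ngx_http_ssl_add_variables, /* preconfiguration */
-NULL, /* postconfiguration */
+ngx_http_ssl_init, /* postconfiguration */
 
 NULL, /* create main configuration */
 NULL, /* init main configuration */
 
 ngx_http_ssl_create_srv_conf, /* create server configuration */
@@ -323,21 +360,26 @@
 * sscf->certificate = { 0, NULL };
 * sscf->certificate_key = { 0, NULL };
 * sscf->dhparam = { 0, NULL };
 * sscf->ecdh_curve = { 0, NULL };
 * sscf->client_certificate = { 0, NULL };
+* sscf->trusted_certificate = { 0, NULL };
 * sscf->crl = { 0, NULL };
 * sscf->ciphers = { 0, NULL };
 * sscf->shm_zone = NULL;
+* sscf->stapling_file = { 0, NULL };
+* sscf->stapling_responder = { 0, NULL };
 */
 
 sscf->enable = NGX_CONF_UNSET;
 sscf->prefer_server_ciphers = NGX_CONF_UNSET;
 sscf->verify = NGX_CONF_UNSET_UINT;
 sscf->verify_depth = NGX_CONF_UNSET_UINT;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
+sscf->stapling = NGX_CONF_UNSET;
+sscf->stapling_verify = NGX_CONF_UNSET;
 
 return sscf;
 }
 
 
@@ -378,17 +420,24 @@
 
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
 "");
+ngx_conf_merge_str_value(conf->trusted_certificate,
+prev->trusted_certificate, "");
 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
 
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
+ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
+ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
+ngx_conf_merge_str_value(conf->stapling_responder,
+prev->stapling_responder, "");
 
 conf->ssl.log = cf->log;
 
 if (conf->enable) {
 
@@ -477,14 +526,22 @@
 conf->verify_depth)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
-
-if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
-return NGX_CONF_ERROR;
-}
+}
+
+if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
+&conf->trusted_certificate,
+conf->verify_depth)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
+if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+return NGX_CONF_ERROR;
 }
 
 if (conf->prefer_server_ciphers) {
 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
@@ -513,10 +570,21 @@
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
 
+if (conf->stapling) {
+
+if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
+&conf->stapling_responder, conf->stapling_verify)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
+}
+
 return NGX_CONF_OK;
 }
 
 
 static char *
@@ -648,5 +716,39 @@
 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
 "invalid session cache \"%V\"", &value[i]);
 
 return NGX_CONF_ERROR;
 }
+
+
+static ngx_int_t
+ngx_http_ssl_init(ngx_conf_t *cf)
+{
+ngx_uint_t s;
+ngx_http_ssl_srv_conf_t *sscf;
+ngx_http_core_loc_conf_t *clcf;
+ngx_http_core_srv_conf_t **cscfp;
+ngx_http_core_main_conf_t *cmcf;
+
+cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
+cscfp = cmcf->servers.elts;
+
+for (s = 0; s < cmcf->servers.nelts; s++) {
+
+sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
+
+if (!sscf->stapling) {
+continue;
+}
+
+clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
+
+if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
+clcf->resolver_timeout)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+}
+
+return NGX_OK;
+}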
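Review bot: `ssl_stapling_verify` is merged with a default of 0 in ngx_http_ssl_merge_srv_conf (`ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);`), so a server that only sets `ssl_stapling on` hands `stapling_verify == 0` to `ngx_ssl_stapling()` and, as far as this page shows, will staple whatever the responder returns without checking its signature; since the responder is normally reached over plain HTTP, an on-path attacker could then feed a bogus response that clients reject, and that default deserves a why-comment at the merge line, e.g. `/* off by default: fetched OCSP responses are stapled unverified unless ssl_stapling_verify on (which presumably needs the issuer chain in ssl_trusted_certificate) */`. The dependency on `ssl_trusted_certificate` is inferred from the new unconditional `ngx_ssl_trusted_certificate()` call, not visible here, so confirm it against ngx_ssl_stapling() before committing the wording. Separately, `ngx_http_ssl_init` passes `clcf->resolver` straight through to `ngx_ssl_stapling_resolver()`; when no `resolver` directive is configured that is presumably NULL, and whether a hostname `ssl_stapling_responder` then fails at config time or only silently at runtime cannot be told from this hunk, so a config-time check or a comment stating the expectation would help operators. ngx_http_ssl_merge_srv_conf starts before the hunks that change it.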