comparison src/http/modules/ngx_http_ssl_module.c @ 688:f31b19fe7f48 NGINX_1_3_7
nginx 1.3.7
*) Feature: OCSP stapling support.
Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work.
*) Feature: the "ssl_trusted_certificate" directive.
*) Feature: resolver now randomly rotates addresses returned from cache.
Thanks to Anton Jouline.
*) Bugfix: OpenSSL 0.9.7 compatibility.
author | Igor Sysoev <http://sysoev.ru> |
date | Tue, 02 Oct 2012 00:00:00 +0400 |
parents | d0f7a625f27c |
children | b5b7eea22fda |
30 | 30 |
31 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | 31 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, |
32 void *conf); | 32 void *conf); |
33 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 33 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
34 void *conf); | 34 void *conf); |
35 | |
36 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); | |
35 | 37 |
36 | 38 |
37 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | 39 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { |
38 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | 40 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
39 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | 41 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, |
122 ngx_conf_set_str_slot, | 124 ngx_conf_set_str_slot, |
123 NGX_HTTP_SRV_CONF_OFFSET, | 125 NGX_HTTP_SRV_CONF_OFFSET, |
124 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), | 126 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), |
125 NULL }, | 127 NULL }, |
126 | 128 |
129 { ngx_string("ssl_trusted_certificate"), | |
130 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
131 ngx_conf_set_str_slot, | |
132 NGX_HTTP_SRV_CONF_OFFSET, | |
133 offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate), | |
134 NULL }, | |
135 | |
127 { ngx_string("ssl_prefer_server_ciphers"), | 136 { ngx_string("ssl_prefer_server_ciphers"), |
128 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 137 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
129 ngx_conf_set_flag_slot, | 138 ngx_conf_set_flag_slot, |
130 NGX_HTTP_SRV_CONF_OFFSET, | 139 NGX_HTTP_SRV_CONF_OFFSET, |
131 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | 140 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), |
150 ngx_conf_set_str_slot, | 159 ngx_conf_set_str_slot, |
151 NGX_HTTP_SRV_CONF_OFFSET, | 160 NGX_HTTP_SRV_CONF_OFFSET, |
152 offsetof(ngx_http_ssl_srv_conf_t, crl), | 161 offsetof(ngx_http_ssl_srv_conf_t, crl), |
153 NULL }, | 162 NULL }, |
154 | 163 |
164 { ngx_string("ssl_stapling"), | |
165 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
166 ngx_conf_set_flag_slot, | |
167 NGX_HTTP_SRV_CONF_OFFSET, | |
168 offsetof(ngx_http_ssl_srv_conf_t, stapling), | |
169 NULL }, | |
170 | |
171 { ngx_string("ssl_stapling_file"), | |
172 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
173 ngx_conf_set_str_slot, | |
174 NGX_HTTP_SRV_CONF_OFFSET, | |
175 offsetof(ngx_http_ssl_srv_conf_t, stapling_file), | |
176 NULL }, | |
177 | |
178 { ngx_string("ssl_stapling_responder"), | |
179 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
180 ngx_conf_set_str_slot, | |
181 NGX_HTTP_SRV_CONF_OFFSET, | |
182 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), | |
183 NULL }, | |
184 | |
185 { ngx_string("ssl_stapling_verify"), | |
186 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
187 ngx_conf_set_flag_slot, | |
188 NGX_HTTP_SRV_CONF_OFFSET, | |
189 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), | |
190 NULL }, | |
191 | |
155 ngx_null_command | 192 ngx_null_command |
156 }; | 193 }; |
157 | 194 |
158 | 195 |
159 static ngx_http_module_t ngx_http_ssl_module_ctx = { | 196 static ngx_http_module_t ngx_http_ssl_module_ctx = { |
160 ngx_http_ssl_add_variables, /* preconfiguration */ | 197 ngx_http_ssl_add_variables, /* preconfiguration */ |
161 NULL, /* postconfiguration */ | 198 ngx_http_ssl_init, /* postconfiguration */ |
162 | 199 |
163 NULL, /* create main configuration */ | 200 NULL, /* create main configuration */ |
164 NULL, /* init main configuration */ | 201 NULL, /* init main configuration */ |
165 | 202 |
166 ngx_http_ssl_create_srv_conf, /* create server configuration */ | 203 ngx_http_ssl_create_srv_conf, /* create server configuration */ |
323 * sscf->certificate = { 0, NULL }; | 360 * sscf->certificate = { 0, NULL }; |
324 * sscf->certificate_key = { 0, NULL }; | 361 * sscf->certificate_key = { 0, NULL }; |
325 * sscf->dhparam = { 0, NULL }; | 362 * sscf->dhparam = { 0, NULL }; |
326 * sscf->ecdh_curve = { 0, NULL }; | 363 * sscf->ecdh_curve = { 0, NULL }; |
327 * sscf->client_certificate = { 0, NULL }; | 364 * sscf->client_certificate = { 0, NULL }; |
365 * sscf->trusted_certificate = { 0, NULL }; | |
328 * sscf->crl = { 0, NULL }; | 366 * sscf->crl = { 0, NULL }; |
329 * sscf->ciphers = { 0, NULL }; | 367 * sscf->ciphers = { 0, NULL }; |
330 * sscf->shm_zone = NULL; | 368 * sscf->shm_zone = NULL; |
369 * sscf->stapling_file = { 0, NULL }; | |
370 * sscf->stapling_responder = { 0, NULL }; | |
331 */ | 371 */ |
332 | 372 |
333 sscf->enable = NGX_CONF_UNSET; | 373 sscf->enable = NGX_CONF_UNSET; |
334 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | 374 sscf->prefer_server_ciphers = NGX_CONF_UNSET; |
335 sscf->verify = NGX_CONF_UNSET_UINT; | 375 sscf->verify = NGX_CONF_UNSET_UINT; |
336 sscf->verify_depth = NGX_CONF_UNSET_UINT; | 376 sscf->verify_depth = NGX_CONF_UNSET_UINT; |
337 sscf->builtin_session_cache = NGX_CONF_UNSET; | 377 sscf->builtin_session_cache = NGX_CONF_UNSET; |
338 sscf->session_timeout = NGX_CONF_UNSET; | 378 sscf->session_timeout = NGX_CONF_UNSET; |
379 sscf->stapling = NGX_CONF_UNSET; | |
380 sscf->stapling_verify = NGX_CONF_UNSET; | |
339 | 381 |
340 return sscf; | 382 return sscf; |
341 } | 383 } |
342 | 384 |
343 | 385 |
378 | 420 |
379 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 421 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
380 | 422 |
381 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, | 423 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
382 ""); | 424 ""); |
425 ngx_conf_merge_str_value(conf->trusted_certificate, | |
426 prev->trusted_certificate, ""); | |
383 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); | 427 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
384 | 428 |
385 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | 429 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
386 NGX_DEFAULT_ECDH_CURVE); | 430 NGX_DEFAULT_ECDH_CURVE); |
387 | 431 |
388 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 432 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
389 | 433 |
434 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); | |
435 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); | |
436 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); | |
437 ngx_conf_merge_str_value(conf->stapling_responder, | |
438 prev->stapling_responder, ""); | |
390 | 439 |
391 conf->ssl.log = cf->log; | 440 conf->ssl.log = cf->log; |
392 | 441 |
393 if (conf->enable) { | 442 if (conf->enable) { |
394 | 443 |
477 conf->verify_depth) | 526 conf->verify_depth) |
478 != NGX_OK) | 527 != NGX_OK) |
479 { | 528 { |
480 return NGX_CONF_ERROR; | 529 return NGX_CONF_ERROR; |
481 } | 530 } |
482 | 531 } |
483 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { | 532 |
484 return NGX_CONF_ERROR; | 533 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
485 } | 534 &conf->trusted_certificate, |
535 conf->verify_depth) | |
536 != NGX_OK) | |
537 { | |
538 return NGX_CONF_ERROR; | |
539 } | |
540 | |
541 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { | |
542 return NGX_CONF_ERROR; | |
486 } | 543 } |
487 | 544 |
488 if (conf->prefer_server_ciphers) { | 545 if (conf->prefer_server_ciphers) { |
489 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | 546 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
490 } | 547 } |
513 != NGX_OK) | 570 != NGX_OK) |
514 { | 571 { |
515 return NGX_CONF_ERROR; | 572 return NGX_CONF_ERROR; |
516 } | 573 } |
517 | 574 |
575 if (conf->stapling) { | |
576 | |
577 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, | |
578 &conf->stapling_responder, conf->stapling_verify) | |
579 != NGX_OK) | |
580 { | |
581 return NGX_CONF_ERROR; | |
582 } | |
583 | |
584 } | |
585 | |
518 return NGX_CONF_OK; | 586 return NGX_CONF_OK; |
519 } | 587 } |
520 | 588 |
521 | 589 |
522 static char * | 590 static char * |
648 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 716 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
649 "invalid session cache \"%V\"", &value[i]); | 717 "invalid session cache \"%V\"", &value[i]); |
650 | 718 |
651 return NGX_CONF_ERROR; | 719 return NGX_CONF_ERROR; |
652 } | 720 } |
721 | |
722 | |
723 static ngx_int_t | |
724 ngx_http_ssl_init(ngx_conf_t *cf) | |
725 { | |
726 ngx_uint_t s; | |
727 ngx_http_ssl_srv_conf_t *sscf; | |
728 ngx_http_core_loc_conf_t *clcf; | |
729 ngx_http_core_srv_conf_t **cscfp; | |
730 ngx_http_core_main_conf_t *cmcf; | |
731 | |
732 cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); | |
733 cscfp = cmcf->servers.elts; | |
734 | |
735 for (s = 0; s < cmcf->servers.nelts; s++) { | |
736 | |
737 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
738 | |
739 if (!sscf->stapling) { | |
740 continue; | |
741 } | |
742 | |
743 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; | |
744 | |
745 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, | |
746 clcf->resolver_timeout) | |
747 != NGX_OK) | |
748 { | |
749 return NGX_ERROR; | |
750 } | |
751 } | |
752 | |
753 return NGX_OK; | |
754 } |
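Review bot: ngx_http_ssl_init (new lines 735–751) skips a server only when `sscf->stapling` is off, so a plain server block that inherited `ssl_stapling on` from the http level still reaches `ngx_ssl_stapling_resolver(cf, &sscf->ssl, …)`, while the matching `ngx_ssl_stapling` setup in the merge function appears to run only inside the `if (conf->enable)` branch that creates `conf->ssl.ctx` (the merge hunk starts and ends outside the visible lines, so this nesting is inferred from the excerpt). ngx_ssl_stapling_resolver is not on this page, so how it handles an `sscf->ssl` whose context was never created cannot be confirmed here, but nothing in the loop guarantees `sscf->ssl.ctx` is set before the call. Suggest guarding on the context as well as the flag: `if (sscf->ssl.ctx == NULL || !sscf->stapling) { continue; }`. A short comment above the loop, `/* only servers that actually created an SSL context can have stapling state */`, would make the intent explicit.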