Mercurial > hg > nginx-vendor-current

diff src/event/ngx_event_openssl.c @ 112:408f195b3482 NGINX_0_3_3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
nginx 0.3.3 *) Change: the "bl" and "af" parameters of the "listen" directive was renamed to the "backlog" and "accept_filter". *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen" directive. *) Change: the "$msec" log parameter does not require now the additional the gettimeofday() system call. *) Feature: the -t switch now tests the "listen" directives. *) Bugfix: if the invalid address was specified in the "listen" directive, then after the -HUP signal nginx left an open socket in the CLOSED state. *) Bugfix: the mime type may be incorrectly set to default value for index file with variable in the name; bug appeared in 0.3.0. *) Feature: the "timer_resolution" directive. *) Feature: the millisecond "$upstream_response_time" log parameter. *) Bugfix: a temporary file with client request body now is removed just after the response header was transferred to a client. *) Bugfix: OpenSSL 0.9.6 compatibility. *) Bugfix: the SSL certificate and key file paths could not be relative. *) Bugfix: the "ssl_prefer_server_ciphers" directive did not work in the ngx_imap_ssl_module. *) Bugfix: the "ssl_protocols" directive allowed to specify the single protocol only.
author Igor Sysoev <http://sysoev.ru>
date Wed, 19 Oct 2005 00:00:00 +0400
parents cf3d6edb3ad6
children e85dca77c46a
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -105,7 +105,27 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
         return NGX_ERROR;
     }
 
-    SSL_CTX_set_options(ssl->ctx, SSL_OP_ALL);
+    /*
+     * these options are needed on client side only:
+     *    SSL_OP_MICROSOFT_SESS_ID_BUG
+     *    SSL_OP_NETSCAPE_CHALLENGE_BUG
+     *    SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+     */
+
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
+
+    /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
+
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
+
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+#endif
+
 
     if (ngx_ssl_protocols[protocols >> 1] != 0) {
         SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
@@ -120,20 +140,31 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
 
 
 ngx_int_t
-ngx_ssl_certificate(ngx_ssl_t *ssl, u_char *cert, u_char *key)
+ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+    ngx_str_t *key)
 {
-    if (SSL_CTX_use_certificate_chain_file(ssl->ctx, (char *) cert) == 0) {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
-                      cert);
+    if (ngx_conf_full_name(cf->cycle, cert) == NGX_ERROR) {
         return NGX_ERROR;
     }
 
-    if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key, SSL_FILETYPE_PEM)
+    if (SSL_CTX_use_certificate_chain_file(ssl->ctx, (char *) cert->data)
         == 0)
     {
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key);
+                      "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
+                      cert->data);
+        return NGX_ERROR;
+    }
+
+    if (ngx_conf_full_name(cf->cycle, key) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
+                                    SSL_FILETYPE_PEM) == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
         return NGX_ERROR;
     }
 
@@ -402,13 +433,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c,
                 return NGX_ERROR;
             }
 
-            if (ngx_mutex_lock(ngx_posted_events_mutex) == NGX_ERROR) {
-                return NGX_ERROR;
-            }
-
-            ngx_post_event(c->write);
-
-            ngx_mutex_unlock(ngx_posted_events_mutex);
+            ngx_post_event(c->write, &ngx_posted_events);
         }
 
         return NGX_OK;
@@ -632,13 +657,7 @@ ngx_ssl_write(ngx_connection_t *c, u_cha
                 return NGX_ERROR;
             }
 
-            if (ngx_mutex_lock(ngx_posted_events_mutex) == NGX_ERROR) {
-                return NGX_ERROR;
-            }
-
-            ngx_post_event(c->read);
-
-            ngx_mutex_unlock(ngx_posted_events_mutex);
+            ngx_post_event(c->read, &ngx_posted_events);
         }
 
         return n;
@@ -925,8 +944,8 @@ static char *
 ngx_openssl_noengine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {
     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-                       "\"ssl_engine\" is not supported: " NGX_SSL_NAME
-                       " library does not support crypto accelerators");
+                       "\"ssl_engine\" directive is available only in "
+                       "OpenSSL 0.9.7 and higher,");
 
     return NGX_CONF_ERROR;
 }