Mercurial > hg > nginx-vendor-current

diff src/http/modules/ngx_http_ssl_module.c @ 96:ca4f70b3ccc6 NGINX_0_2_2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
nginx 0.2.2 *) Feature: the "config errmsg" command of the ngx_http_ssi_module. *) Change: the ngx_http_geo_module variables can be overridden by the "set" directive. *) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. *) Bugfix: the ngx_http_autoindex_module did not show correctly the long file names; *) Bugfix: the ngx_http_autoindex_module now do not show the files starting by dot. *) Bugfix: if the SSL handshake failed then another connection may be closed too. Thanks to Rob Mueller. *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
author Igor Sysoev <http://sysoev.ru>
date Fri, 30 Sep 2005 00:00:00 +0400
parents 45945fa8b8ba
children 408f195b3482
line wrap: on
line diff
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -8,9 +8,9 @@
 #include <ngx_core.h>
 #include <ngx_http.h>
 
-
 #define NGX_DEFLAUT_CERTIFICATE      "cert.pem"
 #define NGX_DEFLAUT_CERTIFICATE_KEY  "cert.pem"
+#define NGX_DEFLAUT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 
 
 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
@@ -18,6 +18,14 @@ static char *ngx_http_ssl_merge_srv_conf
     void *parent, void *child);
 
 
+static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
+    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+    { ngx_null_string, 0 }
+};
+
+
 static ngx_command_t  ngx_http_ssl_commands[] = {
 
     { ngx_string("ssl"),
@@ -41,13 +49,27 @@ static ngx_command_t  ngx_http_ssl_comma
       offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
       NULL },
 
+    { ngx_string("ssl_protocols"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_bitmask_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, protocols),
+      &ngx_http_ssl_protocols },
+
     { ngx_string("ssl_ciphers"),
-      NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
       ngx_conf_set_str_slot,
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, ciphers),
       NULL },
 
+    { ngx_string("ssl_prefer_server_ciphers"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
+      NULL },
+
       ngx_null_command
 };
 
@@ -99,6 +121,8 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
     /*
      * set by ngx_pcalloc():
      *
+     *     scf->protocols = 0;
+
      *     scf->certificate.len = 0;
      *     scf->certificate.data = NULL;
      *     scf->certificate_key.len = 0;
@@ -108,6 +132,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
      */
 
     scf->enable = NGX_CONF_UNSET;
+    scf->prefer_server_ciphers = NGX_CONF_UNSET;
 
     return scf;
 }
@@ -125,101 +150,60 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
         return NGX_CONF_OK;
     }
 
+    ngx_conf_merge_value(conf->prefer_server_ciphers,
+                         prev->prefer_server_ciphers, 0);
+
+    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+                         (NGX_CONF_BITMASK_SET
+                          |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+
     ngx_conf_merge_str_value(conf->certificate, prev->certificate,
-                             NGX_DEFLAUT_CERTIFICATE);
+                         NGX_DEFLAUT_CERTIFICATE);
 
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
-                             NGX_DEFLAUT_CERTIFICATE_KEY);
+                         NGX_DEFLAUT_CERTIFICATE_KEY);
 
-    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, "");
+    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
 
 
-    /* TODO: configure methods */
+    conf->ssl.log = cf->log;
 
-    conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-
-    if (conf->ssl_ctx == NULL) {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed");
+    if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
 
-    if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx)
-        == NULL)
+    if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL)
     {
         return NGX_CONF_ERROR;
     }
 
-
-    if (conf->ciphers.len) {
-        if (SSL_CTX_set_cipher_list(conf->ssl_ctx,
-                                   (const char *) conf->ciphers.data) == 0)
-        {
-            ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
-                          "SSL_CTX_set_cipher_list(\"%V\") failed",
-                          &conf->ciphers);
-        }
-    }
-
-    if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx,
-                                         (char *) conf->certificate.data) == 0)
+    if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data,
+                            conf->certificate_key.data) != NGX_OK)
     {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
-                      "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
-                      conf->certificate.data);
         return NGX_CONF_ERROR;
     }
 
-    if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx,
-                                    (char *) conf->certificate_key.data,
-                                    SSL_FILETYPE_PEM) == 0)
+    if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
+                                (const char *) conf->ciphers.data) == 0)
     {
         ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
-                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed",
-                      conf->certificate_key.data);
+                      "SSL_CTX_set_cipher_list(\"%V\") failed",
+                      &conf->ciphers);
+    }
+
+    if (conf->prefer_server_ciphers) {
+        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+
+    /* a temporary 512-bit RSA key is required for export versions of MSIE */
+    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
 
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-
-    SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+    SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER);
 
-    SSL_CTX_set_read_ahead(conf->ssl_ctx, 1);
-
-    SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER);
-
-    SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_http_session_id_ctx,
+    SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx,
                                    sizeof(ngx_http_session_id_ctx) - 1);
 
     return NGX_CONF_OK;
 }
-
-
-#if 0
-
-/* how to enumrate server' configs */
-
-static ngx_int_t
-ngx_http_ssl_init_process(ngx_cycle_t *cycle)
-{
-    ngx_uint_t                   i;
-    ngx_http_ssl_srv_conf_t     *sscf;
-    ngx_http_core_srv_conf_t   **cscfp;
-    ngx_http_core_main_conf_t   *cmcf;
-
-    cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module);
-
-    cscfp = cmcf->servers.elts;
-
-    for (i = 0; i < cmcf->servers.nelts; i++) {
-        sscf = cscfp[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
-
-        if (sscf->enable) {
-            cscfp[i]->recv = ngx_ssl_recv;
-            cscfp[i]->send_chain = ngx_ssl_send_chain;
-        }
-    }
-
-    return NGX_OK;
-}
-
-#endif