annotate src/http/modules/ngx_http_ssl_module.c @ 9119:08ef02ad5c54
HTTP/2: "http2" directive.
The directive enables HTTP/2 in the current server. The previous way to
enable HTTP/2 via "listen ... http2" is now deprecated. The new approach
allows HTTP/2 and HTTP/0.9-1.1 to share the same port.
For SSL connections, HTTP/2 is now selected by ALPN callback based on whether
the protocol is enabled in the virtual server chosen by SNI. This however only
works since OpenSSL 1.0.2h, where ALPN callback is invoked after SNI callback.
For older versions of OpenSSL, HTTP/2 is enabled based on the default virtual
server configuration.
For plain TCP connections, HTTP/2 is now auto-detected by HTTP/2 preface, if
HTTP/2 is enabled in the default virtual server. If preface is not matched,
HTTP/0.9-1.1 is assumed.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 16 May 2023 16:30:08 +0400 |
parents | 69bae2437d74 |
children | 0aaa09927703 |
rev | line source |
---|---|
1 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
5 */ |
6 |
7 |
8 #include <ngx_config.h> |
9 #include <ngx_core.h> |
10 #include <ngx_http.h> |
11 |
12 #if (NGX_QUIC_OPENSSL_COMPAT) |
13 #include <ngx_event_quic_openssl_compat.h> |
14 #endif |
15 |
573 | 16 |
/*
 * Function-pointer type for SSL variable getters: takes the connection, a
 * pool and an ngx_str_t, and returns an ngx_int_t status.
 * NOTE(review): presumably the handler writes its result into *s using
 * memory from pool - the handlers themselves are not in this part of the
 * file, confirm there.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);


/*
 * Built-in defaults; presumably applied when "ssl_ciphers" and
 * "ssl_ecdh_curve" are not set (the merge code is outside this part of the
 * file - confirm there).
 *
 * In OpenSSL cipher-list syntax "HIGH:!aNULL:!MD5" selects the high-strength
 * suites and removes suites without authentication (aNULL) and suites that
 * use MD5.
 */
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE "auto"

/*
 * ALPN protocol list in wire format: each name is preceded by a one-byte
 * length, and 0x08 is the length of "http/1.1", "http/1.0" and "http/0.9".
 * The character after each "\x08" is 'h', which is not a hex digit, so the
 * escape cannot absorb the following character.
 *
 * "h2" is not part of this constant.  Line attributed to changeset
 * db6b630e6086, "HTTP: connections with wrong ALPN protocols are now
 * rejected."
 */
#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
25 |
26 |
/*
 * ALPN selection callback, declared only when the SSL library headers define
 * the ALPN extension type.  The parameter list is the one OpenSSL expects of
 * an ALPN select callback: in/inlen is the protocol list offered by the
 * client and out/outlen receives the selected entry.
 * NOTE(review): in/inlen is peer-controlled data from the ClientHello; the
 * definition is outside this part of the file - confirm that every read of
 * "in" is bounded by inlen.
 */
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
    const unsigned char **out, unsigned char *outlen,
    const unsigned char *in, unsigned int inlen, void *arg);
#endif

/* Variable getters for the http variable machinery. */
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

/* Module configuration hooks: variable registration, create and merge. */
static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
    void *parent, void *child);

static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
    ngx_http_ssl_srv_conf_t *conf);

/*
 * Directive handlers referenced from ngx_http_ssl_commands[]: "ssl",
 * "ssl_password_file", "ssl_session_cache" and "ssl_ocsp_cache".
 */
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

/* Post handler installed through ngx_http_ssl_conf_command_post. */
static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
    void *data);

static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
/* Only built together with the QUIC OpenSSL compatibility layer. */
#if (NGX_QUIC_OPENSSL_COMPAT)
static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf,
    ngx_http_conf_addr_t *addr);
#endif
63 |
64 |
/*
 * Name-to-flag table for the "ssl_protocols" directive.  The directive entry
 * in ngx_http_ssl_commands[] hands it to ngx_conf_set_bitmask_slot(), which
 * fills ngx_http_ssl_srv_conf_t.protocols.  The { ngx_null_string, 0 } entry
 * terminates the table.
 *
 * The table only decides which names parse.  "SSLv2" and "SSLv3" (prohibited
 * by RFC 6176 and RFC 7568) and "TLSv1"/"TLSv1.1" (deprecated by RFC 8996)
 * are still accepted; which protocols are enabled when the directive is
 * absent is decided where the server configuration is merged, outside this
 * part of the file.
 * NOTE(review): whether an accepted flag takes effect presumably also depends
 * on the SSL library nginx is built against - confirm before relying on it
 * in a hardening review.
 */
static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
    { ngx_null_string, 0 }
};
74 | |
75 | |
/*
 * Values of the "ssl_verify_client" directive.  The directive entry in
 * ngx_http_ssl_commands[] hands this table to ngx_conf_set_enum_slot(),
 * which stores the matching number in ngx_http_ssl_srv_conf_t.verify.
 * The { ngx_null_string, 0 } entry terminates the table.
 *
 * The numbers are compared elsewhere in the module, so they must stay in
 * step with that code.
 * NOTE(review): per the nginx documentation "optional_no_ca" (3) requests a
 * client certificate without requiring it to chain to a trusted CA; any
 * consumer that treats a presented certificate as authenticated has to check
 * the verification result itself - confirm against the code that reads
 * "verify".
 */
static ngx_conf_enum_t ngx_http_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }
};
83 | |
84 | |
/*
 * Values of the "ssl_ocsp" directive (client certificate validation with
 * OCSP).  The directive entry in ngx_http_ssl_commands[] hands this table to
 * ngx_conf_set_enum_slot(), which stores the matching number in
 * ngx_http_ssl_srv_conf_t.ocsp.  The { ngx_null_string, 0 } entry terminates
 * the table.
 * NOTE(review): per the nginx documentation "leaf" (2) limits validation to
 * the client certificate itself rather than the whole chain - confirm
 * against the code that reads "ocsp".
 */
static ngx_conf_enum_t ngx_http_ssl_ocsp[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("leaf"), 2 },
    { ngx_null_string, 0 }
};
91 |
92 |
/*
 * Deprecation record attached as the post field of the "ssl" directive in
 * ngx_http_ssl_commands[]: the handler is ngx_conf_deprecated, followed by
 * the deprecated name ("ssl") and the replacement ("listen ... ssl").
 */
static ngx_conf_deprecated_t ngx_http_ssl_deprecated = {
    ngx_conf_deprecated, "ssl", "listen ... ssl"
};
96 |
97 |
/*
 * Post-handler record whose handler is ngx_http_ssl_conf_command_check().
 * NOTE(review): presumably attached to the "ssl_conf_command" directive; the
 * end of that table entry is outside this part of the file - confirm there.
 */
static ngx_conf_post_t ngx_http_ssl_conf_command_post =
    { ngx_http_ssl_conf_command_check };
100 |
101 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
102 static ngx_command_t ngx_http_ssl_commands[] = { |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
103 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
392
diff
changeset
|
104 { ngx_string("ssl"), |
599 | 105 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
2224 | 106 ngx_http_ssl_enable, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
107 NGX_HTTP_SRV_CONF_OFFSET, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
108 offsetof(ngx_http_ssl_srv_conf_t, enable), |
7270
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
109 &ngx_http_ssl_deprecated }, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
110 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
111 { ngx_string("ssl_certificate"), |
599 | 112 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
113 ngx_conf_set_str_array_slot, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
114 NGX_HTTP_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
115 offsetof(ngx_http_ssl_srv_conf_t, certificates), |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
116 NULL }, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
117 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
118 { ngx_string("ssl_certificate_key"), |
599 | 119 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
120 ngx_conf_set_str_array_slot, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
121 NGX_HTTP_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
122 offsetof(ngx_http_ssl_srv_conf_t, certificate_keys), |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
123 NULL }, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
124 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
125 { ngx_string("ssl_password_file"), |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
126 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
127 ngx_http_ssl_password_file, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
128 NGX_HTTP_SRV_CONF_OFFSET, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
129 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
130 NULL }, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
131 |
2044 | 132 { ngx_string("ssl_dhparam"), |
133 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
134 ngx_conf_set_str_slot, | |
135 NGX_HTTP_SRV_CONF_OFFSET, | |
136 offsetof(ngx_http_ssl_srv_conf_t, dhparam), | |
137 NULL }, | |
138 | |
3960 | 139 { ngx_string("ssl_ecdh_curve"), |
140 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
141 ngx_conf_set_str_slot, | |
142 NGX_HTTP_SRV_CONF_OFFSET, | |
143 offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve), | |
144 NULL }, | |
145 | |
547 | 146 { ngx_string("ssl_protocols"), |
563 | 147 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
547 | 148 ngx_conf_set_bitmask_slot, |
149 NGX_HTTP_SRV_CONF_OFFSET, | |
150 offsetof(ngx_http_ssl_srv_conf_t, protocols), | |
151 &ngx_http_ssl_protocols }, | |
152 | |
479 | 153 { ngx_string("ssl_ciphers"), |
563 | 154 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
479 | 155 ngx_conf_set_str_slot, |
156 NGX_HTTP_SRV_CONF_OFFSET, | |
157 offsetof(ngx_http_ssl_srv_conf_t, ciphers), | |
158 NULL }, | |
159 | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
160 { ngx_string("ssl_buffer_size"), |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
161 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
162 ngx_conf_set_size_slot, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
163 NGX_HTTP_SRV_CONF_OFFSET, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
164 offsetof(ngx_http_ssl_srv_conf_t, buffer_size), |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
165 NULL }, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
166 |
647 | 167 { ngx_string("ssl_verify_client"), |
4273
e444e8f6538b
Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse.
Sergey Budnevitch <sb@waeme.net>
parents:
4234
diff
changeset
|
168 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
2123 | 169 ngx_conf_set_enum_slot, |
647 | 170 NGX_HTTP_SRV_CONF_OFFSET, |
171 offsetof(ngx_http_ssl_srv_conf_t, verify), | |
2123 | 172 &ngx_http_ssl_verify }, |
647 | 173 |
174 { ngx_string("ssl_verify_depth"), | |
5504
8ed467553f6b
SSL: fixed ssl_verify_depth to take only one argument.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5503
diff
changeset
|
175 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
647 | 176 ngx_conf_set_num_slot, |
177 NGX_HTTP_SRV_CONF_OFFSET, | |
178 offsetof(ngx_http_ssl_srv_conf_t, verify_depth), | |
179 NULL }, | |
180 | |
181 { ngx_string("ssl_client_certificate"), | |
182 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
183 ngx_conf_set_str_slot, | |
184 NGX_HTTP_SRV_CONF_OFFSET, | |
185 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), | |
186 NULL }, | |
187 | |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
188 { ngx_string("ssl_trusted_certificate"), |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
189 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
190 ngx_conf_set_str_slot, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
191 NGX_HTTP_SRV_CONF_OFFSET, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
192 offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate), |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
193 NULL }, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
194 |
547 | 195 { ngx_string("ssl_prefer_server_ciphers"), |
196 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
197 ngx_conf_set_flag_slot, | |
198 NGX_HTTP_SRV_CONF_OFFSET, | |
199 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | |
200 NULL }, | |
201 | |
973 | 202 { ngx_string("ssl_session_cache"), |
203 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | |
204 ngx_http_ssl_session_cache, | |
205 NGX_HTTP_SRV_CONF_OFFSET, | |
206 0, | |
207 NULL }, | |
208 | |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
209 { ngx_string("ssl_session_tickets"), |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
210 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
211 ngx_conf_set_flag_slot, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
212 NGX_HTTP_SRV_CONF_OFFSET, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
213 offsetof(ngx_http_ssl_srv_conf_t, session_tickets), |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
214 NULL }, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
215 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
216 { ngx_string("ssl_session_ticket_key"), |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
217 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
218 ngx_conf_set_str_array_slot, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
219 NGX_HTTP_SRV_CONF_OFFSET, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
220 offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys), |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
221 NULL }, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
222 |
573 | 223 { ngx_string("ssl_session_timeout"), |
224 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
225 ngx_conf_set_sec_slot, | |
226 NGX_HTTP_SRV_CONF_OFFSET, | |
227 offsetof(ngx_http_ssl_srv_conf_t, session_timeout), | |
228 NULL }, | |
229 | |
2995 | 230 { ngx_string("ssl_crl"), |
231 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
232 ngx_conf_set_str_slot, | |
233 NGX_HTTP_SRV_CONF_OFFSET, | |
234 offsetof(ngx_http_ssl_srv_conf_t, crl), | |
235 NULL }, | |
236 | |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
237 { ngx_string("ssl_ocsp"), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
238 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
239 ngx_conf_set_enum_slot, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
240 NGX_HTTP_SRV_CONF_OFFSET, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
241 offsetof(ngx_http_ssl_srv_conf_t, ocsp), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
242 &ngx_http_ssl_ocsp }, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
243 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
244 { ngx_string("ssl_ocsp_responder"), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
245 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
246 ngx_conf_set_str_slot, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
247 NGX_HTTP_SRV_CONF_OFFSET, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
248 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
249 NULL }, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
250 |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
251 { ngx_string("ssl_ocsp_cache"), |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
252 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
253 ngx_http_ssl_ocsp_cache, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
254 NGX_HTTP_SRV_CONF_OFFSET, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
255 0, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
256 NULL }, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
257 |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
258 { ngx_string("ssl_stapling"), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
259 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
260 ngx_conf_set_flag_slot, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
261 NGX_HTTP_SRV_CONF_OFFSET, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
262 offsetof(ngx_http_ssl_srv_conf_t, stapling), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
263 NULL }, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
264 |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
265 { ngx_string("ssl_stapling_file"), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
266 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
267 ngx_conf_set_str_slot, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
268 NGX_HTTP_SRV_CONF_OFFSET, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
269 offsetof(ngx_http_ssl_srv_conf_t, stapling_file), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
270 NULL }, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
271 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
272 { ngx_string("ssl_stapling_responder"), |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
273 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
274 ngx_conf_set_str_slot, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
275 NGX_HTTP_SRV_CONF_OFFSET, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
276 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
277 NULL }, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
278 |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
279 { ngx_string("ssl_stapling_verify"), |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
280 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
281 ngx_conf_set_flag_slot, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
282 NGX_HTTP_SRV_CONF_OFFSET, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
283 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
284 NULL }, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
285 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
286 { ngx_string("ssl_early_data"), |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
287 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
288 ngx_conf_set_flag_slot, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
289 NGX_HTTP_SRV_CONF_OFFSET, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
290 offsetof(ngx_http_ssl_srv_conf_t, early_data), |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
291 NULL }, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
292 |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
293 { ngx_string("ssl_conf_command"), |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
294 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
295 ngx_conf_set_keyval_slot, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
296 NGX_HTTP_SRV_CONF_OFFSET, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
297 offsetof(ngx_http_ssl_srv_conf_t, conf_commands), |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
298 &ngx_http_ssl_conf_command_post }, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
299 |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
300 { ngx_string("ssl_reject_handshake"), |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
301 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
302 ngx_conf_set_flag_slot, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
303 NGX_HTTP_SRV_CONF_OFFSET, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
304 offsetof(ngx_http_ssl_srv_conf_t, reject_handshake), |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
305 NULL }, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
306 |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
307 ngx_null_command |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
308 }; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
309 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
310 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
/*
 * HTTP-level hooks of the SSL module.
 *
 * Only the pre/postconfiguration hooks and the server-level configuration
 * callbacks are set; the main- and location-level slots are NULL.  This is
 * consistent with directives such as ssl_stapling_verify, ssl_early_data and
 * ssl_reject_handshake storing their values at NGX_HTTP_SRV_CONF_OFFSET.
 *
 * The slots are positional, so each trailing comment names the structure
 * member that the value lands in.
 */
static ngx_http_module_t  ngx_http_ssl_module_ctx = {
    ngx_http_ssl_add_variables,            /* preconfiguration */
    ngx_http_ssl_init,                     /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_http_ssl_create_srv_conf,          /* create server configuration */
    ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

    NULL,                                  /* create location configuration */
    NULL                                   /* merge location configuration */
};
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
324 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
325 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
/*
 * Module descriptor: binds ngx_http_ssl_module_ctx and the directive table
 * ngx_http_ssl_commands to the NGX_HTTP_MODULE type.  All master/module/
 * process/thread lifecycle hooks are NULL, so the module registers no
 * per-process initialisation or cleanup here.
 *
 * The layout is positional and framed by NGX_MODULE_V1 and
 * NGX_MODULE_V1_PADDING, so entries must stay in this order.
 */
ngx_module_t  ngx_http_ssl_module = {
    NGX_MODULE_V1,
    &ngx_http_ssl_module_ctx,              /* module context */
    ngx_http_ssl_commands,                 /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
340 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
341 |
/*
 * Variables exported by the module ($ssl_protocol, $ssl_cipher, ...).
 *
 * Each entry binds a variable name to a getter: the third field is the
 * wrapper that the variable machinery calls, and the fourth field carries,
 * cast to uintptr_t, the ngx_ssl_get_* function that the wrapper calls back.
 *
 * ssl_protocol and ssl_cipher go through ngx_http_ssl_static_variable(),
 * which passes a NULL pool to the handler and measures the result by scanning
 * for a NUL byte.  Every other entry goes through ngx_http_ssl_variable(),
 * which passes r->pool and uses the length reported by the handler.
 *
 * NOTE(review): judging by the handler names, the ssl_client_* values are
 * taken from the certificate presented by the peer.  Nothing in this table
 * shows whether that certificate passed verification, so configurations that
 * log these values, forward them to a backend or base access decisions on
 * them should presumably also check $ssl_client_verify - confirm against the
 * client verification settings in use.
 */
static ngx_http_variable_t  ngx_http_ssl_vars[] = {

    { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_curve"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_curve, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /*
     * The only entry that also sets NGX_HTTP_VAR_NOCACHEABLE.
     * NOTE(review): presumably because the early-data state can change
     * while a request is being processed - confirm in ngx_ssl_get_early_data.
     */
    { ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_early_data,
      NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },

    /*
     * NOTE(review): by its name this is the SNI host name sent by the
     * client, i.e. a client-controlled value - treat as untrusted input
     * where it is logged or used for routing; confirm in the handler.
     */
    { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /* client certificate in three encodings: plain, raw and escaped */

    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_escaped_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    /*
     * Subject and issuer DN.  The page annotates the *_legacy pair with the
     * change "RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn", so
     * the two pairs differ in DN formatting; rules that match on a DN
     * string need to target the right one.
     */

    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_start"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_start, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_end"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_end, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

      /* terminator entry */
      ngx_http_null_variable
};
418 | |
419 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
/*
 * NOTE(review): presumably the session id context handed to the SSL session
 * cache setup; the use of this string is outside this part of the file -
 * confirm at the call site.
 */
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
973 | 421 |
422 | |
5545
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
423 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
424 |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
/*
 * ALPN selection callback for HTTP connections.
 *
 * Chooses the list of protocols the server offers (srv/srvlen) from the
 * connection's configuration and lets SSL_select_next_proto() match it
 * against the list sent by the client (in/inlen).
 *
 * Returns SSL_TLSEXT_ERR_OK with *out and *outlen describing the selected
 * protocol, or SSL_TLSEXT_ERR_ALERT_FATAL when the lists do not overlap or
 * when a QUIC listener has neither HTTP/3 nor hq enabled.  The handshake is
 * thus failed rather than continued without an agreed protocol; the page
 * annotates that return with changeset 7937:db6b630e6086, "HTTP: connections
 * with wrong ALPN protocols are now rejected".
 *
 * Which protocols are offered depends on the server configuration reached
 * through hc->conf_ctx.  Per the description of changeset 9119:08ef02ad5c54,
 * this is the virtual server chosen by SNI only with OpenSSL 1.0.2h and
 * later, where the ALPN callback is invoked after the SNI callback; with
 * older versions the default virtual server's settings decide.
 *
 * The arg parameter is not used.
 */
static int
ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
    unsigned char *outlen, const unsigned char *in, unsigned int inlen,
    void *arg)
{
    unsigned int             srvlen;
    unsigned char           *srv;
#if (NGX_DEBUG)
    unsigned int             i;
#endif
#if (NGX_HTTP_V2 || NGX_HTTP_V3)
    ngx_http_connection_t   *hc;
#endif
#if (NGX_HTTP_V2)
    ngx_http_v2_srv_conf_t  *h2scf;
#endif
#if (NGX_HTTP_V3)
    ngx_http_v3_srv_conf_t  *h3scf;
#endif
#if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG)
    ngx_connection_t        *c;

    c = ngx_ssl_get_connection(ssl_conn);
#endif

#if (NGX_DEBUG)
    /*
     * Log every protocol offered by the client.  The list is walked as
     * length-prefixed items: one length byte, then that many bytes.
     *
     * NOTE(review): the walk trusts the length bytes and does not compare
     * them with inlen; it relies on the TLS library having validated the
     * list before invoking the callback - confirm for the library versions
     * supported.  Debug builds only.
     */
    for (i = 0; i < inlen; i += in[i] + 1) {
        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
                       "SSL ALPN supported by client: %*s",
                       (size_t) in[i], &in[i + 1]);
    }
#endif

#if (NGX_HTTP_V2 || NGX_HTTP_V3)
    /* presumably c->data is the ngx_http_connection_t at this stage */
    hc = c->data;
#endif

#if (NGX_HTTP_V3)
    /* QUIC listener: only HTTP/3 and/or hq are offered, never HTTP/1.x or h2 */
    if (hc->addr_conf->quic) {

        h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);

        if (h3scf->enable && h3scf->enable_hq) {
            /* adjacent string literals are concatenated into one list */
            srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO
                                    NGX_HTTP_V3_HQ_ALPN_PROTO;
            /* sizeof - 1 drops the terminating NUL of the literal */
            srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO)
                     - 1;

        } else if (h3scf->enable_hq) {
            srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO;
            srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1;

        } else if (h3scf->enable) {
            srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO;
            srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1;

        } else {
            /* neither protocol enabled for this server: refuse the handshake */
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        }

    } else
#endif
    {
        /*
         * Non-QUIC connection.  Note the "else" above and the one below
         * each bind to the brace block that follows the #endif, so these
         * blocks are unconditional when the feature is compiled out.
         */
#if (NGX_HTTP_V2)
        h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);

        /*
         * HTTP/2 is offered when enabled in the server configuration or via
         * the "http2" parameter of "listen" (described as deprecated in
         * changeset 9119:08ef02ad5c54).
         */
        if (h2scf->enable || hc->addr_conf->http2) {
            srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
            srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;

        } else
#endif
        {
            srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
            srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
        }
    }

    /*
     * srv is passed as the server-side list, so the server's order of
     * preference decides among the protocols both sides support.  The cast
     * drops the const of "out" because SSL_select_next_proto() takes a
     * non-const output pointer.  Anything other than a negotiated match is
     * treated as fatal.
     */
    if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
                              in, inlen)
        != OPENSSL_NPN_NEGOTIATED)
    {
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    /*
     * NOTE(review): "c" is declared only under NGX_HTTP_V2, NGX_HTTP_V3 or
     * NGX_DEBUG, so this presumably expands to nothing without NGX_DEBUG.
     */
    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
                   "SSL ALPN selected: %*s", (size_t) *outlen, *out);

    return SSL_TLSEXT_ERR_OK;
}
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
515 |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
516 #endif |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
517 |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
518 |
/*
 * Getter for SSL variables whose handler needs no memory pool.
 *
 * "data" carries the ngx_ssl_get_* handler cast to uintptr_t.  On an SSL
 * connection the handler is called with a NULL pool, its result pointer is
 * stored in v->data and the length is found by scanning for a NUL byte.  On
 * a non-SSL connection the variable is marked as not found.  NGX_OK is
 * returned in both cases.
 *
 * NOTE(review): the handler's return code is discarded and s.data is
 * dereferenced unconditionally, so this wrapper is only suitable for
 * handlers that always yield a non-NULL, NUL-terminated string - confirm for
 * every handler registered with it.
 */
static ngx_int_t
ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  get = (ngx_ssl_variable_handler_pt) data;

    size_t     n;
    ngx_str_t  value;

    /* not an SSL connection: there is nothing to report */
    if (!r->connection->ssl) {
        v->not_found = 1;
        return NGX_OK;
    }

    /* NULL pool: the handler is expected not to allocate */
    (void) get(r->connection, NULL, &value);

    v->data = value.data;

    /* the handler's length is not used; count bytes up to the NUL */
    n = 0;
    while (v->data[n]) {
        n++;
    }

    v->len = n;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
548 | |
549 | |
/*
 * Variable get-handler for SSL values built by a handler that receives
 * the request pool and reports the result as an ngx_str_t (data + len).
 *
 * "data" carries the ngx_ssl_variable_handler_pt to invoke.
 *
 * Returns NGX_ERROR if the handler fails, NGX_OK otherwise.  The variable
 * is marked not_found when the connection has no SSL or when the resulting
 * length is zero.
 */
static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_str_t                    value;
    ngx_ssl_variable_handler_pt  get;

    get = (ngx_ssl_variable_handler_pt) data;

    if (r->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    if (get(r->connection, r->pool, &value) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = value.len;
    v->data = value.data;

    /* test the stored length, not value.len: v->len is what callers see */

    if (v->len == 0) {
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
580 | |
581 | |
/*
 * Registers every entry of the ngx_http_ssl_vars table as an HTTP variable,
 * copying the entry's get_handler and data into the registered variable.
 * The table is walked until an entry with an empty name is reached.
 *
 * Returns NGX_ERROR as soon as one registration fails, NGX_OK otherwise.
 */
static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_http_variable_t  *added, *entry;

    entry = ngx_http_ssl_vars;

    while (entry->name.len) {

        added = ngx_http_add_variable(cf, &entry->name, entry->flags);

        if (added == NULL) {
            return NGX_ERROR;
        }

        added->get_handler = entry->get_handler;
        added->data = entry->data;

        entry++;
    }

    return NGX_OK;
}
599 | |
600 | |
/*
 * Allocates the per-server SSL configuration from the configuration pool.
 *
 * Fields that accept an explicit zero/NULL setting are initialised to the
 * matching NGX_CONF_UNSET* sentinel, so that ngx_http_ssl_merge_srv_conf()
 * can tell "not configured" apart from a configured value; everything else
 * keeps the zero value supplied by ngx_pcalloc().
 *
 * Returns the new configuration, or NULL if the allocation fails.
 */
static void *
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
{
    ngx_http_ssl_srv_conf_t  *conf;

    conf = ngx_pcalloc(cf->pool, sizeof(*conf));
    if (conf == NULL) {
        return NULL;
    }

    /*
     * left zeroed by ngx_pcalloc():
     *
     *     conf->protocols = 0;
     *     conf->certificate_values = NULL;
     *     conf->dhparam = { 0, NULL };
     *     conf->ecdh_curve = { 0, NULL };
     *     conf->client_certificate = { 0, NULL };
     *     conf->trusted_certificate = { 0, NULL };
     *     conf->crl = { 0, NULL };
     *     conf->ciphers = { 0, NULL };
     *     conf->shm_zone = NULL;
     *     conf->ocsp_responder = { 0, NULL };
     *     conf->stapling_file = { 0, NULL };
     *     conf->stapling_responder = { 0, NULL };
     */

    /* flags and plain values */

    conf->enable = NGX_CONF_UNSET;
    conf->prefer_server_ciphers = NGX_CONF_UNSET;
    conf->early_data = NGX_CONF_UNSET;
    conf->reject_handshake = NGX_CONF_UNSET;
    conf->builtin_session_cache = NGX_CONF_UNSET;
    conf->session_timeout = NGX_CONF_UNSET;
    conf->session_tickets = NGX_CONF_UNSET;
    conf->stapling = NGX_CONF_UNSET;
    conf->stapling_verify = NGX_CONF_UNSET;

    /* sizes and unsigned values */

    conf->buffer_size = NGX_CONF_UNSET_SIZE;
    conf->verify = NGX_CONF_UNSET_UINT;
    conf->verify_depth = NGX_CONF_UNSET_UINT;
    conf->ocsp = NGX_CONF_UNSET_UINT;

    /* pointers */

    conf->certificates = NGX_CONF_UNSET_PTR;
    conf->certificate_keys = NGX_CONF_UNSET_PTR;
    conf->passwords = NGX_CONF_UNSET_PTR;
    conf->conf_commands = NGX_CONF_UNSET_PTR;
    conf->session_ticket_keys = NGX_CONF_UNSET_PTR;
    conf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;

    return conf;
}
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
650 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
651 |
501 | 652 static char * |
653 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
654 { |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
655 ngx_http_ssl_srv_conf_t *prev = parent; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
656 ngx_http_ssl_srv_conf_t *conf = child; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
657 |
563 | 658 ngx_pool_cleanup_t *cln; |
659 | |
4234
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
660 if (conf->enable == NGX_CONF_UNSET) { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
661 if (prev->enable == NGX_CONF_UNSET) { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
662 conf->enable = 0; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
663 |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
664 } else { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
665 conf->enable = prev->enable; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
666 conf->file = prev->file; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
667 conf->line = prev->line; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
668 } |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
669 } |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
670 |
573 | 671 ngx_conf_merge_value(conf->session_timeout, |
672 prev->session_timeout, 300); | |
673 | |
547 | 674 ngx_conf_merge_value(conf->prefer_server_ciphers, |
675 prev->prefer_server_ciphers, 0); | |
676 | |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
677 ngx_conf_merge_value(conf->early_data, prev->early_data, 0); |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
678 ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0); |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
679 |
547 | 680 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
8152
d1cf09451ae8
SSL: enabled TLSv1.3 by default.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8088
diff
changeset
|
681 (NGX_CONF_BITMASK_SET |
d1cf09451ae8
SSL: enabled TLSv1.3 by default.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8088
diff
changeset
|
682 |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1 |
d1cf09451ae8
SSL: enabled TLSv1.3 by default.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8088
diff
changeset
|
683 |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3)); |
547 | 684 |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
685 ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
686 NGX_SSL_BUFSIZE); |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
687 |
2123 | 688 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
689 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); | |
647 | 690 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
691 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
692 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
693 NULL); |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
694 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
695 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
696 |
2044 | 697 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
698 | |
647 | 699 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
700 ""); | |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
701 ngx_conf_merge_str_value(conf->trusted_certificate, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
702 prev->trusted_certificate, ""); |
2995 | 703 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
647 | 704 |
3960 | 705 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
706 NGX_DEFAULT_ECDH_CURVE); | |
707 | |
2124 | 708 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
479 | 709 |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
710 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
711 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
712 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
713 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
714 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
715 prev->ocsp_cache_zone, NULL); |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
716 |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
717 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
718 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
719 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
720 ngx_conf_merge_str_value(conf->stapling_responder, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
721 prev->stapling_responder, ""); |
479 | 722 |
547 | 723 conf->ssl.log = cf->log; |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
724 |
2224 | 725 if (conf->enable) { |
726 | |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
727 if (conf->certificates) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
728 if (conf->certificate_keys == NULL) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
729 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
730 "no \"ssl_certificate_key\" is defined for " |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
731 "the \"ssl\" directive in %s:%ui", |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
732 conf->file, conf->line); |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
733 return NGX_CONF_ERROR; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
734 } |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
735 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
736 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
737 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
738 "no \"ssl_certificate_key\" is defined " |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
739 "for certificate \"%V\" and " |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
740 "the \"ssl\" directive in %s:%ui", |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
741 ((ngx_str_t *) conf->certificates->elts) |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
742 + conf->certificates->nelts - 1, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
743 conf->file, conf->line); |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
744 return NGX_CONF_ERROR; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
745 } |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
746 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
747 } else if (!conf->reject_handshake) { |
2224 | 748 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
749 "no \"ssl_certificate\" is defined for " | |
750 "the \"ssl\" directive in %s:%ui", | |
751 conf->file, conf->line); | |
752 return NGX_CONF_ERROR; | |
753 } | |
754 | |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
755 } else if (conf->certificates) { |
2224 | 756 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
757 if (conf->certificate_keys == NULL |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
758 || conf->certificate_keys->nelts < conf->certificates->nelts) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
759 { |
2224 | 760 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
761 "no \"ssl_certificate_key\" is defined " | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
762 "for certificate \"%V\"", |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
763 ((ngx_str_t *) conf->certificates->elts) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
764 + conf->certificates->nelts - 1); |
2224 | 765 return NGX_CONF_ERROR; |
766 } | |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
767 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
768 } else if (!conf->reject_handshake) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
769 return NGX_CONF_OK; |
2224 | 770 } |
771 | |
969 | 772 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
773 return NGX_CONF_ERROR; |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
774 } |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
775 |
7473
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
776 cln = ngx_pool_cleanup_add(cf->pool, 0); |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
777 if (cln == NULL) { |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
778 ngx_ssl_cleanup_ctx(&conf->ssl); |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
779 return NGX_CONF_ERROR; |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
780 } |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
781 |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
782 cln->handler = ngx_ssl_cleanup_ctx; |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
783 cln->data = &conf->ssl; |
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
784 |
1219 | 785 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
786 | |
787 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | |
788 ngx_http_ssl_servername) | |
789 == 0) | |
790 { | |
3140
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
791 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
3209 | 792 "nginx was built with SNI support, however, now it is linked " |
3140
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
793 "dynamically to an OpenSSL library which has no tlsext support, " |
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
794 "therefore SNI is not available"); |
1219 | 795 } |
796 | |
797 #endif | |
798 | |
5545
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
799 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
800 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL); |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
801 #endif |
01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents:
5504
diff
changeset
|
802 |
7904
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
803 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
804 conf->prefer_server_ciphers) |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
805 != NGX_OK) |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
806 { |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
807 return NGX_CONF_ERROR; |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
808 } |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
809 |
7462
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
810 if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) { |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
811 return NGX_CONF_ERROR; |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
812 } |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
813 |
7462
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
814 if (conf->certificate_values) { |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
815 |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
816 #ifdef SSL_R_CERT_CB_ERROR |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
817 |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
818 /* install callback to lookup certificates */ |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
819 |
7466
48c87377aabd
SSL: fixed possible segfault with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
820 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf); |
7462
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
821 |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
822 #else |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
823 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
824 "variables in " |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
825 "\"ssl_certificate\" and \"ssl_certificate_key\" " |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
826 "directives are not supported on this platform"); |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
827 return NGX_CONF_ERROR; |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
828 #endif |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
829 |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
830 } else if (conf->certificates) { |
7462
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
831 |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
832 /* configure certificates */ |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
833 |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
834 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
835 conf->certificate_keys, conf->passwords) |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
836 != NGX_OK) |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
837 { |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
838 return NGX_CONF_ERROR; |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
839 } |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
840 } |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
841 |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
842 conf->ssl.buffer_size = conf->buffer_size; |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
843 |
647 | 844 if (conf->verify) { |
2123 | 845 |
4884
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
846 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
2123 | 847 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7567
ef7ee19776db
SSL: fixed ssl_verify_client error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7473
diff
changeset
|
848 "no ssl_client_certificate for ssl_verify_client"); |
2123 | 849 return NGX_CONF_ERROR; |
850 } | |
851 | |
671 | 852 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
970 | 853 &conf->client_certificate, |
854 conf->verify_depth) | |
671 | 855 != NGX_OK) |
856 { | |
857 return NGX_CONF_ERROR; | |
647 | 858 } |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
859 } |
2995 | 860 |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
861 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
862 &conf->trusted_certificate, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
863 conf->verify_depth) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
864 != NGX_OK) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
865 { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
866 return NGX_CONF_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
867 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
868 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
869 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
870 return NGX_CONF_ERROR; |
647 | 871 } |
872 | |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
873 if (conf->ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
874 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
875 if (conf->verify == 3) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
876 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
877 "\"ssl_ocsp\" is incompatible with " |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
878 "\"ssl_verify_client optional_no_ca\""); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
879 return NGX_CONF_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
880 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
881 |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
882 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
883 conf->ocsp_cache_zone) |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
884 != NGX_OK) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
885 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
886 return NGX_CONF_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
887 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
888 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
889 |
2044 | 890 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
891 return NGX_CONF_ERROR; | |
892 } | |
893 | |
3960 | 894 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
895 return NGX_CONF_ERROR; | |
896 } | |
897 | |
973 | 898 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 899 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
973 | 900 |
901 if (conf->shm_zone == NULL) { | |
902 conf->shm_zone = prev->shm_zone; | |
903 } | |
904 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
905 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
906 conf->certificates, conf->builtin_session_cache, |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
907 conf->shm_zone, conf->session_timeout) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
908 != NGX_OK) |
973 | 909 { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
910 return NGX_CONF_ERROR; |
973 | 911 } |
573 | 912 |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
913 ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1); |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
914 |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
915 #ifdef SSL_OP_NO_TICKET |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
916 if (!conf->session_tickets) { |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
917 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
918 } |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
919 #endif |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
920 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
921 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
922 prev->session_ticket_keys, NULL); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
923 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
924 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
925 != NGX_OK) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
926 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
927 return NGX_CONF_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
928 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
929 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
930 if (conf->stapling) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
931 |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
932 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
933 &conf->stapling_responder, conf->stapling_verify) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
934 != NGX_OK) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
935 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
936 return NGX_CONF_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
937 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
938 |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
939 } |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
940 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
941 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
942 return NGX_CONF_ERROR; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
943 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
944 |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
945 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
946 return NGX_CONF_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
947 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
948 |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
949 return NGX_CONF_OK; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
950 } |
563 | 951 |
952 | |
7462
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
/*
 * Compile the configured certificate and key names into complex values
 * when at least one of them contains a variable.
 *
 * Returns NGX_OK when no certificates are configured, when no name
 * contains a variable (nothing is allocated in that case), or when every
 * name was compiled.  Returns NGX_ERROR if an array cannot be created or
 * extended, if a value fails to compile, or if the password list cannot
 * be preserved.
 *
 * NOTE(review): conf->certificate_keys is dereferenced without a NULL
 * check and keys[] is indexed up to certificates->nelts.  This relies on
 * the caller having verified that both arrays exist and have the same
 * number of elements -- confirm against the configuration merge handler.
 */
static ngx_int_t
ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
    ngx_http_ssl_srv_conf_t *conf)
{
    ngx_str_t                         *certs, *keys;
    ngx_uint_t                         n, count, dynamic;
    ngx_http_complex_value_t          *compiled;
    ngx_http_compile_complex_value_t   ccv;

    if (conf->certificates == NULL) {
        return NGX_OK;
    }

    certs = conf->certificates->elts;
    keys = conf->certificate_keys->elts;
    count = conf->certificates->nelts;

    /* look for the first certificate or key name that uses a variable */

    dynamic = 0;

    for (n = 0; n < count; n++) {

        if (ngx_http_script_variables_count(&certs[n])
            || ngx_http_script_variables_count(&keys[n]))
        {
            dynamic = 1;
            break;
        }
    }

    if (!dynamic) {
        /* only static names: the complex value arrays are left untouched */
        return NGX_OK;
    }

    /* one complex value per configured certificate and per configured key */

    conf->certificate_values = ngx_array_create(cf->pool, count,
                                            sizeof(ngx_http_complex_value_t));
    if (conf->certificate_values == NULL) {
        return NGX_ERROR;
    }

    conf->certificate_key_values = ngx_array_create(cf->pool, count,
                                            sizeof(ngx_http_complex_value_t));
    if (conf->certificate_key_values == NULL) {
        return NGX_ERROR;
    }

    for (n = 0; n < count; n++) {

        /* certificate name */

        compiled = ngx_array_push(conf->certificate_values);
        if (compiled == NULL) {
            return NGX_ERROR;
        }

        ngx_memzero(&ccv, sizeof(ccv));

        ccv.cf = cf;
        ccv.value = &certs[n];
        ccv.complex_value = compiled;
        /*
         * presumably requests a NUL-terminated result because the value
         * is later used as a file name -- confirm
         */
        ccv.zero = 1;

        if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
            return NGX_ERROR;
        }

        /* matching key name, compiled with the same settings */

        compiled = ngx_array_push(conf->certificate_key_values);
        if (compiled == NULL) {
            return NGX_ERROR;
        }

        ngx_memzero(&ccv, sizeof(ccv));

        ccv.cf = cf;
        ccv.value = &keys[n];
        ccv.complex_value = compiled;
        ccv.zero = 1;

        if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
            return NGX_ERROR;
        }
    }

    /*
     * NOTE(review): presumably keeps the key passphrases available after
     * configuration parsing, since certificates named with variables are
     * loaded later.  Confirm how long ngx_ssl_preserve_passwords() retains
     * them and how they are released.
     */

    conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
    if (conf->passwords == NULL) {
        return NGX_ERROR;
    }

    return NGX_OK;
}
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
1039 |
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
1040 |
/*
 * Directive handler: stores the flag through ngx_conf_set_flag_slot() and,
 * on success, records the configuration file name and line where the
 * directive appeared.
 *
 * Returns whatever ngx_conf_set_flag_slot() returned; the file and line
 * fields are only written when that is NGX_CONF_OK.
 *
 * NOTE(review): how sscf->file and sscf->line are consumed is not visible
 * in this function -- presumably for diagnostics that point back at the
 * directive; confirm.
 */
static char *
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    char                     *rc;
    ngx_http_ssl_srv_conf_t  *srv;

    srv = conf;

    rc = ngx_conf_set_flag_slot(cf, cmd, conf);

    if (rc == NGX_CONF_OK) {
        /* remember where the directive was set */
        srv->file = cf->conf_file->file.name.data;
        srv->line = cf->conf_file->line;
    }

    return rc;
}
1059 | |
1060 | |
/*
 * Directive handler: loads the password list from the file named by the
 * directive's first argument into sscf->passwords.
 *
 * Returns "is duplicate" when passwords were already set at this level,
 * NGX_CONF_ERROR when ngx_ssl_read_password_file() returns NULL, and
 * NGX_CONF_OK otherwise.
 *
 * NOTE(review): this handler itself does not check the ownership or
 * permissions of the password file; whether ngx_ssl_read_password_file()
 * does is not visible here.  The file holds secrets, so its access mode
 * is worth verifying at deployment.
 */
static char *
ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_str_t                *args;
    ngx_http_ssl_srv_conf_t  *srv;

    srv = conf;

    /* the directive may appear only once per configuration level */
    if (srv->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    /* args[0] is the directive name, args[1] the file name */
    args = cf->args->elts;

    srv->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    if (srv->passwords != NULL) {
        return NGX_CONF_OK;
    }

    return NGX_CONF_ERROR;
}
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1082 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1083 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
/*
 * Configuration handler for the "ssl_session_cache" directive.
 *
 * Every argument after the directive name is examined in turn:
 *
 *   off                   builtin_session_cache = NGX_SSL_NO_SCACHE
 *   none                  builtin_session_cache = NGX_SSL_NONE_SCACHE
 *   builtin               builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE
 *   builtin:<number>      builtin_session_cache = <number>
 *   shared:<name>:<size>  shared memory zone <name> of <size> bytes
 *
 * Any other argument, an empty zone name, a missing ":<size>" part or a
 * value the number/size parsers reject produces an "invalid session cache"
 * message.  A shared zone smaller than eight pages is rejected as too small.
 *
 * Returns NGX_CONF_OK on success; NGX_CONF_ERROR after logging at
 * NGX_LOG_EMERG, or when ngx_shared_memory_add() returns NULL.
 */
static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    const size_t  builtin_len = sizeof("builtin:") - 1;
    const size_t  shared_len = sizeof("shared:") - 1;

    size_t       len;
    ngx_str_t   *value, *arg, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        arg = &value[i];

        if (ngx_strcmp(arg->data, "off") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;

        } else if (ngx_strcmp(arg->data, "none") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;

        } else if (ngx_strcmp(arg->data, "builtin") == 0) {
            sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;

        } else if (arg->len > builtin_len
                   && ngx_strncmp(arg->data, "builtin:", builtin_len) == 0)
        {
            /* the length test guarantees at least one byte after the prefix */
            n = ngx_atoi(arg->data + builtin_len, arg->len - builtin_len);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            sscf->builtin_session_cache = n;

        } else if (arg->len > shared_len
                   && ngx_strncmp(arg->data, "shared:", shared_len) == 0)
        {
            /* the zone name runs from the prefix up to the next ':' */
            j = shared_len;

            while (j < arg->len && arg->data[j] != ':') {
                j++;
            }

            len = j - shared_len;

            /*
             * An empty name, or no ':' before the end of the argument
             * (so no size part at all), is a configuration error; this
             * also keeps the size.len subtraction below from wrapping.
             */
            if (len == 0 || j == arg->len) {
                goto invalid;
            }

            name.len = len;
            name.data = arg->data + shared_len;

            /* everything after the second ':' is the size */
            size.len = arg->len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            /* enforce a floor of eight pages for the zone */
            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_http_ssl_module);
            if (sscf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            sscf->shm_zone->init = ngx_ssl_session_cache_init;

        } else {
            goto invalid;
        }
    }

    /*
     * A shared zone was configured and no builtin mode was given:
     * record that the builtin cache is not to be used.
     */
    if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
        sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    /* i still indexes the argument that failed to parse */
    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}
1194 |
1195 |
/*
 * Configuration handler for the "ssl_ocsp_cache" directive.
 *
 * Only the first argument is examined.  It is either "off", which stores
 * NULL in ocsp_cache_zone, or "shared:<name>:<size>", which registers a
 * shared memory zone <name> of <size> bytes and installs
 * ngx_ssl_ocsp_cache_init as its init callback.
 *
 * Returns NGX_CONF_OK on success, the string "is duplicate" when
 * ocsp_cache_zone has already been set, and NGX_CONF_ERROR after logging
 * at NGX_LOG_EMERG for a malformed or too small value (or when
 * ngx_shared_memory_add() returns NULL).
 */
static char *
ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    const size_t  shared_len = sizeof("shared:") - 1;

    size_t       len;
    ngx_int_t    n;
    ngx_str_t   *value, *arg, name, size;
    ngx_uint_t   j;

    /* a value other than the "unset" marker means the directive ran before */
    if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    value = cf->args->elts;
    arg = &value[1];

    if (ngx_strcmp(arg->data, "off") == 0) {
        sscf->ocsp_cache_zone = NULL;
        return NGX_CONF_OK;
    }

    /* anything else must be "shared:" followed by at least one byte */
    if (!(arg->len > shared_len
          && ngx_strncmp(arg->data, "shared:", shared_len) == 0))
    {
        goto invalid;
    }

    /* the zone name runs from the prefix up to the next ':' */
    j = shared_len;

    while (j < arg->len && arg->data[j] != ':') {
        j++;
    }

    len = j - shared_len;

    /*
     * An empty name, or no ':' before the end of the argument (so no size
     * part at all), is a configuration error; this also keeps the size.len
     * subtraction below from wrapping.
     */
    if (len == 0 || j == arg->len) {
        goto invalid;
    }

    name.len = len;
    name.data = arg->data + shared_len;

    /* everything after the second ':' is the size */
    size.len = arg->len - j - 1;
    size.data = name.data + len + 1;

    n = ngx_parse_size(&size);

    if (n == NGX_ERROR) {
        goto invalid;
    }

    /* enforce a floor of eight pages for the zone */
    if (n < (ngx_int_t) (8 * ngx_pagesize)) {
        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                           "OCSP cache \"%V\" is too small", &value[1]);

        return NGX_CONF_ERROR;
    }

    /*
     * NOTE(review): the zone tag here is &ngx_http_ssl_module_ctx, while the
     * session cache handler in this file passes &ngx_http_ssl_module;
     * presumably the distinct tag keeps an OCSP zone and a session cache
     * zone from being shared under one name -- confirm against
     * ngx_shared_memory_add().
     */
    sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n,
                                                  &ngx_http_ssl_module_ctx);
    if (sscf->ocsp_cache_zone == NULL) {
        return NGX_CONF_ERROR;
    }

    sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init;

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid OCSP cache \"%V\"", &value[1]);

    return NGX_CONF_ERROR;
}
1273 |
1274 |
/*
 * Build-time availability check associated with the "ssl_conf_command"
 * directive (the signature looks like a post-handler; confirm at the
 * point where it is registered).
 *
 * None of the arguments is used.  When the SSL library headers define
 * SSL_CONF_FLAG_FILE the check succeeds with NGX_CONF_OK; otherwise it
 * returns the string "is not supported on this platform", so the
 * directive is refused instead of being silently ignored.
 */
static char *
ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
    /*
     * Exactly one return statement is compiled in either case, so no
     * unreachable statement is left behind (presumably what the Sun C
     * build fix for old OpenSSL versions was about).
     */
#ifdef SSL_CONF_FLAG_FILE
    return NGX_CONF_OK;
#else
    return "is not supported on this platform";
#endif
}
1284 |
1285 |
1286 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1287 ngx_http_ssl_init(ngx_conf_t *cf) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1288 { |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1289 ngx_uint_t a, p, s; |
8481
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
diff
changeset
|
1290 const char *name; |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1291 ngx_http_conf_addr_t *addr; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1292 ngx_http_conf_port_t *port; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1293 ngx_http_ssl_srv_conf_t *sscf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1294 ngx_http_core_loc_conf_t *clcf; |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1295 ngx_http_core_srv_conf_t **cscfp, *cscf; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1296 ngx_http_core_main_conf_t *cmcf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1297 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1298 cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1299 cscfp = cmcf->servers.elts; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1300 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1301 for (s = 0; s < cmcf->servers.nelts; s++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1302 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1303 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1304 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1305 if (sscf->ssl.ctx == NULL) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1306 continue; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1307 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1308 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1309 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1310 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1311 if (sscf->stapling) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1312 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1313 clcf->resolver_timeout) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1314 != NGX_OK) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1315 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1316 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1317 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1318 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1319 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1320 if (sscf->ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1321 if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver, |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1322 clcf->resolver_timeout) |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1323 != NGX_OK) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1324 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1325 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
1326 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1327 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1328 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
1329 |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1330 if (cmcf->ports == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1331 return NGX_OK; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1332 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1333 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1334 port = cmcf->ports->elts; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1335 for (p = 0; p < cmcf->ports->nelts; p++) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1336 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1337 addr = port[p].addrs.elts; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1338 for (a = 0; a < port[p].addrs.nelts; a++) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1339 |
9081
c851a2ed5ce8
HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents:
9080
diff
changeset
|
1340 if (!addr[a].opt.ssl && !addr[a].opt.quic) { |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1341 continue; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1342 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1343 |
9081
c851a2ed5ce8
HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents:
9080
diff
changeset
|
1344 if (addr[a].opt.quic) { |
c851a2ed5ce8
HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents:
9080
diff
changeset
|
1345 name = "quic"; |
8481
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
diff
changeset
|
1346 |
9080
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
9035
diff
changeset
|
1347 #if (NGX_QUIC_OPENSSL_COMPAT) |
9083
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
diff
changeset
|
1348 if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) { |
9080
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
9035
diff
changeset
|
1349 return NGX_ERROR; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
9035
diff
changeset
|
1350 } |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
9035
diff
changeset
|
1351 #endif |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
9035
diff
changeset
|
1352 |
8481
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
diff
changeset
|
1353 } else { |
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
diff
changeset
|
1354 name = "ssl"; |
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
diff
changeset
|
1355 } |
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
diff
changeset
|
1356 |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1357 cscf = addr[a].default_server; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1358 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
1359 |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1360 if (sscf->certificates) { |
8869
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1361 |
9081
c851a2ed5ce8
HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents:
9080
diff
changeset
|
1362 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { |
8869
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1363 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1364 "\"ssl_protocols\" must enable TLSv1.3 for " |
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1365 "the \"listen ... %s\" directive in %s:%ui", |
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1366 name, cscf->file_name, cscf->line); |
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1367 return NGX_ERROR; |
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1368 } |
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1369 |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1370 continue; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1371 } |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1372 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1373 if (!sscf->reject_handshake) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1374 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1375 "no \"ssl_certificate\" is defined for " |
8869
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1376 "the \"listen ... %s\" directive in %s:%ui", |
e5a17d6041bd
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8839
diff
changeset
|
1377 name, cscf->file_name, cscf->line); |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1378 return NGX_ERROR; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1379 } |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1380 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1381 /* |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1382 * if no certificates are defined in the default server, |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1383 * check all non-default server blocks |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1384 */ |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1385 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1386 cscfp = addr[a].servers.elts; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1387 for (s = 0; s < addr[a].servers.nelts; s++) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1388 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1389 cscf = cscfp[s]; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1390 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1391 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1392 if (sscf->certificates || sscf->reject_handshake) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1393 continue; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1394 } |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
1395 |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
1396 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
1397 "no \"ssl_certificate\" is defined for " |
8481
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
1398 "the \"listen ... %s\" directive in %s:%ui", |
0d2b2664b41c
QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents:
8411
1399 name, cscf->file_name, cscf->line); |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
1400 return NGX_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
1401 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
1402 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
1403 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
1404 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
1405 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
1406 } |
9083
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
1407 |
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
1408 |
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
1409 #if (NGX_QUIC_OPENSSL_COMPAT) |
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
1410 |
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
/*
 * Set up the QUIC OpenSSL compatibility layer on the SSL context of every
 * server attached to the given listen address.
 *
 * Only servers whose SSL configuration has certificates, or has
 * reject_handshake set, are passed to ngx_quic_compat_init(); all other
 * servers are skipped (presumably because no usable SSL context exists for
 * them -- confirm against the srv_conf merge code, which is not shown here).
 *
 * Returns NGX_OK when every eligible server was initialized, or NGX_ERROR
 * as soon as ngx_quic_compat_init() reports a failure.
 */
static ngx_int_t
ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
{
    ngx_uint_t                   i;
    ngx_http_ssl_srv_conf_t     *ssl_conf;
    ngx_http_core_srv_conf_t   **servers;

    servers = addr->servers.elts;

    for (i = 0; i < addr->servers.nelts; i++) {

        ssl_conf = servers[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

        /* same eligibility test as the certificate check on listen sockets */

        if (!ssl_conf->certificates && !ssl_conf->reject_handshake) {
            continue;
        }

        if (ngx_quic_compat_init(cf, ssl_conf->ssl.ctx) != NGX_OK) {
            return NGX_ERROR;
        }
    }

    return NGX_OK;
}
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
1433 |
5fd628b89bb7
HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9081
1434 #endif |