Mercurial > hg > nginx
annotate src/event/ngx_event_openssl.h @ 8086:496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
OpenSSL with TLSv1.3 updates the session creation time on session
resumption and keeps the session timeout unmodified, making it possible
to maintain the session forever, bypassing client certificate expiration
and revocation. To make sure session timeouts are actually used, we
now update the session creation time and reduce the session timeout
accordingly.
BoringSSL with TLSv1.3 ignores configured session timeouts and uses a
hardcoded timeout instead, 7 days. So we update session timeout to
the configured value as soon as a session is created.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 12 Oct 2022 20:14:57 +0300 |
parents | 043006e5a0b1 |
children | 3be953161026 |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
5 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
6 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
7 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_ |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #define _NGX_EVENT_OPENSSL_H_INCLUDED_ |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
10 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
12 #include <ngx_config.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
13 #include <ngx_core.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
14 |
7898
8f7107617550
SSL: silenced warnings when building with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
15 #define OPENSSL_SUPPRESS_DEPRECATED |
8f7107617550
SSL: silenced warnings when building with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
16 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
17 #include <openssl/ssl.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
18 #include <openssl/err.h> |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
19 #include <openssl/bn.h> |
968 | 20 #include <openssl/conf.h> |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
21 #include <openssl/crypto.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
22 #include <openssl/dh.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
23 #ifndef OPENSSL_NO_ENGINE |
541 | 24 #include <openssl/engine.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
25 #endif |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
26 #include <openssl/evp.h> |
7132
8076ba459f05
SSL: include <openssl/hmac.h>.
Alessandro Ghedini <alessandro@ghedini.me>
parents:
7091
diff
changeset
|
27 #include <openssl/hmac.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
28 #ifndef OPENSSL_NO_OCSP |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
29 #include <openssl/ocsp.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
30 #endif |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
31 #include <openssl/rand.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
32 #include <openssl/x509.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
33 #include <openssl/x509v3.h> |
541 | 34 |
547 | 35 #define NGX_SSL_NAME "OpenSSL" |
36 | |
37 | |
6485
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
38 #if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L) |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
39 #undef OPENSSL_VERSION_NUMBER |
7337
cab37803ebb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
40 #if (LIBRESSL_VERSION_NUMBER >= 0x2080000fL) |
cab37803ebb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
41 #define OPENSSL_VERSION_NUMBER 0x1010000fL |
cab37803ebb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
42 #else |
6485
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
43 #define OPENSSL_VERSION_NUMBER 0x1000107fL |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
44 #endif |
7337
cab37803ebb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
45 #endif |
6485
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
46 |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
47 |
6492
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
48 #if (OPENSSL_VERSION_NUMBER >= 0x10100001L) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
49 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
50 #define ngx_ssl_version() OpenSSL_version(OPENSSL_VERSION) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
51 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
52 #else |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
53 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
54 #define ngx_ssl_version() SSLeay_version(SSLEAY_VERSION) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
55 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
56 #endif |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
57 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
58 |
671 | 59 #define ngx_ssl_session_t SSL_SESSION |
60 #define ngx_ssl_conn_t SSL | |
61 | |
62 | |
6982
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
63 #if (OPENSSL_VERSION_NUMBER < 0x10002000L) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
64 #define SSL_is_server(s) (s)->server |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
65 #endif |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
66 |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
67 |
7895
8ebda26e4f98
SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
68 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined SSL_get_peer_certificate) |
8ebda26e4f98
SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
69 #define SSL_get_peer_certificate(s) SSL_get1_peer_certificate(s) |
8ebda26e4f98
SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
70 #endif |
8ebda26e4f98
SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
71 |
8ebda26e4f98
SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
72 |
7897
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7895
diff
changeset
|
73 #if (OPENSSL_VERSION_NUMBER < 0x30000000L && !defined ERR_peek_error_data) |
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7895
diff
changeset
|
74 #define ERR_peek_error_data(d, f) ERR_peek_error_line_data(NULL, NULL, d, f) |
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7895
diff
changeset
|
75 #endif |
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7895
diff
changeset
|
76 |
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7895
diff
changeset
|
77 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
78 typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
79 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
80 |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
81 struct ngx_ssl_s { |
547 | 82 SSL_CTX *ctx; |
83 ngx_log_t *log; | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
84 size_t buffer_size; |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
85 }; |
541 | 86 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
87 |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
88 struct ngx_ssl_connection_s { |
671 | 89 ngx_ssl_conn_t *connection; |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5882
diff
changeset
|
90 SSL_CTX *session_ctx; |
647 | 91 |
547 | 92 ngx_int_t last; |
93 ngx_buf_t *buf; | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
94 size_t buffer_size; |
547 | 95 |
96 ngx_connection_handler_pt handler; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
97 |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7132
diff
changeset
|
98 ngx_ssl_session_t *session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7132
diff
changeset
|
99 ngx_connection_handler_pt save_session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7132
diff
changeset
|
100 |
547 | 101 ngx_event_handler_pt saved_read_handler; |
102 ngx_event_handler_pt saved_write_handler; | |
479 | 103 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
104 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
105 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7337
diff
changeset
|
106 u_char early_buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7337
diff
changeset
|
107 |
547 | 108 unsigned handshaked:1; |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
109 unsigned handshake_rejected:1; |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3154
diff
changeset
|
110 unsigned renegotiation:1; |
547 | 111 unsigned buffer:1; |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7935
diff
changeset
|
112 unsigned sendfile:1; |
547 | 113 unsigned no_wait_shutdown:1; |
114 unsigned no_send_shutdown:1; | |
7871
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7732
diff
changeset
|
115 unsigned shutdown_without_free:1; |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5223
diff
changeset
|
116 unsigned handshake_buffer_set:1; |
8086
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
117 unsigned session_timeout_set:1; |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7337
diff
changeset
|
118 unsigned try_early_data:1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7337
diff
changeset
|
119 unsigned in_early:1; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
120 unsigned in_ocsp:1; |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7337
diff
changeset
|
121 unsigned early_preread:1; |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7357
diff
changeset
|
122 unsigned write_blocked:1; |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
123 }; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
124 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
125 |
2032 | 126 #define NGX_SSL_NO_SCACHE -2 |
127 #define NGX_SSL_NONE_SCACHE -3 | |
128 #define NGX_SSL_NO_BUILTIN_SCACHE -4 | |
129 #define NGX_SSL_DFLT_BUILTIN_SCACHE -5 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
130 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
131 |
1778 | 132 #define NGX_SSL_MAX_SESSION_SIZE 4096 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
133 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
134 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
135 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
136 struct ngx_ssl_sess_id_s { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
137 ngx_rbtree_node_t node; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
138 size_t len; |
1760 | 139 ngx_queue_t queue; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
140 time_t expire; |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
141 u_char id[32]; |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
142 #if (NGX_PTR_SIZE == 8) |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
143 u_char *session; |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
144 #else |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
145 u_char session[1]; |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
146 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
147 }; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
148 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
149 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
150 typedef struct { |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
151 u_char name[16]; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
152 u_char hmac_key[32]; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
153 u_char aes_key[32]; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
154 time_t expire; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
155 unsigned size:8; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
156 unsigned shared:1; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
157 } ngx_ssl_ticket_key_t; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
158 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
159 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
160 typedef struct { |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
161 ngx_rbtree_t session_rbtree; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
162 ngx_rbtree_node_t sentinel; |
1760 | 163 ngx_queue_t expire_queue; |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
164 ngx_ssl_ticket_key_t ticket_keys[3]; |
8075
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
165 time_t fail_time; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
166 } ngx_ssl_session_cache_t; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
167 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
168 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
169 #define NGX_SSL_SSLv2 0x0002 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
170 #define NGX_SSL_SSLv3 0x0004 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
171 #define NGX_SSL_TLSv1 0x0008 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
172 #define NGX_SSL_TLSv1_1 0x0010 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
173 #define NGX_SSL_TLSv1_2 0x0020 |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
174 #define NGX_SSL_TLSv1_3 0x0040 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
175 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
176 |
547 | 177 #define NGX_SSL_BUFFER 1 |
577 | 178 #define NGX_SSL_CLIENT 2 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
179 |
547 | 180 #define NGX_SSL_BUFSIZE 16384 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
181 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
182 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
183 ngx_int_t ngx_ssl_init(ngx_log_t *log); |
969 | 184 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7431
diff
changeset
|
185 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
186 ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
187 ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords); |
563 | 188 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
189 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7431
diff
changeset
|
190 ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7431
diff
changeset
|
191 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7431
diff
changeset
|
192 |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6550
diff
changeset
|
193 ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6550
diff
changeset
|
194 ngx_uint_t prefer_server_ciphers); |
647 | 195 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
671 | 196 ngx_str_t *cert, ngx_int_t depth); |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
197 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
198 ngx_str_t *cert, ngx_int_t depth); |
2995 | 199 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
200 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
201 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
202 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
203 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
204 ngx_int_t ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
205 ngx_uint_t depth, ngx_shm_zone_t *shm_zone); |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
206 ngx_int_t ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
207 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); |
8080 | 208 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
209 ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
210 ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
211 void ngx_ssl_ocsp_cleanup(ngx_connection_t *c); |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
212 ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data); |
8080 | 213 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
214 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
215 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf, |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
216 ngx_array_t *passwords); |
2044 | 217 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); |
3960 | 218 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
219 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
220 ngx_uint_t enable); |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
221 ngx_int_t ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
222 ngx_array_t *commands); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
223 |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7132
diff
changeset
|
224 ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7132
diff
changeset
|
225 ngx_uint_t enable); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
226 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
227 ngx_array_t *certificates, ssize_t builtin_session_cache, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
228 ngx_shm_zone_t *shm_zone, time_t timeout); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
229 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
230 ngx_array_t *paths); |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
231 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
232 |
547 | 233 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, |
543 | 234 ngx_uint_t flags); |
577 | 235 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
236 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
577 | 237 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7132
diff
changeset
|
238 ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7132
diff
changeset
|
239 ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c); |
611 | 240 #define ngx_ssl_free_session SSL_SESSION_free |
969 | 241 #define ngx_ssl_get_connection(ssl_conn) \ |
242 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) | |
243 #define ngx_ssl_get_server_conf(ssl_ctx) \ | |
244 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) | |
611 | 245 |
4884
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
246 #define ngx_ssl_verify_error_optional(n) \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
247 (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
248 || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
249 || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
250 || n == X509_V_ERR_CERT_UNTRUSTED \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
251 || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
252 |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
253 ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
254 |
611 | 255 |
671 | 256 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, |
257 ngx_str_t *s); | |
258 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, | |
259 ngx_str_t *s); | |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
260 ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
261 ngx_str_t *s); |
7973
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
262 ngx_int_t ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
263 ngx_str_t *s); |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
264 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
265 ngx_str_t *s); |
3154 | 266 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, |
267 ngx_str_t *s); | |
5573
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5487
diff
changeset
|
268 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5487
diff
changeset
|
269 ngx_str_t *s); |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
270 ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
271 ngx_str_t *s); |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
272 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
273 ngx_str_t *s); |
7935
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7900
diff
changeset
|
274 ngx_int_t ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7900
diff
changeset
|
275 ngx_str_t *s); |
2123 | 276 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
277 ngx_str_t *s); | |
2045 | 278 ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
279 ngx_str_t *s); | |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6982
diff
changeset
|
280 ngx_int_t ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6982
diff
changeset
|
281 ngx_str_t *s); |
647 | 282 ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, |
283 ngx_str_t *s); | |
284 ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, | |
285 ngx_str_t *s); | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
286 ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
287 ngx_str_t *s); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
288 ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
289 ngx_str_t *s); |
671 | 290 ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, |
291 ngx_str_t *s); | |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5661
diff
changeset
|
292 ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5661
diff
changeset
|
293 ngx_str_t *s); |
2994 | 294 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, |
295 ngx_str_t *s); | |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
296 ngx_int_t ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
297 ngx_str_t *s); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
298 ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
299 ngx_str_t *s); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
300 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
301 ngx_str_t *s); |
671 | 302 |
647 | 303 |
547 | 304 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); |
469 | 305 ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size); |
539 | 306 ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5777
diff
changeset
|
307 ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
308 ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, |
489 | 309 off_t limit); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
310 void ngx_ssl_free_buffer(ngx_connection_t *c); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
311 ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); |
583 | 312 void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, |
489 | 313 char *fmt, ...); |
509 | 314 void ngx_ssl_cleanup_ctx(void *data); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
315 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
316 |
969 | 317 extern int ngx_ssl_connection_index; |
318 extern int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
319 extern int ngx_ssl_session_cache_index; |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
320 extern int ngx_ssl_ticket_keys_index; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7612
diff
changeset
|
321 extern int ngx_ssl_ocsp_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
322 extern int ngx_ssl_certificate_index; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6492
diff
changeset
|
323 extern int ngx_ssl_next_certificate_index; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
324 extern int ngx_ssl_certificate_name_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
325 extern int ngx_ssl_stapling_index; |
671 | 326 |
327 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
328 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */ |