nginx-0.3.45-RELEASE import
*) Feature: the "ssl_verify_client", "ssl_verify_depth", and
"ssl_client_certificate" directives.
*) Change: the $request_method variable now returns the main request
method.
*) Change: the ° symbol codes were changed in koi-win conversion
table.
*) Feature: the euro and N symbols were added to koi-win conversion
table.
*) Bugfix: if nginx distributed the requests among several backends and
some backend failed, then requests intended for this backend were
directed to one live backend only instead of being distributed among
the rest.
author | Igor Sysoev <igor@sysoev.ru> |
date | Sat, 06 May 2006 16:28:56 +0000 |
parents | e60fe4cf1d4e |
children | 63a820b0bc6c |
1 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4 */ |
5 |
6 |
7 #include <ngx_config.h> |
8 #include <ngx_core.h> |
9 #include <ngx_http.h> |
10 |
573 | 11 |
/* accessor that turns a connection into a NUL-terminated string, see ngx_http_ssl_vars */
typedef u_char *(*ngx_ssl_variable_handler_pt)(ngx_connection_t *);


/*
 * Defaults applied by ngx_http_ssl_merge_srv_conf() when the matching
 * directive is absent.  The macro names keep the historical "DEFLAUT"
 * spelling; renaming them would touch every user.
 *
 * NOTE(review): the default cipher string starts from ALL and only
 * demotes (the "+" prefix lowers preference, it does not remove) the
 * LOW, SSLv2 and EXP suites, so they stay negotiable unless
 * "ssl_ciphers" is set explicitly.
 */
#define NGX_DEFLAUT_CERTIFICATE      "cert.pem"
#define NGX_DEFLAUT_CERTIFICATE_KEY  "cert.pem"
#define NGX_DEFLAUT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"


/* $ssl_protocol / $ssl_cipher getter; "data" is an ngx_ssl_variable_handler_pt */
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

/* $ssl_client_s_dn and $ssl_client_i_dn getters (client certificate DNs) */
static ngx_int_t ngx_http_ssl_client_s_dn(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_client_i_dn(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

/* preconfiguration hook: registers ngx_http_ssl_vars */
static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);

/* server-level configuration lifecycle */
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
    void *parent, void *child);

#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE)

/* set handler that rejects a directive the linked OpenSSL cannot honour */
static char *ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

/* passed as cmd->post so the rejection message can name the required version */
static char ngx_http_ssl_openssl097[] = "OpenSSL 0.9.7 and higher";

#endif
41 |
/*
 * Values accepted by "ssl_protocols"; the empty-name entry terminates the
 * table.  NOTE(review): SSLv2 is both selectable here and part of the
 * default protocol mask in ngx_http_ssl_merge_srv_conf().
 */
static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_null_string, 0 }
};
48 | |
49 | |
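/*
 * Module directives.  Every directive is valid in http{} and server{}
 * and stores into ngx_http_ssl_srv_conf_t at the given offset.
 *
 * "ssl_verify_client" and "ssl_verify_depth" were declared NGX_CONF_1MORE
 * even though ngx_conf_set_flag_slot / ngx_conf_set_num_slot read a single
 * value (compare "ssl" and "ssl_session_timeout"); NGX_CONF_1MORE admits
 * additional tokens the handlers never look at.  They are now NGX_CONF_FLAG
 * and NGX_CONF_TAKE1 so a malformed line is rejected when the configuration
 * is parsed instead of being partially honoured.
 */
static ngx_command_t  ngx_http_ssl_commands[] = {

    { ngx_string("ssl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, enable),
      NULL },

    { ngx_string("ssl_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
      NULL },

    { ngx_string("ssl_protocols"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, protocols),
      &ngx_http_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ciphers),
      NULL },

    /* boolean: a single on/off token, like "ssl" above */
    { ngx_string("ssl_verify_client"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify),
      NULL },

    /* one numeric argument, consumed by ngx_conf_set_num_slot */
    { ngx_string("ssl_verify_depth"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
      NULL },

    /* trust anchors for client certificate verification */
    { ngx_string("ssl_client_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
      NULL },

    /* only usable when the linked OpenSSL defines the option */
    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
      NULL },
#else
      ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 },
#endif

    { ngx_string("ssl_session_timeout"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
      NULL },

      ngx_null_command
};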
/*
 * HTTP-module hook table.  Only variable registration (preconfiguration)
 * and the server-level configuration pair are provided; there is no main
 * or location configuration.
 */
static ngx_http_module_t  ngx_http_ssl_module_ctx = {
    ngx_http_ssl_add_variables,            /* preconfiguration */
    NULL,                                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_http_ssl_create_srv_conf,          /* create server configuration */
    ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

    NULL,                                  /* create location configuration */
    NULL                                   /* merge location configuration */
};
/*
 * Module descriptor.  No master/module/process/thread lifecycle hooks are
 * installed; all work happens at configuration merge time.
 */
ngx_module_t  ngx_http_ssl_module = {
    NGX_MODULE_V1,
    &ngx_http_ssl_module_ctx,              /* module context */
    ngx_http_ssl_commands,                 /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
/*
 * Variables registered by ngx_http_ssl_add_variables(), which copies
 * name, flags, get_handler and data from each entry.  The NULL second
 * field is presumably the set handler (none of these are assignable).
 * $ssl_protocol and $ssl_cipher share one getter and pass the ngx_ssl_*
 * accessor as "data"; the DN getters take no data.  An empty name ends
 * the table.
 */
static ngx_http_variable_t  ngx_http_ssl_vars[] = {

    { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_client_s_dn,
      0, NGX_HTTP_VAR_CHANGABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_client_i_dn,
      0, NGX_HTTP_VAR_CHANGABLE, 0 },

    { ngx_null_string, NULL, NULL, 0, 0, 0 }
};
177 | |
178 | |
/* session-id context handed to SSL_CTX_set_session_id_context(); the caller passes sizeof - 1 to drop the NUL */
static u_char  ngx_http_session_id_ctx[] = "HTTP";
180 | |
181 | |
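/*
 * Getter for $ssl_protocol and $ssl_cipher.
 *
 * "data" carries an ngx_ssl_variable_handler_pt which, given the
 * connection, returns a NUL-terminated string.  The variable is marked
 * not found when the connection is not an SSL one, or when the handler
 * yields no string; the latter case previously walked a NULL pointer
 * while measuring the length.
 *
 * Returns NGX_OK in all cases.
 */
static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    u_char  *name;

    if (r->connection->ssl) {

        name = handler(r->connection);

        /* guard the accessor result before measuring it */
        if (name != NULL) {
            v->len = ngx_strlen(name);
            v->valid = 1;
            v->no_cachable = 0;
            v->not_found = 0;
            v->data = name;

            return NGX_OK;
        }
    }

    v->not_found = 1;

    return NGX_OK;
}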
210 | |
211 | |
/*
 * Getter for $ssl_client_s_dn, the subject DN of the client certificate.
 *
 * Not found on a non-SSL connection or when the DN comes back empty;
 * NGX_ERROR only if ngx_ssl_get_subject_dn() itself fails.
 *
 * NOTE(review): the value is passed to the accessor punned as an
 * ngx_str_t, which relies on the two structs sharing the layout of their
 * leading length word — worth confirming on targets where sizeof(size_t)
 * differs from the bitfield's storage unit.
 */
static ngx_int_t
ngx_http_ssl_client_s_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_int_t  rc;

    if (!r->connection->ssl) {
        v->not_found = 1;
        return NGX_OK;
    }

    rc = ngx_ssl_get_subject_dn(r->connection, r->pool, (ngx_str_t *) v);
    if (rc != NGX_OK) {
        return NGX_ERROR;
    }

    if (v->len == 0) {
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cachable = 0;
    v->not_found = 0;

    return NGX_OK;
}
236 | |
237 | |
/*
 * Getter for $ssl_client_i_dn, the issuer DN of the client certificate.
 *
 * Mirrors ngx_http_ssl_client_s_dn(): not found on a non-SSL connection
 * or for an empty DN, NGX_ERROR only if ngx_ssl_get_issuer_dn() fails.
 *
 * NOTE(review): same ngx_str_t punning of the variable value as in the
 * subject getter — confirm the layout assumption holds on every target.
 */
static ngx_int_t
ngx_http_ssl_client_i_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_int_t  rc;

    if (!r->connection->ssl) {
        v->not_found = 1;
        return NGX_OK;
    }

    rc = ngx_ssl_get_issuer_dn(r->connection, r->pool, (ngx_str_t *) v);
    if (rc != NGX_OK) {
        return NGX_ERROR;
    }

    if (v->len == 0) {
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cachable = 0;
    v->not_found = 0;

    return NGX_OK;
}
262 | |
263 | |
/*
 * Preconfiguration hook: registers every entry of ngx_http_ssl_vars with
 * the HTTP core and copies the getter and its data onto the registered
 * variable.  Returns NGX_ERROR as soon as one registration fails.
 */
static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_http_variable_t  *entry, *registered;

    entry = ngx_http_ssl_vars;

    /* the table ends at the entry with an empty name */
    while (entry->name.len) {
        registered = ngx_http_add_variable(cf, &entry->name, entry->flags);
        if (registered == NULL) {
            return NGX_ERROR;
        }

        registered->get_handler = entry->get_handler;
        registered->data = entry->data;

        entry++;
    }

    return NGX_OK;
}
281 | |
282 | |
/*
 * Allocates the per-server SSL configuration from cf->pool.
 *
 * Returns the zeroed structure with the merged scalar fields set to
 * NGX_CONF_UNSET, or NGX_CONF_ERROR when the pool allocation fails.
 */
static void *
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
{
    ngx_http_ssl_srv_conf_t  *sscf;

    sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
    if (sscf == NULL) {
        return NGX_CONF_ERROR;
    }

    /*
     * Left at zero by ngx_pcalloc(), which the merge macros read as
     * "not set":
     *
     *     sscf->protocols
     *     sscf->certificate, sscf->certificate_key
     *     sscf->client_certificate
     *     sscf->ciphers
     *
     * The flag and numeric fields need the explicit sentinel so that
     * ngx_http_ssl_merge_srv_conf() can tell "not given" from "0".
     */
    sscf->enable = NGX_CONF_UNSET;
    sscf->session_timeout = NGX_CONF_UNSET;
    sscf->verify = NGX_CONF_UNSET;
    sscf->verify_depth = NGX_CONF_UNSET;
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;

    return sscf;
}
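/*
 * Merges the server-level SSL configuration with its parent and, when
 * "ssl" is on, builds and configures the SSL_CTX.
 *
 * parent/child are ngx_http_ssl_srv_conf_t.  Returns NGX_CONF_OK, or
 * NGX_CONF_ERROR after the failure has been logged.  Once created, the
 * SSL_CTX is owned by cf->pool through ngx_ssl_cleanup_ctx().
 *
 * Two fail-closed changes: a rejected "ssl_ciphers" string is now a
 * configuration error rather than a logged warning (the context would
 * otherwise keep whatever cipher list it had before the call), and the
 * context is released if no pool cleanup can be registered for it.
 */
static char *
ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_ssl_srv_conf_t *prev = parent;
    ngx_http_ssl_srv_conf_t *conf = child;

    ngx_pool_cleanup_t  *cln;

    ngx_conf_merge_value(conf->enable, prev->enable, 0);

    /* a plain HTTP server needs none of the context setup below */
    if (conf->enable == 0) {
        return NGX_CONF_OK;
    }

    ngx_conf_merge_value(conf->session_timeout,
                         prev->session_timeout, 300);

    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /* NOTE(review): SSLv2 is part of the default protocol set */
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET
                          |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));

    ngx_conf_merge_value(conf->verify, prev->verify, 0);
    ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1);

    ngx_conf_merge_str_value(conf->certificate, prev->certificate,
                         NGX_DEFLAUT_CERTIFICATE);

    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
                         NGX_DEFLAUT_CERTIFICATE_KEY);

    ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
                         "");

    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);


    conf->ssl.log = cf->log;

    if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        /* nothing will free the context for us, so do it now */
        ngx_ssl_cleanup_ctx(&conf->ssl);
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

    if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
                            &conf->certificate_key) != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
                                (const char *) conf->ciphers.data)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "SSL_CTX_set_cipher_list(\"%V\") failed",
                      &conf->ciphers);

        /* refuse to start with a cipher list other than the configured one */
        return NGX_CONF_ERROR;
    }

    if (conf->verify) {
        /*
         * NOTE(review): with "ssl_verify_client on" but no
         * "ssl_client_certificate", verification is switched on without
         * any trusted CA being loaded; presumably every client certificate
         * is then rejected at handshake.  Reporting that combination here
         * would surface the misconfiguration at startup — confirm.
         */
        SSL_CTX_set_verify(conf->ssl.ctx, NGX_SSL_VERIFY, NULL);

        SSL_CTX_set_verify_depth(conf->ssl.ctx, conf->verify_depth);

        if (conf->client_certificate.len) {
            if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                           &conf->client_certificate)
                != NGX_OK)
            {
                return NGX_CONF_ERROR;
            }
        }
    }

#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE

    if (conf->prefer_server_ciphers) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
    }

#endif

    /*
     * a temporary 512-bit RSA key is required for export versions of MSIE;
     * it only matters for the export-grade suites that the default cipher
     * list still admits
     */
    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER);

    /* sizeof - 1 drops the terminating NUL of ngx_http_session_id_ctx */
    SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx,
                                   sizeof(ngx_http_session_id_ctx) - 1);

    SSL_CTX_set_timeout(conf->ssl.ctx, conf->session_timeout);

    return NGX_CONF_OK;
}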
563 | 423 |
424 | |
425 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | |
426 | |
/*
 * Set handler installed for directives the linked OpenSSL cannot honour.
 * cmd->post names the required OpenSSL version.  Always fails the
 * configuration after logging.  The message ends with a comma presumably
 * because ngx_conf_log_error() appends the file position — confirm.
 */
static char *
ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    const char  *required = cmd->post;

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "\"%V\" directive is available only in %s,",
                       &cmd->name, required);

    return NGX_CONF_ERROR;
}
436 | |
437 #endif |