comparison src/mail/ngx_mail_ssl_module.c @ 5425:1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.
ssl_session_ticket_key session_tickets/current.key;
ssl_session_ticket_key session_tickets/prev-1h.key;
ssl_session_ticket_key session_tickets/prev-2h.key;
Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
author | Piotr Sikora <piotr@cloudflare.com> |
---|---|
date | Fri, 11 Oct 2013 16:05:24 -0700 |
parents | 09fc4598fc8e |
children | d049b0ea00a3 |
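--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -112,10 +112,17 @@
 { ngx_string("ssl_session_cache"),
 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
 ngx_mail_ssl_session_cache,
 NGX_MAIL_SRV_CONF_OFFSET,
 0,
+NULL },
+
+{ ngx_string("ssl_session_ticket_key"),
+NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_array_slot,
+NGX_MAIL_SRV_CONF_OFFSET,
+offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
 NULL },
 
 { ngx_string("ssl_session_timeout"),
 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_sec_slot,
@@ -182,10 +189,11 @@
 scf->enable = NGX_CONF_UNSET;
 scf->starttls = NGX_CONF_UNSET_UINT;
 scf->prefer_server_ciphers = NGX_CONF_UNSET;
 scf->builtin_session_cache = NGX_CONF_UNSET;
 scf->session_timeout = NGX_CONF_UNSET;
+scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
 
 return scf;
 }
 
 
@@ -329,10 +337,19 @@
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
 
+ngx_conf_merge_ptr_value(conf->session_ticket_keys,
+prev->session_ticket_keys, NULL);
+
+if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
 return NGX_CONF_OK;
 }
 
 
 static char *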
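Review bot: The `ngx_conf_merge_ptr_value(conf->session_ticket_keys, prev->session_ticket_keys, NULL)` call in the last hunk makes a server block that sets any `ssl_session_ticket_key` replace the main-level list instead of extending it, and nothing in the code says so. That matters for rollover, because a server that lists only a new key stops resuming tickets issued under keys defined at the main level. I would add above the merge `/* server-level keys replace, not extend, the inherited list; the first key issues tickets */`. When no key is configured the pointer handed to `ngx_ssl_session_ticket_keys()` is NULL; that function is outside this page, so its NULL handling should be confirmed. The enclosing merge function begins outside the hunk.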