comparison src/http/modules/ngx_http_ssl_module.c @ 7729:3bff3f397c05
SSL: ssl_conf_command directive.
With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later. Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).
In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):
ssl_conf_command Options PrioritizeChaCha;
It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
Configuration commands are applied after nginx's own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 22 Oct 2020 18:00:22 +0300 |
parents | b56f725dd4bb |
children | 59e1c73fe02b |
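--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -50,10 +50,13 @@
 void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
+
+static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+void *data);
 
 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
 
 
 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
@@ -87,10 +90,14 @@
 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = {
 ngx_conf_deprecated, "ssl", "listen ... ssl"
 };
 
 
+static ngx_conf_post_t ngx_http_ssl_conf_command_post =
+{ ngx_http_ssl_conf_command_check };
+
+
 static ngx_command_t ngx_http_ssl_commands[] = {
 
 { ngx_string("ssl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_http_ssl_enable,
@@ -277,10 +284,17 @@
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, early_data),
 NULL },
+
+{ ngx_string("ssl_conf_command"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
+ngx_conf_set_keyval_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
+&ngx_http_ssl_conf_command_post },
 
 ngx_null_command
 };
 
 
@@ -604,10 +618,11 @@
 sscf->verify = NGX_CONF_UNSET_UINT;
 sscf->verify_depth = NGX_CONF_UNSET_UINT;
 sscf->certificates = NGX_CONF_UNSET_PTR;
 sscf->certificate_keys = NGX_CONF_UNSET_PTR;
 sscf->passwords = NGX_CONF_UNSET_PTR;
+sscf->conf_commands = NGX_CONF_UNSET_PTR;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
 sscf->session_tickets = NGX_CONF_UNSET;
 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
 sscf->ocsp = NGX_CONF_UNSET_UINT;
@@ -672,10 +687,12 @@
 
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+
+ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
 
 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
 prev->ocsp_cache_zone, NULL);
@@ -911,10 +928,14 @@
 
 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
+if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+
 return NGX_CONF_OK;
 }
 
 
 static ngx_int_t
@@ -1230,10 +1251,21 @@
 
 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
 "invalid OCSP cache \"%V\"", &value[1]);
 
 return NGX_CONF_ERROR;
+}
+
+
+static char *
+ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+return "is not supported on this platform";
+#endif
+
+return NGX_CONF_OK;
 }
 
 
 static ngx_int_t
 ngx_http_ssl_init(ngx_conf_t *cf)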
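Review bot: ngx_http_ssl_conf_command_check (new lines 1259-1266) only tests build-time support through `#ifndef SSL_CONF_FLAG_FILE`; it does not look at the command name or value it is posted with, so a misspelt or unsupported command is not rejected at parse time here. Presumably the real validation happens when the list is applied by ngx_ssl_conf_commands() in the merge handler (new line 933, a function defined outside this file, in a merge function that starts outside the hunk), and a comment stating that would keep the next reader from extending this check by mistake: `/* build-time support check only; commands are validated when applied in ngx_ssl_conf_commands() */`. When the macro is absent the trailing `return NGX_CONF_OK;` is unreachable, which some compilers warn about; an `#else` around the two returns avoids that. Given the description says the commands run after nginx's own SSL setup and can override ssl_protocols and ssl_ciphers, the same precedence note at the `ssl_conf_command` entry in ngx_http_ssl_commands (new line 290) would make that visible where the directive is defined.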