comparison src/stream/ngx_stream_ssl_module.c @ 7729:3bff3f397c05
SSL: ssl_conf_command directive.
With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later. Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).
In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):
ssl_conf_command Options PrioritizeChaCha;
It can also be used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 22 Oct 2020 18:00:22 +0300 |
parents | ef7ee19776db |
children | 7ce28b4cc57e |
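--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -43,10 +43,14 @@
 
 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
+
+static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+void *data);
+
 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
 
 
 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = {
 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
@@ -66,10 +70,14 @@
 { ngx_string("optional_no_ca"), 3 },
 { ngx_null_string, 0 }
 };
 
 
+static ngx_conf_post_t ngx_stream_ssl_conf_command_post =
+{ ngx_stream_ssl_conf_command_check };
+
+
 static ngx_command_t ngx_stream_ssl_commands[] = {
 
 { ngx_string("ssl_handshake_timeout"),
 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
@@ -193,10 +201,17 @@
 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_STREAM_SRV_CONF_OFFSET,
 offsetof(ngx_stream_ssl_conf_t, crl),
 NULL },
+
+{ ngx_string("ssl_conf_command"),
+NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
+ngx_conf_set_keyval_slot,
+NGX_STREAM_SRV_CONF_OFFSET,
+offsetof(ngx_stream_ssl_conf_t, conf_commands),
+&ngx_stream_ssl_conf_command_post },
 
 ngx_null_command
 };
 
 
@@ -593,10 +608,11 @@
 
 scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
 scf->certificates = NGX_CONF_UNSET_PTR;
 scf->certificate_keys = NGX_CONF_UNSET_PTR;
 scf->passwords = NGX_CONF_UNSET_PTR;
+scf->conf_commands = NGX_CONF_UNSET_PTR;
 scf->prefer_server_ciphers = NGX_CONF_UNSET;
 scf->verify = NGX_CONF_UNSET_UINT;
 scf->verify_depth = NGX_CONF_UNSET_UINT;
 scf->builtin_session_cache = NGX_CONF_UNSET;
 scf->session_timeout = NGX_CONF_UNSET;
@@ -647,10 +663,12 @@
 
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+
+ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
 
 
 conf->ssl.log = cf->log;
 
 if (!conf->listen) {
@@ -809,10 +827,14 @@
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
 
+if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+
 return NGX_CONF_OK;
 }
 
 
 static ngx_int_t
@@ -1032,10 +1054,21 @@
 
 return NGX_CONF_ERROR;
 }
 
 
+static char *
+ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+return "is not supported on this platform";
+#endif
+
+return NGX_CONF_OK;
+}
+
+
 static ngx_int_t
 ngx_stream_ssl_init(ngx_conf_t *cf)
 {
 ngx_stream_handler_pt *h;
 ngx_stream_core_main_conf_t *cmcf;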