comparison src/mail/ngx_mail_ssl_module.c @ 6550:51e1f047d15d

SSL: support for multiple certificates (ticket #814).
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 19 May 2016 14:46:32 +0300
parents c256dfdd469d
children 2014ed60f17f
6549:d3302eb87a0c 6550:51e1f047d15d
71 offsetof(ngx_mail_ssl_conf_t, starttls), 71 offsetof(ngx_mail_ssl_conf_t, starttls),
72 ngx_mail_starttls_state }, 72 ngx_mail_starttls_state },
73 73
74 { ngx_string("ssl_certificate"), 74 { ngx_string("ssl_certificate"),
75 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, 75 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
76 ngx_conf_set_str_slot, 76 ngx_conf_set_str_array_slot,
77 NGX_MAIL_SRV_CONF_OFFSET, 77 NGX_MAIL_SRV_CONF_OFFSET,
78 offsetof(ngx_mail_ssl_conf_t, certificate), 78 offsetof(ngx_mail_ssl_conf_t, certificates),
79 NULL }, 79 NULL },
80 80
81 { ngx_string("ssl_certificate_key"), 81 { ngx_string("ssl_certificate_key"),
82 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, 82 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
83 ngx_conf_set_str_slot, 83 ngx_conf_set_str_array_slot,
84 NGX_MAIL_SRV_CONF_OFFSET, 84 NGX_MAIL_SRV_CONF_OFFSET,
85 offsetof(ngx_mail_ssl_conf_t, certificate_key), 85 offsetof(ngx_mail_ssl_conf_t, certificate_keys),
86 NULL }, 86 NULL },
87 87
88 { ngx_string("ssl_password_file"), 88 { ngx_string("ssl_password_file"),
89 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, 89 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
90 ngx_mail_ssl_password_file, 90 ngx_mail_ssl_password_file,
236 236
237 /* 237 /*
238 * set by ngx_pcalloc(): 238 * set by ngx_pcalloc():
239 * 239 *
240 * scf->protocols = 0; 240 * scf->protocols = 0;
241 * scf->certificate = { 0, NULL };
242 * scf->certificate_key = { 0, NULL };
243 * scf->dhparam = { 0, NULL }; 241 * scf->dhparam = { 0, NULL };
244 * scf->ecdh_curve = { 0, NULL }; 242 * scf->ecdh_curve = { 0, NULL };
245 * scf->client_certificate = { 0, NULL }; 243 * scf->client_certificate = { 0, NULL };
246 * scf->trusted_certificate = { 0, NULL }; 244 * scf->trusted_certificate = { 0, NULL };
247 * scf->crl = { 0, NULL }; 245 * scf->crl = { 0, NULL };
249 * scf->shm_zone = NULL; 247 * scf->shm_zone = NULL;
250 */ 248 */
251 249
252 scf->enable = NGX_CONF_UNSET; 250 scf->enable = NGX_CONF_UNSET;
253 scf->starttls = NGX_CONF_UNSET_UINT; 251 scf->starttls = NGX_CONF_UNSET_UINT;
252 scf->certificates = NGX_CONF_UNSET_PTR;
253 scf->certificate_keys = NGX_CONF_UNSET_PTR;
254 scf->passwords = NGX_CONF_UNSET_PTR; 254 scf->passwords = NGX_CONF_UNSET_PTR;
255 scf->prefer_server_ciphers = NGX_CONF_UNSET; 255 scf->prefer_server_ciphers = NGX_CONF_UNSET;
256 scf->verify = NGX_CONF_UNSET_UINT; 256 scf->verify = NGX_CONF_UNSET_UINT;
257 scf->verify_depth = NGX_CONF_UNSET_UINT; 257 scf->verify_depth = NGX_CONF_UNSET_UINT;
258 scf->builtin_session_cache = NGX_CONF_UNSET; 258 scf->builtin_session_cache = NGX_CONF_UNSET;
288 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); 288 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
289 289
290 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); 290 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
291 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); 291 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
292 292
293 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); 293 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
294 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); 294 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
295 NULL);
295 296
296 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); 297 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
297 298
298 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); 299 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
299 300
326 conf->line = prev->line; 327 conf->line = prev->line;
327 } 328 }
328 329
329 if (*mode) { 330 if (*mode) {
330 331
331 if (conf->certificate.len == 0) { 332 if (conf->certificates == NULL) {
332 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, 333 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
333 "no \"ssl_certificate\" is defined for " 334 "no \"ssl_certificate\" is defined for "
334 "the \"%s\" directive in %s:%ui", 335 "the \"%s\" directive in %s:%ui",
335 mode, conf->file, conf->line); 336 mode, conf->file, conf->line);
336 return NGX_CONF_ERROR; 337 return NGX_CONF_ERROR;
337 } 338 }
338 339
339 if (conf->certificate_key.len == 0) { 340 if (conf->certificate_keys == NULL) {
340 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, 341 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
341 "no \"ssl_certificate_key\" is defined for " 342 "no \"ssl_certificate_key\" is defined for "
342 "the \"%s\" directive in %s:%ui", 343 "the \"%s\" directive in %s:%ui",
343 mode, conf->file, conf->line); 344 mode, conf->file, conf->line);
344 return NGX_CONF_ERROR; 345 return NGX_CONF_ERROR;
345 } 346 }
346 347
348 if (conf->certificate_keys->nelts < conf->certificates->nelts) {
349 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
350 "no \"ssl_certificate_key\" is defined "
351 "for certificate \"%V\" and "
352 "the \"ssl\" directive in %s:%ui",
353 ((ngx_str_t *) conf->certificates->elts)
354 + conf->certificates->nelts - 1,
355 conf->file, conf->line);
356 return NGX_CONF_ERROR;
357 }
358
347 } else { 359 } else {
348 360
349 if (conf->certificate.len == 0) { 361 if (conf->certificates == NULL) {
350 return NGX_CONF_OK; 362 return NGX_CONF_OK;
351 } 363 }
352 364
353 if (conf->certificate_key.len == 0) { 365 if (conf->certificate_keys == NULL
366 || conf->certificate_keys->nelts < conf->certificates->nelts)
367 {
354 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, 368 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
355 "no \"ssl_certificate_key\" is defined " 369 "no \"ssl_certificate_key\" is defined "
356 "for certificate \"%V\"", 370 "for certificate \"%V\"",
357 &conf->certificate); 371 ((ngx_str_t *) conf->certificates->elts)
372 + conf->certificates->nelts - 1);
358 return NGX_CONF_ERROR; 373 return NGX_CONF_ERROR;
359 } 374 }
360 } 375 }
361 376
362 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { 377 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
369 } 384 }
370 385
371 cln->handler = ngx_ssl_cleanup_ctx; 386 cln->handler = ngx_ssl_cleanup_ctx;
372 cln->data = &conf->ssl; 387 cln->data = &conf->ssl;
373 388
374 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, 389 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
375 &conf->certificate_key, conf->passwords) 390 conf->certificate_keys, conf->passwords)
376 != NGX_OK) 391 != NGX_OK)
377 { 392 {
378 return NGX_CONF_ERROR; 393 return NGX_CONF_ERROR;
379 } 394 }
380 395
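Review bot: The key-count check added in the `if (*mode)` branch (new lines 348-357) hard-codes `the \"ssl\" directive` in its message, while the two checks just above it take the directive name from `mode` via `%s`; if `mode` can hold another value there, the operator is pointed at the wrong directive. I would keep it consistent with its neighbours: `"the \"%s\" directive in %s:%ui",` with `mode,` added ahead of `conf->file, conf->line`. Both new count checks name the last entry of `certificates`, which is the certificate actually lacking a key only when exactly one key is missing, and neither branch rejects more keys than certificates; whether surplus `ssl_certificate_key` entries are silently ignored depends on `ngx_ssl_certificates()`, which is not shown here. Certificates and keys appear to be paired by position, so a short comment above the first count check would help, e.g. `/* keys are matched to certificates by index */`. The enclosing merge function starts and ends outside the visible lines.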