Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 8869:e5a17d6041bd quic
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
In particular, this fixes rejecting "listen .. quic|http3" configurations
without TLSv1.3 configured.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 29 Sep 2021 15:01:53 +0300 |
| parents | fac88e160653 |
| children | 61d0fa67b55e |
comparison
equal
deleted
inserted
replaced
| 8868:5a2080d48da8 | 8869:e5a17d6041bd |
|---|---|
| 1383 | 1383 |
| 1384 cscf = addr[a].default_server; | 1384 cscf = addr[a].default_server; |
| 1385 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | 1385 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
| 1386 | 1386 |
| 1387 if (sscf->certificates) { | 1387 if (sscf->certificates) { |
| 1388 | |
| 1389 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { | |
| 1390 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 1391 "\"ssl_protocols\" must enable TLSv1.3 for " | |
| 1392 "the \"listen ... %s\" directive in %s:%ui", | |
| 1393 name, cscf->file_name, cscf->line); | |
| 1394 return NGX_ERROR; | |
| 1395 } | |
| 1396 | |
| 1388 continue; | 1397 continue; |
| 1389 } | 1398 } |
| 1390 | 1399 |
| 1391 if (!sscf->reject_handshake) { | 1400 if (!sscf->reject_handshake) { |
| 1392 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 1393 "no \"ssl_certificate\" is defined for " | |
| 1394 "the \"listen ... ssl\" directive in %s:%ui", | |
| 1395 cscf->file_name, cscf->line); | |
| 1396 return NGX_ERROR; | |
| 1397 } | |
| 1398 | |
| 1399 /* | |
| 1400 * if no certificates are defined in the default server, | |
| 1401 * check all non-default server blocks | |
| 1402 */ | |
| 1403 | |
| 1404 cscfp = addr[a].servers.elts; | |
| 1405 for (s = 0; s < addr[a].servers.nelts; s++) { | |
| 1406 | |
| 1407 cscf = cscfp[s]; | |
| 1408 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
| 1409 | |
| 1410 if (sscf->certificates || sscf->reject_handshake) { | |
| 1411 continue; | |
| 1412 } | |
| 1413 | |
| 1414 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 1401 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 1415 "no \"ssl_certificate\" is defined for " | 1402 "no \"ssl_certificate\" is defined for " |
| 1416 "the \"listen ... %s\" directive in %s:%ui", | 1403 "the \"listen ... %s\" directive in %s:%ui", |
| 1417 name, cscf->file_name, cscf->line); | 1404 name, cscf->file_name, cscf->line); |
| 1418 return NGX_ERROR; | 1405 return NGX_ERROR; |
| 1419 } | 1406 } |
| 1420 | 1407 |
| 1421 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { | 1408 /* |
| 1409 * if no certificates are defined in the default server, | |
| 1410 * check all non-default server blocks | |
| 1411 */ | |
| 1412 | |
| 1413 cscfp = addr[a].servers.elts; | |
| 1414 for (s = 0; s < addr[a].servers.nelts; s++) { | |
| 1415 | |
| 1416 cscf = cscfp[s]; | |
| 1417 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
| 1418 | |
| 1419 if (sscf->certificates || sscf->reject_handshake) { | |
| 1420 continue; | |
| 1421 } | |
| 1422 | |
| 1422 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 1423 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 1423 "\"ssl_protocols\" did not enable TLSv1.3 for " | 1424 "no \"ssl_certificate\" is defined for " |
| 1424 "the \"listen ... %s\" directives in %s:%ui", | 1425 "the \"listen ... %s\" directive in %s:%ui", |
| 1425 name, cscf->file_name, cscf->line); | 1426 name, cscf->file_name, cscf->line); |
| 1426 return NGX_ERROR; | 1427 return NGX_ERROR; |
| 1427 } | 1428 } |
| 1428 } | 1429 } |
| 1429 } | 1430 } |