Mercurial > hg > nginx

diff src/http/ngx_http_request.c @ 4245:8d39230df833 stable-1.0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merging r4034, r4186, r4187, r4229, r4235, r4237: SSL related fixes: *) Better handling of various per-server ssl options with SNI. SSL_set_SSL_CTX() doesn't touch values cached within ssl connection structure, it only changes certificates (at least as of now, OpenSSL 1.0.0d and earlier). As a result settings like ssl_verify_client, ssl_verify_depth, ssl_prefer_server_ciphers are only configurable on per-socket basis while with SNI it should be possible to specify them different for two servers listening on the same socket. Workaround is to explicitly re-apply settings we care about from context to ssl connection in servername callback. Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e. with older versions it is not possible to clear ssl_prefer_server_ciphers option if it's set in default server for a socket. *) Disabling SSL compression. This saves about 300K per SSL connection. The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0. *) Releasing memory of idle SSL connection. This saves about 34K per SSL connection. The SSL_MODE_RELEASE_BUFFERS option is available since OpenSSL 1.0.0d. *) Decrease of log level of some SSL handshake errors. *) Fixed segfault on configuration testing with ssl (ticket #37). The following config caused segmentation fault due to conf->file not being properly set if "ssl on" was inherited from the http level: http { ssl on; server { } } *) Silently ignoring a stale global SSL error left after disabled renegotiation.
author Igor Sysoev <igor@sysoev.ru>
date Tue, 01 Nov 2011 13:00:30 +0000
parents 795761886688
children 35861ba428d1
line wrap: on
line diff
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -673,6 +673,24 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
 
     SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
 
+    /*
+     * SSL_set_SSL_CTX() only changes certs as of 1.0.0d
+     * adjust other things we care about
+     */
+
+    SSL_set_verify(ssl_conn, SSL_CTX_get_verify_mode(sscf->ssl.ctx),
+                   SSL_CTX_get_verify_callback(sscf->ssl.ctx));
+
+    SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
+
+#ifdef SSL_CTRL_CLEAR_OPTIONS
+    /* only in 0.9.8m+ */
+    SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
+                                ~SSL_CTX_get_options(sscf->ssl.ctx));
+#endif
+
+    SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
+
     return SSL_TLSEXT_ERR_OK;
 }