Mercurial > hg > nginx-quic
annotate src/stream/ngx_stream_ssl_module.c @ 7815:0f9e9786b90d quic
Added primitive flow control mechanisms.
+ MAX_STREAM_DATA frame is sent when recv() is performed on stream
The new value is a sum of total bytes received by stream + free
space in a buffer;
The sending of MAX_STREM_DATA frame in response to STREAM_DATA_BLOCKED
frame is adjusted to follow the same logic as above.
+ MAX_DATA frame is sent when total amount of received data is 2x
of current limit. The limit is doubled.
+ Default values of transport parameters are adjusted to more meaningful
values:
initial stream limits are set to quic buffer size instead of
unrealistically small 255.
initial max data is decreased to 16 buffer sizes, in an assumption that
this is enough for a relatively short connection, instead of randomly
chosen big number.
All this allows to initiate a stable flow of streams that does not block
on stream/connection limits (tested with FF 77.0a1 and 100K requests)
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Wed, 15 Apr 2020 18:54:03 +0300 |
parents | ef7ee19776db |
children | 3bff3f397c05 |
rev | line source |
---|---|
6115 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> | |
11 | |
12 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
14 ngx_pool_t *pool, ngx_str_t *s); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
15 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
16 |
6115 | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
18 #define NGX_DEFAULT_ECDH_CURVE "auto" |
6115 | 19 |
20 | |
6693 | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | |
23 ngx_connection_t *c); | |
24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
26 int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg); |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
27 #endif |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
28 #ifdef SSL_R_CERT_CB_ERROR |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
29 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
30 #endif |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
31 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
32 ngx_stream_variable_value_t *v, uintptr_t data); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
33 static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
34 ngx_stream_variable_value_t *v, uintptr_t data); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
35 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
36 static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf); |
6115 | 37 static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf); |
38 static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, | |
39 void *child); | |
40 | |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
41 static ngx_int_t ngx_stream_ssl_compile_certificates(ngx_conf_t *cf, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
42 ngx_stream_ssl_conf_t *conf); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
43 |
6115 | 44 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
45 void *conf); | |
46 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
47 void *conf); | |
6693 | 48 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf); |
6115 | 49 |
50 | |
51 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = { | |
52 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
53 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
54 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
55 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
56 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6871
diff
changeset
|
57 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 }, |
6115 | 58 { ngx_null_string, 0 } |
59 }; | |
60 | |
61 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
62 static ngx_conf_enum_t ngx_stream_ssl_verify[] = { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
63 { ngx_string("off"), 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
64 { ngx_string("on"), 1 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
65 { ngx_string("optional"), 2 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
66 { ngx_string("optional_no_ca"), 3 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
67 { ngx_null_string, 0 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
68 }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
69 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
70 |
6115 | 71 static ngx_command_t ngx_stream_ssl_commands[] = { |
72 | |
73 { ngx_string("ssl_handshake_timeout"), | |
74 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
75 ngx_conf_set_msec_slot, | |
76 NGX_STREAM_SRV_CONF_OFFSET, | |
77 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), | |
78 NULL }, | |
79 | |
80 { ngx_string("ssl_certificate"), | |
81 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
82 ngx_conf_set_str_array_slot, |
6115 | 83 NGX_STREAM_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
84 offsetof(ngx_stream_ssl_conf_t, certificates), |
6115 | 85 NULL }, |
86 | |
87 { ngx_string("ssl_certificate_key"), | |
88 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
89 ngx_conf_set_str_array_slot, |
6115 | 90 NGX_STREAM_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
91 offsetof(ngx_stream_ssl_conf_t, certificate_keys), |
6115 | 92 NULL }, |
93 | |
94 { ngx_string("ssl_password_file"), | |
95 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
96 ngx_stream_ssl_password_file, | |
97 NGX_STREAM_SRV_CONF_OFFSET, | |
98 0, | |
99 NULL }, | |
100 | |
101 { ngx_string("ssl_dhparam"), | |
102 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
103 ngx_conf_set_str_slot, | |
104 NGX_STREAM_SRV_CONF_OFFSET, | |
105 offsetof(ngx_stream_ssl_conf_t, dhparam), | |
106 NULL }, | |
107 | |
108 { ngx_string("ssl_ecdh_curve"), | |
109 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
110 ngx_conf_set_str_slot, | |
111 NGX_STREAM_SRV_CONF_OFFSET, | |
112 offsetof(ngx_stream_ssl_conf_t, ecdh_curve), | |
113 NULL }, | |
114 | |
115 { ngx_string("ssl_protocols"), | |
116 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, | |
117 ngx_conf_set_bitmask_slot, | |
118 NGX_STREAM_SRV_CONF_OFFSET, | |
119 offsetof(ngx_stream_ssl_conf_t, protocols), | |
120 &ngx_stream_ssl_protocols }, | |
121 | |
122 { ngx_string("ssl_ciphers"), | |
123 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
124 ngx_conf_set_str_slot, | |
125 NGX_STREAM_SRV_CONF_OFFSET, | |
126 offsetof(ngx_stream_ssl_conf_t, ciphers), | |
127 NULL }, | |
128 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
129 { ngx_string("ssl_verify_client"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
130 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
131 ngx_conf_set_enum_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
132 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
133 offsetof(ngx_stream_ssl_conf_t, verify), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
134 &ngx_stream_ssl_verify }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
135 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
136 { ngx_string("ssl_verify_depth"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
137 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
138 ngx_conf_set_num_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
139 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
140 offsetof(ngx_stream_ssl_conf_t, verify_depth), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
141 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
142 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
143 { ngx_string("ssl_client_certificate"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
144 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
145 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
146 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
147 offsetof(ngx_stream_ssl_conf_t, client_certificate), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
148 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
149 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
150 { ngx_string("ssl_trusted_certificate"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
151 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
152 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
153 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
154 offsetof(ngx_stream_ssl_conf_t, trusted_certificate), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
155 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
156 |
6115 | 157 { ngx_string("ssl_prefer_server_ciphers"), |
158 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
159 ngx_conf_set_flag_slot, | |
160 NGX_STREAM_SRV_CONF_OFFSET, | |
161 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers), | |
162 NULL }, | |
163 | |
164 { ngx_string("ssl_session_cache"), | |
165 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12, | |
166 ngx_stream_ssl_session_cache, | |
167 NGX_STREAM_SRV_CONF_OFFSET, | |
168 0, | |
169 NULL }, | |
170 | |
171 { ngx_string("ssl_session_tickets"), | |
172 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
173 ngx_conf_set_flag_slot, | |
174 NGX_STREAM_SRV_CONF_OFFSET, | |
175 offsetof(ngx_stream_ssl_conf_t, session_tickets), | |
176 NULL }, | |
177 | |
178 { ngx_string("ssl_session_ticket_key"), | |
179 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
180 ngx_conf_set_str_array_slot, | |
181 NGX_STREAM_SRV_CONF_OFFSET, | |
182 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys), | |
183 NULL }, | |
184 | |
185 { ngx_string("ssl_session_timeout"), | |
186 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
187 ngx_conf_set_sec_slot, | |
188 NGX_STREAM_SRV_CONF_OFFSET, | |
189 offsetof(ngx_stream_ssl_conf_t, session_timeout), | |
190 NULL }, | |
191 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
192 { ngx_string("ssl_crl"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
193 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
194 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
195 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
196 offsetof(ngx_stream_ssl_conf_t, crl), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
197 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
198 |
6115 | 199 ngx_null_command |
200 }; | |
201 | |
202 | |
203 static ngx_stream_module_t ngx_stream_ssl_module_ctx = { | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
204 ngx_stream_ssl_add_variables, /* preconfiguration */ |
6693 | 205 ngx_stream_ssl_init, /* postconfiguration */ |
6174
68c106e6fa0a
Stream: added postconfiguration method to stream modules.
Vladimir Homutov <vl@nginx.com>
parents:
6157
diff
changeset
|
206 |
6115 | 207 NULL, /* create main configuration */ |
208 NULL, /* init main configuration */ | |
209 | |
210 ngx_stream_ssl_create_conf, /* create server configuration */ | |
211 ngx_stream_ssl_merge_conf /* merge server configuration */ | |
212 }; | |
213 | |
214 | |
215 ngx_module_t ngx_stream_ssl_module = { | |
216 NGX_MODULE_V1, | |
217 &ngx_stream_ssl_module_ctx, /* module context */ | |
218 ngx_stream_ssl_commands, /* module directives */ | |
219 NGX_STREAM_MODULE, /* module type */ | |
220 NULL, /* init master */ | |
221 NULL, /* init module */ | |
222 NULL, /* init process */ | |
223 NULL, /* init thread */ | |
224 NULL, /* exit thread */ | |
225 NULL, /* exit process */ | |
226 NULL, /* exit master */ | |
227 NGX_MODULE_V1_PADDING | |
228 }; | |
229 | |
230 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
231 static ngx_stream_variable_t ngx_stream_ssl_vars[] = { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
232 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
233 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
234 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
235 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
236 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
237 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
238 |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
239 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
240 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
241 |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
242 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
243 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
244 |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
245 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
246 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
247 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
248 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
249 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
250 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
251 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
252 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
253 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
254 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
255 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
256 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
257 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
258 (uintptr_t) ngx_ssl_get_raw_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
259 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
260 |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
261 { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
262 (uintptr_t) ngx_ssl_get_escaped_certificate, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
263 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
264 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
265 { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
266 (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
267 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
268 { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
269 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
270 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
271 { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
272 (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
273 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
274 { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
275 (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
276 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
277 { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
278 (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
279 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
280 { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
281 (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
282 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
283 { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
284 (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
285 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
286 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
287 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
288 |
7077
2a288909abc6
Variables: macros for null variables.
Ruslan Ermilov <ru@nginx.com>
parents:
7009
diff
changeset
|
289 ngx_stream_null_variable |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
290 }; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
291 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
292 |
6115 | 293 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM"); |
294 | |
295 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
296 static ngx_int_t |
6693 | 297 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
298 { | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
299 long rc; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
300 X509 *cert; |
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
301 ngx_int_t rv; |
6693 | 302 ngx_connection_t *c; |
303 ngx_stream_ssl_conf_t *sslcf; | |
304 | |
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
305 if (!s->ssl) { |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
306 return NGX_OK; |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
307 } |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
308 |
6693 | 309 c = s->connection; |
310 | |
311 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
312 | |
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
313 if (c->ssl == NULL) { |
6693 | 314 c->log->action = "SSL handshaking"; |
315 | |
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
316 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
317 |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
318 if (rv != NGX_OK) { |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
319 return rv; |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
320 } |
6693 | 321 } |
322 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
323 if (sslcf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
324 rc = SSL_get_verify_result(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
325 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
326 if (rc != X509_V_OK |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
327 && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
328 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
329 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
330 "client SSL certificate verify error: (%l:%s)", |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
331 rc, X509_verify_cert_error_string(rc)); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
332 |
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
333 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
334 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
335 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
336 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
337 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
338 if (sslcf->verify == 1) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
339 cert = SSL_get_peer_certificate(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
340 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
341 if (cert == NULL) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
342 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
343 "client sent no required SSL certificate"); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
344 |
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
345 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
346 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
347 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
348 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
349 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
350 X509_free(cert); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
351 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
352 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
353 |
6693 | 354 return NGX_OK; |
355 } | |
356 | |
357 | |
358 static ngx_int_t | |
359 ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c) | |
360 { | |
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
361 ngx_int_t rc; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
362 ngx_stream_session_t *s; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
363 ngx_stream_ssl_conf_t *sslcf; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
364 ngx_stream_core_srv_conf_t *cscf; |
6693 | 365 |
366 s = c->data; | |
367 | |
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
368 cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module); |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
369 |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
370 if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) { |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
371 return NGX_ERROR; |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
372 } |
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
373 |
7009
03444167a3bb
Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7008
diff
changeset
|
374 if (ngx_ssl_create_connection(ssl, c, 0) != NGX_OK) { |
6693 | 375 return NGX_ERROR; |
376 } | |
377 | |
378 rc = ngx_ssl_handshake(c); | |
379 | |
380 if (rc == NGX_ERROR) { | |
381 return NGX_ERROR; | |
382 } | |
383 | |
384 if (rc == NGX_AGAIN) { | |
385 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
386 | |
387 ngx_add_timer(c->read, sslcf->handshake_timeout); | |
388 | |
389 c->ssl->handler = ngx_stream_ssl_handshake_handler; | |
390 | |
391 return NGX_AGAIN; | |
392 } | |
393 | |
394 /* rc == NGX_OK */ | |
395 | |
396 return NGX_OK; | |
397 } | |
398 | |
399 | |
400 static void | |
401 ngx_stream_ssl_handshake_handler(ngx_connection_t *c) | |
402 { | |
403 ngx_stream_session_t *s; | |
404 | |
405 s = c->data; | |
406 | |
407 if (!c->ssl->handshaked) { | |
408 ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | |
409 return; | |
410 } | |
411 | |
412 if (c->read->timer_set) { | |
413 ngx_del_timer(c->read); | |
414 } | |
415 | |
416 ngx_stream_core_run_phases(s); | |
417 } | |
418 | |
419 | |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
420 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
421 |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
422 int |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
423 ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
424 { |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
425 return SSL_TLSEXT_ERR_OK; |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
426 } |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
427 |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
428 #endif |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
429 |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
430 |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
431 #ifdef SSL_R_CERT_CB_ERROR |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
432 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
433 int |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
434 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
435 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
436 ngx_str_t cert, key; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
437 ngx_uint_t i, nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
438 ngx_connection_t *c; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
439 ngx_stream_session_t *s; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
440 ngx_stream_ssl_conf_t *sslcf; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
441 ngx_stream_complex_value_t *certs, *keys; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
442 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
443 c = ngx_ssl_get_connection(ssl_conn); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
444 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
445 if (c->ssl->handshaked) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
446 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
447 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
448 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
449 s = c->data; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
450 |
7466
48c87377aabd
SSL: fixed possible segfault with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
451 sslcf = arg; |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
452 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
453 nelts = sslcf->certificate_values->nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
454 certs = sslcf->certificate_values->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
455 keys = sslcf->certificate_key_values->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
456 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
457 for (i = 0; i < nelts; i++) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
458 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
459 if (ngx_stream_complex_value(s, &certs[i], &cert) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
460 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
461 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
462 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
463 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
464 "ssl cert: \"%s\"", cert.data); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
465 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
466 if (ngx_stream_complex_value(s, &keys[i], &key) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
467 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
468 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
469 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
470 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
471 "ssl key: \"%s\"", key.data); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
472 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
473 if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
474 sslcf->passwords) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
475 != NGX_OK) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
476 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
477 return 0; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
478 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
479 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
480 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
481 return 1; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
482 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
483 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
484 #endif |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
485 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
486 |
6693 | 487 static ngx_int_t |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
488 ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
489 ngx_stream_variable_value_t *v, uintptr_t data) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
490 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
491 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
492 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
493 size_t len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
494 ngx_str_t str; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
495 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
496 if (s->connection->ssl) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
497 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
498 (void) handler(s->connection, NULL, &str); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
499 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
500 v->data = str.data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
501 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
502 for (len = 0; v->data[len]; len++) { /* void */ } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
503 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
504 v->len = len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
505 v->valid = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
506 v->no_cacheable = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
507 v->not_found = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
508 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
509 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
510 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
511 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
512 v->not_found = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
513 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
514 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
515 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
516 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
517 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
518 static ngx_int_t |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
519 ngx_stream_ssl_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
520 ngx_stream_variable_value_t *v, uintptr_t data) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
521 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
522 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
523 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
524 ngx_str_t str; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
525 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
526 if (s->connection->ssl) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
527 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
528 if (handler(s->connection, s->connection->pool, &str) != NGX_OK) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
529 return NGX_ERROR; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
530 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
531 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
532 v->len = str.len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
533 v->data = str.data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
534 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
535 if (v->len) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
536 v->valid = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
537 v->no_cacheable = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
538 v->not_found = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
539 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
540 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
541 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
542 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
543 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
544 v->not_found = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
545 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
546 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
547 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
548 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
549 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
550 static ngx_int_t |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
551 ngx_stream_ssl_add_variables(ngx_conf_t *cf) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
552 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
553 ngx_stream_variable_t *var, *v; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
554 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
555 for (v = ngx_stream_ssl_vars; v->name.len; v++) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
556 var = ngx_stream_add_variable(cf, &v->name, v->flags); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
557 if (var == NULL) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
558 return NGX_ERROR; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
559 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
560 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
561 var->get_handler = v->get_handler; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
562 var->data = v->data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
563 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
564 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
565 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
566 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
567 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
568 |
6115 | 569 static void * |
570 ngx_stream_ssl_create_conf(ngx_conf_t *cf) | |
571 { | |
572 ngx_stream_ssl_conf_t *scf; | |
573 | |
574 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t)); | |
575 if (scf == NULL) { | |
576 return NULL; | |
577 } | |
578 | |
579 /* | |
580 * set by ngx_pcalloc(): | |
581 * | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
582 * scf->listen = 0; |
6115 | 583 * scf->protocols = 0; |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
584 * scf->certificate_values = NULL; |
6115 | 585 * scf->dhparam = { 0, NULL }; |
586 * scf->ecdh_curve = { 0, NULL }; | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
587 * scf->client_certificate = { 0, NULL }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
588 * scf->trusted_certificate = { 0, NULL }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
589 * scf->crl = { 0, NULL }; |
6115 | 590 * scf->ciphers = { 0, NULL }; |
591 * scf->shm_zone = NULL; | |
592 */ | |
593 | |
594 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
595 scf->certificates = NGX_CONF_UNSET_PTR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
596 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
6115 | 597 scf->passwords = NGX_CONF_UNSET_PTR; |
598 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
599 scf->verify = NGX_CONF_UNSET_UINT; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
600 scf->verify_depth = NGX_CONF_UNSET_UINT; |
6115 | 601 scf->builtin_session_cache = NGX_CONF_UNSET; |
602 scf->session_timeout = NGX_CONF_UNSET; | |
603 scf->session_tickets = NGX_CONF_UNSET; | |
604 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; | |
605 | |
606 return scf; | |
607 } | |
608 | |
609 | |
610 static char * | |
611 ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
612 { | |
613 ngx_stream_ssl_conf_t *prev = parent; | |
614 ngx_stream_ssl_conf_t *conf = child; | |
615 | |
616 ngx_pool_cleanup_t *cln; | |
617 | |
618 ngx_conf_merge_msec_value(conf->handshake_timeout, | |
619 prev->handshake_timeout, 60000); | |
620 | |
621 ngx_conf_merge_value(conf->session_timeout, | |
622 prev->session_timeout, 300); | |
623 | |
624 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
625 prev->prefer_server_ciphers, 0); | |
626 | |
627 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6115
diff
changeset
|
628 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
6115 | 629 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
630 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
631 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
632 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
633 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
634 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
635 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
636 NULL); |
6115 | 637 |
638 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | |
639 | |
640 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | |
641 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
642 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
643 ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
644 ngx_conf_merge_str_value(conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
645 prev->trusted_certificate, ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
646 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
647 |
6115 | 648 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
649 NGX_DEFAULT_ECDH_CURVE); | |
650 | |
651 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | |
652 | |
653 | |
654 conf->ssl.log = cf->log; | |
655 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
656 if (!conf->listen) { |
6115 | 657 return NGX_CONF_OK; |
658 } | |
659 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
660 if (conf->certificates == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
661 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
662 "no \"ssl_certificate\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
663 "the \"listen ... ssl\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
664 conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
665 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
666 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
667 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
668 if (conf->certificate_keys == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
669 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
670 "no \"ssl_certificate_key\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
671 "the \"listen ... ssl\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
672 conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
673 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
674 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
675 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
676 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
6115 | 677 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
678 "no \"ssl_certificate_key\" is defined " | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
679 "for certificate \"%V\" and " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
680 "the \"listen ... ssl\" directive in %s:%ui", |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
681 ((ngx_str_t *) conf->certificates->elts) |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
682 + conf->certificates->nelts - 1, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
683 conf->file, conf->line); |
6115 | 684 return NGX_CONF_ERROR; |
685 } | |
686 | |
687 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | |
688 return NGX_CONF_ERROR; | |
689 } | |
690 | |
691 cln = ngx_pool_cleanup_add(cf->pool, 0); | |
692 if (cln == NULL) { | |
7473
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7471
diff
changeset
|
693 ngx_ssl_cleanup_ctx(&conf->ssl); |
6115 | 694 return NGX_CONF_ERROR; |
695 } | |
696 | |
697 cln->handler = ngx_ssl_cleanup_ctx; | |
698 cln->data = &conf->ssl; | |
699 | |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
700 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
701 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
702 ngx_stream_ssl_servername); |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
703 #endif |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
704 |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
705 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) { |
6115 | 706 return NGX_CONF_ERROR; |
707 } | |
708 | |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
709 if (conf->certificate_values) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
710 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
711 #ifdef SSL_R_CERT_CB_ERROR |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
712 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
713 /* install callback to lookup certificates */ |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
714 |
7466
48c87377aabd
SSL: fixed possible segfault with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
715 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, conf); |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
716 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
717 #else |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
718 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
719 "variables in " |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
720 "\"ssl_certificate\" and \"ssl_certificate_key\" " |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
721 "directives are not supported on this platform"); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
722 return NGX_CONF_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
723 #endif |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
724 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
725 } else { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
726 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
727 /* configure certificates */ |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
728 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
729 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
730 conf->certificate_keys, conf->passwords) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
731 != NGX_OK) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
732 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
733 return NGX_CONF_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
734 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
735 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
736 |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
737 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
738 conf->prefer_server_ciphers) |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
739 != NGX_OK) |
6115 | 740 { |
741 return NGX_CONF_ERROR; | |
742 } | |
743 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
744 if (conf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
745 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
746 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
747 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7567
ef7ee19776db
SSL: fixed ssl_verify_client error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7473
diff
changeset
|
748 "no ssl_client_certificate for ssl_verify_client"); |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
749 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
750 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
751 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
752 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
753 &conf->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
754 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
755 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
756 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
757 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
758 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
759 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
760 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
761 &conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
762 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
763 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
764 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
765 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
766 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
767 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
768 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
769 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
770 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
771 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
772 |
6115 | 773 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
774 return NGX_CONF_ERROR; | |
775 } | |
776 | |
777 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | |
778 return NGX_CONF_ERROR; | |
779 } | |
780 | |
781 ngx_conf_merge_value(conf->builtin_session_cache, | |
782 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | |
783 | |
784 if (conf->shm_zone == NULL) { | |
785 conf->shm_zone = prev->shm_zone; | |
786 } | |
787 | |
788 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, | |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7464
diff
changeset
|
789 conf->certificates, conf->builtin_session_cache, |
6115 | 790 conf->shm_zone, conf->session_timeout) |
791 != NGX_OK) | |
792 { | |
793 return NGX_CONF_ERROR; | |
794 } | |
795 | |
796 ngx_conf_merge_value(conf->session_tickets, | |
797 prev->session_tickets, 1); | |
798 | |
799 #ifdef SSL_OP_NO_TICKET | |
800 if (!conf->session_tickets) { | |
801 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
802 } | |
803 #endif | |
804 | |
805 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
806 prev->session_ticket_keys, NULL); | |
807 | |
808 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
809 != NGX_OK) | |
810 { | |
811 return NGX_CONF_ERROR; | |
812 } | |
813 | |
814 return NGX_CONF_OK; | |
815 } | |
816 | |
817 | |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
818 static ngx_int_t |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
819 ngx_stream_ssl_compile_certificates(ngx_conf_t *cf, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
820 ngx_stream_ssl_conf_t *conf) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
821 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
822 ngx_str_t *cert, *key; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
823 ngx_uint_t i, nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
824 ngx_stream_complex_value_t *cv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
825 ngx_stream_compile_complex_value_t ccv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
826 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
827 cert = conf->certificates->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
828 key = conf->certificate_keys->elts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
829 nelts = conf->certificates->nelts; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
830 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
831 for (i = 0; i < nelts; i++) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
832 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
833 if (ngx_stream_script_variables_count(&cert[i])) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
834 goto found; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
835 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
836 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
837 if (ngx_stream_script_variables_count(&key[i])) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
838 goto found; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
839 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
840 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
841 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
842 return NGX_OK; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
843 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
844 found: |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
845 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
846 conf->certificate_values = ngx_array_create(cf->pool, nelts, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
847 sizeof(ngx_stream_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
848 if (conf->certificate_values == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
849 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
850 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
851 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
852 conf->certificate_key_values = ngx_array_create(cf->pool, nelts, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
853 sizeof(ngx_stream_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
854 if (conf->certificate_key_values == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
855 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
856 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
857 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
858 for (i = 0; i < nelts; i++) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
859 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
860 cv = ngx_array_push(conf->certificate_values); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
861 if (cv == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
862 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
863 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
864 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
865 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
866 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
867 ccv.cf = cf; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
868 ccv.value = &cert[i]; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
869 ccv.complex_value = cv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
870 ccv.zero = 1; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
871 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
872 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
873 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
874 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
875 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
876 cv = ngx_array_push(conf->certificate_key_values); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
877 if (cv == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
878 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
879 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
880 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
881 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t)); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
882 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
883 ccv.cf = cf; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
884 ccv.value = &key[i]; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
885 ccv.complex_value = cv; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
886 ccv.zero = 1; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
887 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
888 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
889 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
890 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
891 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
892 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
893 conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
894 if (conf->passwords == NULL) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
895 return NGX_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
896 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
897 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
898 return NGX_OK; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
899 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
900 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
901 |
6115 | 902 static char * |
903 ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
904 { | |
905 ngx_stream_ssl_conf_t *scf = conf; | |
906 | |
907 ngx_str_t *value; | |
908 | |
909 if (scf->passwords != NGX_CONF_UNSET_PTR) { | |
910 return "is duplicate"; | |
911 } | |
912 | |
913 value = cf->args->elts; | |
914 | |
915 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); | |
916 | |
917 if (scf->passwords == NULL) { | |
918 return NGX_CONF_ERROR; | |
919 } | |
920 | |
921 return NGX_CONF_OK; | |
922 } | |
923 | |
924 | |
925 static char * | |
926 ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
927 { | |
928 ngx_stream_ssl_conf_t *scf = conf; | |
929 | |
930 size_t len; | |
931 ngx_str_t *value, name, size; | |
932 ngx_int_t n; | |
933 ngx_uint_t i, j; | |
934 | |
935 value = cf->args->elts; | |
936 | |
937 for (i = 1; i < cf->args->nelts; i++) { | |
938 | |
939 if (ngx_strcmp(value[i].data, "off") == 0) { | |
940 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
941 continue; | |
942 } | |
943 | |
944 if (ngx_strcmp(value[i].data, "none") == 0) { | |
945 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
946 continue; | |
947 } | |
948 | |
949 if (ngx_strcmp(value[i].data, "builtin") == 0) { | |
950 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
951 continue; | |
952 } | |
953 | |
954 if (value[i].len > sizeof("builtin:") - 1 | |
955 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
956 == 0) | |
957 { | |
958 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
959 value[i].len - (sizeof("builtin:") - 1)); | |
960 | |
961 if (n == NGX_ERROR) { | |
962 goto invalid; | |
963 } | |
964 | |
965 scf->builtin_session_cache = n; | |
966 | |
967 continue; | |
968 } | |
969 | |
970 if (value[i].len > sizeof("shared:") - 1 | |
971 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
972 == 0) | |
973 { | |
974 len = 0; | |
975 | |
976 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
977 if (value[i].data[j] == ':') { | |
978 break; | |
979 } | |
980 | |
981 len++; | |
982 } | |
983 | |
984 if (len == 0) { | |
985 goto invalid; | |
986 } | |
987 | |
988 name.len = len; | |
989 name.data = value[i].data + sizeof("shared:") - 1; | |
990 | |
991 size.len = value[i].len - j - 1; | |
992 size.data = name.data + len + 1; | |
993 | |
994 n = ngx_parse_size(&size); | |
995 | |
996 if (n == NGX_ERROR) { | |
997 goto invalid; | |
998 } | |
999 | |
1000 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
1001 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
1002 "session cache \"%V\" is too small", | |
1003 &value[i]); | |
1004 | |
1005 return NGX_CONF_ERROR; | |
1006 } | |
1007 | |
1008 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
1009 &ngx_stream_ssl_module); | |
1010 if (scf->shm_zone == NULL) { | |
1011 return NGX_CONF_ERROR; | |
1012 } | |
1013 | |
1014 scf->shm_zone->init = ngx_ssl_session_cache_init; | |
1015 | |
1016 continue; | |
1017 } | |
1018 | |
1019 goto invalid; | |
1020 } | |
1021 | |
1022 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
1023 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
1024 } | |
1025 | |
1026 return NGX_CONF_OK; | |
1027 | |
1028 invalid: | |
1029 | |
1030 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
1031 "invalid session cache \"%V\"", &value[i]); | |
1032 | |
1033 return NGX_CONF_ERROR; | |
1034 } | |
6693 | 1035 |
1036 | |
1037 static ngx_int_t | |
1038 ngx_stream_ssl_init(ngx_conf_t *cf) | |
1039 { | |
1040 ngx_stream_handler_pt *h; | |
1041 ngx_stream_core_main_conf_t *cmcf; | |
1042 | |
1043 cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module); | |
1044 | |
1045 h = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers); | |
1046 if (h == NULL) { | |
1047 return NGX_ERROR; | |
1048 } | |
1049 | |
1050 *h = ngx_stream_ssl_handler; | |
1051 | |
1052 return NGX_OK; | |
1053 } |