annotate src/mail/ngx_mail_ssl_module.c @ 5905:2f7e557eab5b
Cache: proxy_cache_lock_age and friends.
Once this age is reached, the cache lock is discarded and another
request can acquire the lock. Requests which failed to acquire
the lock are not allowed to cache the response.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 18 Nov 2014 20:41:12 +0300 |
parents | 42114bf12da0 |
children | ec01b1d1fff1 |
539 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
539 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
1136 | 10 #include <ngx_mail.h> |
539 | 11 |
12 | |
3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
14 #define NGX_DEFAULT_ECDH_CURVE "prime256v1" | |
539 | 15 |
16 | |
1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
2224 | 19 |
20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
21 void *conf); | |
22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
23 void *conf); | |
24 static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
25 void *conf); |
1136 | 26 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
976 | 27 void *conf); |
539 | 28 |
29 | |
/*
 * Values accepted by the "starttls" directive.  ngx_conf_set_enum_slot()
 * (called from ngx_mail_ssl_starttls()) stores the matching
 * NGX_MAIL_STARTTLS_* constant; the ngx_null_string entry ends the table.
 */
static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
    { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
    { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
    { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
    { ngx_null_string, 0 }
};
36 | |
37 | |
38 | |
/*
 * Bitmask values accepted by the "ssl_protocols" directive.
 *
 * NOTE(review): SSLv2 and SSLv3 remain selectable here.  The merge default
 * in ngx_mail_ssl_merge_conf() enables SSLv3 and TLSv1..TLSv1.2; SSLv2 is
 * only enabled when it is named explicitly.
 */
static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_null_string, 0 }
};
47 | |
48 | |
/*
 * Directives of the mail SSL module.  Every directive is allowed at mail{}
 * and server{} level and is stored in the server configuration
 * (ngx_mail_ssl_conf_t); mail{}-level values are inherited by
 * ngx_mail_ssl_merge_conf().
 */
static ngx_command_t  ngx_mail_ssl_commands[] = {

    /* "ssl on|off": custom handler also records where the directive appeared */
    { ngx_string("ssl"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_mail_ssl_enable,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, enable),
      NULL },

    /* "starttls off|on|only": enum table is ngx_mail_starttls_state */
    { ngx_string("starttls"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_starttls,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, starttls),
      ngx_mail_starttls_state },

    { ngx_string("ssl_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificate),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificate_key),
      NULL },

    /* "ssl_password_file": read once by ngx_mail_ssl_password_file(),
     * no offset since the handler stores the result itself */
    { ngx_string("ssl_password_file"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_password_file,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, dhparam),
      NULL },

    /* defaults to NGX_DEFAULT_ECDH_CURVE at merge time */
    { ngx_string("ssl_ecdh_curve"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
      NULL },

    /* "ssl_protocols": one or more names from ngx_mail_ssl_protocols */
    { ngx_string("ssl_protocols"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, protocols),
      &ngx_mail_ssl_protocols },

    /* OpenSSL cipher list string, defaults to NGX_DEFAULT_CIPHERS */
    { ngx_string("ssl_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ciphers),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
      NULL },

    /* "ssl_session_cache": one or two arguments, parsed by
     * ngx_mail_ssl_session_cache() into builtin_session_cache/shm_zone */
    { ngx_string("ssl_session_cache"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
      ngx_mail_ssl_session_cache,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_tickets),
      NULL },

    /* may be given several times; the values are collected into an array */
    { ngx_string("ssl_session_ticket_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
      NULL },

    /* seconds; defaults to 300 at merge time */
    { ngx_string("ssl_session_timeout"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_timeout),
      NULL },

      ngx_null_command
};
151 | |
152 | |
/*
 * Mail module context: this module implements no protocol and keeps no
 * main configuration, only a per-server configuration created by
 * ngx_mail_ssl_create_conf() and merged by ngx_mail_ssl_merge_conf().
 */
static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
    NULL,                                  /* protocol */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_mail_ssl_create_conf,              /* create server configuration */
    ngx_mail_ssl_merge_conf                /* merge server configuration */
};
162 | |
163 | |
/*
 * Module descriptor.  There are no init/exit hooks; all work happens at
 * configuration time through ngx_mail_ssl_module_ctx and
 * ngx_mail_ssl_commands.
 */
ngx_module_t  ngx_mail_ssl_module = {
    NGX_MODULE_V1,
    &ngx_mail_ssl_module_ctx,              /* module context */
    ngx_mail_ssl_commands,                 /* module directives */
    NGX_MAIL_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
178 | |
179 | |
/* session id context handed to ngx_ssl_session_cache() by the merge handler */
static ngx_str_t  ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");
543 | 181 |
182 | |
/*
 * Allocates the per-server SSL configuration.
 *
 * Every field that the merge step distinguishes between "not set" and a
 * real value is primed with the matching NGX_CONF_UNSET* marker; the
 * remaining fields rely on ngx_pcalloc() zero-filling the structure.
 *
 * Returns the new ngx_mail_ssl_conf_t, or NULL when the pool allocation
 * fails.
 */
static void *
ngx_mail_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_mail_ssl_conf_t  *scf;

    scf = ngx_pcalloc(cf->pool, sizeof *scf);
    if (scf == NULL) {
        return NULL;
    }

    /*
     * zeroed by ngx_pcalloc() and left that way on purpose:
     *
     *     scf->protocols = 0;
     *     scf->certificate = { 0, NULL };
     *     scf->certificate_key = { 0, NULL };
     *     scf->dhparam = { 0, NULL };
     *     scf->ecdh_curve = { 0, NULL };
     *     scf->ciphers = { 0, NULL };
     *     scf->shm_zone = NULL;
     */

    /* flags and integers */
    scf->enable = NGX_CONF_UNSET;
    scf->prefer_server_ciphers = NGX_CONF_UNSET;
    scf->session_tickets = NGX_CONF_UNSET;
    scf->session_timeout = NGX_CONF_UNSET;
    scf->builtin_session_cache = NGX_CONF_UNSET;

    /* unsigned enum value */
    scf->starttls = NGX_CONF_UNSET_UINT;

    /* pointers (arrays filled by their directive handlers) */
    scf->passwords = NGX_CONF_UNSET_PTR;
    scf->session_ticket_keys = NGX_CONF_UNSET_PTR;

    return scf;
}
216 | |
217 | |
/*
 * Merges a server{} SSL configuration with the enclosing mail{} one and,
 * when a certificate is configured, builds the OpenSSL context for it.
 *
 * cf     - configuration context (pool and log)
 * parent - ngx_mail_ssl_conf_t of the enclosing mail{} block
 * child  - ngx_mail_ssl_conf_t of the server{} block being merged
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging at NGX_LOG_EMERG.
 * With neither "ssl" nor "starttls" and no "ssl_certificate" the function
 * returns early without creating a context.
 */
static char *
ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_mail_ssl_conf_t *prev = parent;
    ngx_mail_ssl_conf_t *conf = child;

    char                *mode;
    ngx_pool_cleanup_t  *cln;

    ngx_conf_merge_value(conf->enable, prev->enable, 0);
    ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
                              NGX_MAIL_STARTTLS_OFF);

    /* seconds */
    ngx_conf_merge_value(conf->session_timeout,
                         prev->session_timeout, 300);

    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /*
     * NOTE(review): the default protocol set still includes SSLv3;
     * SSLv2 is only enabled when named explicitly in "ssl_protocols".
     */
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

    ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");

    /* passwords loaded by ngx_mail_ssl_password_file(), NULL if none */
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

    ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                             NGX_DEFAULT_ECDH_CURVE);

    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);


    conf->ssl.log = cf->log;

    /* "mode" names the directive that makes a certificate mandatory;
     * it is only used in the diagnostics below */
    if (conf->enable) {
        mode = "ssl";

    } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
        mode = "starttls";

    } else {
        mode = "";
    }

    /*
     * a server{} that inherited "ssl"/"starttls" from mail{} has no
     * location of its own; take the parent's so the error messages below
     * never format a NULL file name (see the r5401 annotation)
     */
    if (conf->file == NULL) {
        conf->file = prev->file;
        conf->line = prev->line;
    }

    if (*mode) {

        if (conf->certificate.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate\" is defined for "
                          "the \"%s\" directive in %s:%ui",
                          mode, conf->file, conf->line);
            return NGX_CONF_ERROR;
        }

        if (conf->certificate_key.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate_key\" is defined for "
                          "the \"%s\" directive in %s:%ui",
                          mode, conf->file, conf->line);
            return NGX_CONF_ERROR;
        }

    } else {

        /* no TLS requested: a context is only built if a certificate
         * was given anyway, and then it must be complete */
        if (conf->certificate.len == 0) {
            return NGX_CONF_OK;
        }

        if (conf->certificate_key.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate_key\" is defined "
                          "for certificate \"%V\"",
                          &conf->certificate);
            return NGX_CONF_ERROR;
        }
    }

    if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /* release the SSL_CTX together with the configuration pool */
    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

    if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
                            &conf->certificate_key, conf->passwords)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /* an unparsable cipher list is a hard error rather than a silent fallback */
    if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
                                (const char *) conf->ciphers.data)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "SSL_CTX_set_cipher_list(\"%V\") failed",
                      &conf->ciphers);
        return NGX_CONF_ERROR;
    }

    if (conf->prefer_server_ciphers) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
    }

    /*
     * temporary 512-bit RSA key for export cipher suites, generated on
     * demand (see the r3959 annotation).  NOTE(review): this only matters
     * if "ssl_ciphers" admits export suites; the default
     * NGX_DEFAULT_CIPHERS list should not - confirm against the OpenSSL
     * version in use.
     */
    SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);

    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /* session cache: builtin setting and shared zone are inherited separately */
    ngx_conf_merge_value(conf->builtin_session_cache,
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

    if (conf->shm_zone == NULL) {
        conf->shm_zone = prev->shm_zone;
    }

    if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
                              conf->builtin_session_cache,
                              conf->shm_zone, conf->session_timeout)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /* session tickets are on by default; "ssl_session_tickets off" can
     * only take effect with an OpenSSL that defines SSL_OP_NO_TICKET */
    ngx_conf_merge_value(conf->session_tickets,
                         prev->session_tickets, 1);

#ifdef SSL_OP_NO_TICKET
    if (!conf->session_tickets) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
    }
#endif

    /* NULL keys: presumably OpenSSL's own ticket key is used then -
     * confirm in ngx_ssl_session_ticket_keys() */
    ngx_conf_merge_ptr_value(conf->session_ticket_keys,
                             prev->session_ticket_keys, NULL);

    if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}
563 | 382 |
577 | 383 |
/*
 * Handler for "ssl on|off".
 *
 * Delegates the flag parsing to ngx_conf_set_flag_slot(), rejects the
 * combination with an explicit "starttls on|only" in the same block and
 * records the directive's location for ngx_mail_ssl_merge_conf()'s
 * error messages.
 *
 * Returns NGX_CONF_OK, the parser's error string, or NGX_CONF_ERROR.
 */
static char *
ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    char                 *rc;
    ngx_mail_ssl_conf_t  *scf;

    scf = conf;

    rc = ngx_conf_set_flag_slot(cf, cmd, conf);
    if (rc != NGX_CONF_OK) {
        return rc;
    }

    /*
     * the cast makes an unset "starttls" (NGX_CONF_UNSET_UINT, all bits
     * set) compare below NGX_MAIL_STARTTLS_OFF, so only an explicit
     * "on"/"only" conflicts.  NOTE(review): the message is logged at
     * NGX_LOG_WARN although the configuration is rejected.
     */
    if (scf->enable) {
        if ((ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
            ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                               "\"starttls\" directive conflicts with \"ssl on\"");
            return NGX_CONF_ERROR;
        }
    }

    /* where the directive was seen, for merge-time diagnostics */
    scf->line = cf->conf_file->line;
    scf->file = cf->conf_file->file.name.data;

    return NGX_CONF_OK;
}
408 | |
409 | |
/*
 * Handler for "starttls off|on|only".
 *
 * Delegates the enum parsing to ngx_conf_set_enum_slot(), rejects the
 * combination with "ssl on" in the same block and records the directive's
 * location for ngx_mail_ssl_merge_conf()'s error messages.
 *
 * Returns NGX_CONF_OK, the parser's error string, or NGX_CONF_ERROR.
 */
static char *
ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    char                 *rc;
    ngx_mail_ssl_conf_t  *scf;

    scf = conf;

    rc = ngx_conf_set_enum_slot(cf, cmd, conf);
    if (rc != NGX_CONF_OK) {
        return rc;
    }

    /*
     * "ssl" may still be NGX_CONF_UNSET (-1) here, hence the comparison
     * with 1 rather than a truth test.  NOTE(review): logged at
     * NGX_LOG_WARN although the configuration is rejected.
     */
    if (scf->enable == 1) {
        if ((ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
            ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                               "\"ssl\" directive conflicts with \"starttls\"");
            return NGX_CONF_ERROR;
        }
    }

    /* where the directive was seen, for merge-time diagnostics */
    scf->line = cf->conf_file->line;
    scf->file = cf->conf_file->file.name.data;

    return NGX_CONF_OK;
}
434 | |
435 | |
/*
 * Handler for "ssl_password_file PATH".
 *
 * Loads the key passwords from PATH into scf->passwords; the array is
 * handed to ngx_ssl_certificate() by ngx_mail_ssl_merge_conf().  The
 * directive may appear at most once per block.
 *
 * NOTE(review): nothing in this module scrubs the loaded passwords;
 * check ngx_ssl_read_password_file() for how and when they are cleared.
 *
 * Returns NGX_CONF_OK, "is duplicate", or NGX_CONF_ERROR when the file
 * could not be read (the reader logs the reason).
 */
static char *
ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_str_t            *args;
    ngx_mail_ssl_conf_t  *scf;

    scf = conf;

    if (scf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    /* args[0] is the directive name, args[1] the file path */
    args = cf->args->elts;

    scf->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    return (scf->passwords == NULL) ? NGX_CONF_ERROR : NGX_CONF_OK;
}
457 |
458 |
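/*
 * Handler for "ssl_session_cache":
 *
 *     off | none | builtin | builtin:N | shared:NAME:SIZE
 *
 * One or two arguments are accepted (NGX_CONF_TAKE12), so a builtin
 * setting and a shared zone can be combined.  The builtin setting goes to
 * scf->builtin_session_cache, a shared zone to scf->shm_zone.
 *
 * Fix: "shared:NAME" without a ":SIZE" part (or with an empty one) used to
 * fall through to the size computation with j at or past the end of the
 * argument, so size.len wrapped around and ngx_parse_size() read outside
 * the argument.  Such arguments are now rejected as invalid.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging the bad argument.
 */
static char *
ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            /* "builtin:N": N is stored as the builtin cache setting */
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            scf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            /* "shared:NAME:SIZE": NAME runs up to the next ':' */
            len = 0;

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /*
             * reject an empty NAME, a missing ':' (j == value[i].len) and
             * an empty SIZE (j == value[i].len - 1); otherwise the size
             * computation below underflows
             */
            if (len == 0 || j + 1 >= value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            /* zones below eight pages are refused */
            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_mail_ssl_module);
            if (scf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            scf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    /* a shared zone given on its own disables the builtin cache */
    if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
        scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}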