Mercurial > hg > nginx-quic
annotate src/mail/ngx_mail_ssl_module.c @ 5396:42f874c0b970
Mail: added session close on smtp_greeting_delay violation.
A server MUST send greeting before other replies, while before this
change in case of smtp_greeting_delay violation the 220 greeting was
sent after several 503 replies to commands received before greeting,
resulting in protocol synchronization loss. Moreover, further commands
were accepted after the greeting.
While closing a connection isn't strictly RFC compliant (RFC 5321
requires servers to wait for a QUIT before closing a connection), it's
probably good enough for practial uses.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 30 Sep 2013 22:09:50 +0400 |
| parents | 0fbcfab0bfd7 |
| children | 09fc4598fc8e |
| rev | line source |
|---|---|
| 539 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
| 539 | 5 */ |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 1136 | 10 #include <ngx_mail.h> |
| 539 | 11 |
| 12 | |
| 3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
| 14 #define NGX_DEFAULT_ECDH_CURVE "prime256v1" | |
| 539 | 15 |
| 16 | |
| 1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
| 18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
| 2224 | 19 |
| 20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 21 void *conf); | |
| 22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 23 void *conf); | |
| 1136 | 24 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
| 976 | 25 void *conf); |
| 539 | 26 |
| 27 | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
28 static ngx_conf_enum_t ngx_mail_starttls_state[] = { |
| 1136 | 29 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF }, |
| 30 { ngx_string("on"), NGX_MAIL_STARTTLS_ON }, | |
| 31 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY }, | |
| 583 | 32 { ngx_null_string, 0 } |
| 33 }; | |
| 34 | |
| 35 | |
| 36 | |
| 1136 | 37 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = { |
| 547 | 38 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 39 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 40 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
41 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
42 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
| 547 | 43 { ngx_null_string, 0 } |
| 44 }; | |
| 45 | |
| 46 | |
| 1136 | 47 static ngx_command_t ngx_mail_ssl_commands[] = { |
| 539 | 48 |
| 49 { ngx_string("ssl"), | |
| 1136 | 50 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 2224 | 51 ngx_mail_ssl_enable, |
| 1136 | 52 NGX_MAIL_SRV_CONF_OFFSET, |
| 53 offsetof(ngx_mail_ssl_conf_t, enable), | |
| 539 | 54 NULL }, |
| 55 | |
| 583 | 56 { ngx_string("starttls"), |
| 1136 | 57 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 2224 | 58 ngx_mail_ssl_starttls, |
| 1136 | 59 NGX_MAIL_SRV_CONF_OFFSET, |
| 60 offsetof(ngx_mail_ssl_conf_t, starttls), | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
61 ngx_mail_starttls_state }, |
| 583 | 62 |
| 539 | 63 { ngx_string("ssl_certificate"), |
| 1136 | 64 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 65 ngx_conf_set_str_slot, |
| 1136 | 66 NGX_MAIL_SRV_CONF_OFFSET, |
| 67 offsetof(ngx_mail_ssl_conf_t, certificate), | |
| 539 | 68 NULL }, |
| 69 | |
| 70 { ngx_string("ssl_certificate_key"), | |
| 1136 | 71 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 72 ngx_conf_set_str_slot, |
| 1136 | 73 NGX_MAIL_SRV_CONF_OFFSET, |
| 74 offsetof(ngx_mail_ssl_conf_t, certificate_key), | |
| 539 | 75 NULL }, |
| 76 | |
| 2044 | 77 { ngx_string("ssl_dhparam"), |
| 78 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 79 ngx_conf_set_str_slot, | |
| 80 NGX_MAIL_SRV_CONF_OFFSET, | |
| 81 offsetof(ngx_mail_ssl_conf_t, dhparam), | |
| 82 NULL }, | |
| 83 | |
| 3960 | 84 { ngx_string("ssl_ecdh_curve"), |
| 85 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 86 ngx_conf_set_str_slot, | |
| 87 NGX_MAIL_SRV_CONF_OFFSET, | |
| 88 offsetof(ngx_mail_ssl_conf_t, ecdh_curve), | |
| 89 NULL }, | |
| 90 | |
| 547 | 91 { ngx_string("ssl_protocols"), |
| 1136 | 92 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, |
| 547 | 93 ngx_conf_set_bitmask_slot, |
| 1136 | 94 NGX_MAIL_SRV_CONF_OFFSET, |
| 95 offsetof(ngx_mail_ssl_conf_t, protocols), | |
| 96 &ngx_mail_ssl_protocols }, | |
| 547 | 97 |
| 539 | 98 { ngx_string("ssl_ciphers"), |
| 1136 | 99 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 100 ngx_conf_set_str_slot, |
| 1136 | 101 NGX_MAIL_SRV_CONF_OFFSET, |
| 102 offsetof(ngx_mail_ssl_conf_t, ciphers), | |
| 539 | 103 NULL }, |
| 104 | |
| 547 | 105 { ngx_string("ssl_prefer_server_ciphers"), |
| 1136 | 106 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 547 | 107 ngx_conf_set_flag_slot, |
| 1136 | 108 NGX_MAIL_SRV_CONF_OFFSET, |
| 109 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers), | |
| 547 | 110 NULL }, |
| 563 | 111 |
| 976 | 112 { ngx_string("ssl_session_cache"), |
| 1136 | 113 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
| 114 ngx_mail_ssl_session_cache, | |
| 115 NGX_MAIL_SRV_CONF_OFFSET, | |
| 976 | 116 0, |
| 117 NULL }, | |
| 118 | |
| 573 | 119 { ngx_string("ssl_session_timeout"), |
| 1136 | 120 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 573 | 121 ngx_conf_set_sec_slot, |
| 1136 | 122 NGX_MAIL_SRV_CONF_OFFSET, |
| 123 offsetof(ngx_mail_ssl_conf_t, session_timeout), | |
| 573 | 124 NULL }, |
| 547 | 125 |
| 539 | 126 ngx_null_command |
| 127 }; | |
| 128 | |
| 129 | |
| 1136 | 130 static ngx_mail_module_t ngx_mail_ssl_module_ctx = { |
|
1487
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
131 NULL, /* protocol */ |
|
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
132 |
| 539 | 133 NULL, /* create main configuration */ |
| 134 NULL, /* init main configuration */ | |
| 135 | |
| 1136 | 136 ngx_mail_ssl_create_conf, /* create server configuration */ |
| 137 ngx_mail_ssl_merge_conf /* merge server configuration */ | |
| 539 | 138 }; |
| 139 | |
| 140 | |
| 1136 | 141 ngx_module_t ngx_mail_ssl_module = { |
| 539 | 142 NGX_MODULE_V1, |
| 1136 | 143 &ngx_mail_ssl_module_ctx, /* module context */ |
| 144 ngx_mail_ssl_commands, /* module directives */ | |
| 145 NGX_MAIL_MODULE, /* module type */ | |
| 541 | 146 NULL, /* init master */ |
| 539 | 147 NULL, /* init module */ |
| 541 | 148 NULL, /* init process */ |
| 149 NULL, /* init thread */ | |
| 150 NULL, /* exit thread */ | |
| 151 NULL, /* exit process */ | |
| 152 NULL, /* exit master */ | |
| 153 NGX_MODULE_V1_PADDING | |
| 539 | 154 }; |
| 155 | |
| 156 | |
| 1136 | 157 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL"); |
| 543 | 158 |
| 159 | |
| 539 | 160 static void * |
| 1136 | 161 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
| 577 | 162 { |
| 1136 | 163 ngx_mail_ssl_conf_t *scf; |
| 577 | 164 |
| 1136 | 165 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
| 539 | 166 if (scf == NULL) { |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
167 return NULL; |
| 539 | 168 } |
| 169 | |
| 170 /* | |
| 577 | 171 * set by ngx_pcalloc(): |
| 539 | 172 * |
| 547 | 173 * scf->protocols = 0; |
| 2044 | 174 * scf->certificate = { 0, NULL }; |
| 175 * scf->certificate_key = { 0, NULL }; | |
| 176 * scf->dhparam = { 0, NULL }; | |
| 3960 | 177 * scf->ecdh_curve = { 0, NULL }; |
|
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
178 * scf->ciphers = { 0, NULL }; |
| 976 | 179 * scf->shm_zone = NULL; |
| 539 | 180 */ |
| 181 | |
| 182 scf->enable = NGX_CONF_UNSET; | |
| 2759 | 183 scf->starttls = NGX_CONF_UNSET_UINT; |
| 976 | 184 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
| 185 scf->builtin_session_cache = NGX_CONF_UNSET; | |
| 573 | 186 scf->session_timeout = NGX_CONF_UNSET; |
| 539 | 187 |
| 188 return scf; | |
| 189 } | |
| 190 | |
| 191 | |
| 192 static char * | |
| 1136 | 193 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
| 539 | 194 { |
| 1136 | 195 ngx_mail_ssl_conf_t *prev = parent; |
| 196 ngx_mail_ssl_conf_t *conf = child; | |
| 539 | 197 |
| 2224 | 198 char *mode; |
| 563 | 199 ngx_pool_cleanup_t *cln; |
| 200 | |
| 539 | 201 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
| 2224 | 202 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
| 203 NGX_MAIL_STARTTLS_OFF); | |
| 539 | 204 |
| 573 | 205 ngx_conf_merge_value(conf->session_timeout, |
| 206 prev->session_timeout, 300); | |
| 207 | |
| 547 | 208 ngx_conf_merge_value(conf->prefer_server_ciphers, |
| 209 prev->prefer_server_ciphers, 0); | |
| 210 | |
| 211 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
212 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
213 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 547 | 214 |
| 2224 | 215 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
| 216 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
| 539 | 217 |
| 2044 | 218 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
| 219 | |
| 3960 | 220 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 221 NGX_DEFAULT_ECDH_CURVE); | |
| 222 | |
| 2124 | 223 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 539 | 224 |
| 225 | |
| 547 | 226 conf->ssl.log = cf->log; |
| 539 | 227 |
| 2224 | 228 if (conf->enable) { |
| 229 mode = "ssl"; | |
| 230 | |
| 231 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
| 232 mode = "starttls"; | |
| 233 | |
| 234 } else { | |
| 235 mode = ""; | |
| 236 } | |
| 237 | |
| 238 if (*mode) { | |
| 239 | |
| 240 if (conf->certificate.len == 0) { | |
| 241 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 242 "no \"ssl_certificate\" is defined for " | |
| 243 "the \"%s\" directive in %s:%ui", | |
| 244 mode, conf->file, conf->line); | |
| 245 return NGX_CONF_ERROR; | |
| 246 } | |
| 247 | |
| 248 if (conf->certificate_key.len == 0) { | |
| 249 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 250 "no \"ssl_certificate_key\" is defined for " | |
| 251 "the \"%s\" directive in %s:%ui", | |
| 252 mode, conf->file, conf->line); | |
| 253 return NGX_CONF_ERROR; | |
| 254 } | |
| 255 | |
| 256 } else { | |
| 257 | |
| 258 if (conf->certificate.len == 0) { | |
| 259 return NGX_CONF_OK; | |
| 260 } | |
| 261 | |
| 262 if (conf->certificate_key.len == 0) { | |
| 263 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 264 "no \"ssl_certificate_key\" is defined " | |
| 265 "for certificate \"%V\"", | |
| 266 &conf->certificate); | |
| 267 return NGX_CONF_ERROR; | |
| 268 } | |
| 269 } | |
| 270 | |
| 969 | 271 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 539 | 272 return NGX_CONF_ERROR; |
| 273 } | |
| 274 | |
| 563 | 275 cln = ngx_pool_cleanup_add(cf->pool, 0); |
| 276 if (cln == NULL) { | |
| 539 | 277 return NGX_CONF_ERROR; |
| 278 } | |
| 279 | |
| 563 | 280 cln->handler = ngx_ssl_cleanup_ctx; |
| 281 cln->data = &conf->ssl; | |
| 282 | |
| 283 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
| 284 &conf->certificate_key) | |
| 285 != NGX_OK) | |
| 547 | 286 { |
| 287 return NGX_CONF_ERROR; | |
| 288 } | |
| 539 | 289 |
|
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
290 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
291 (const char *) conf->ciphers.data) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
292 == 0) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
293 { |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
294 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
295 "SSL_CTX_set_cipher_list(\"%V\") failed", |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
296 &conf->ciphers); |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
297 return NGX_CONF_ERROR; |
| 539 | 298 } |
| 299 | |
| 563 | 300 if (conf->prefer_server_ciphers) { |
| 301 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
| 302 } | |
| 303 | |
|
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3938
diff
changeset
|
304 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
| 539 | 305 |
| 2044 | 306 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 307 return NGX_CONF_ERROR; | |
| 308 } | |
| 309 | |
|
5219
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
310 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
311 return NGX_CONF_ERROR; |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
312 } |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
313 |
| 976 | 314 ngx_conf_merge_value(conf->builtin_session_cache, |
| 2032 | 315 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
| 976 | 316 |
| 317 if (conf->shm_zone == NULL) { | |
| 318 conf->shm_zone = prev->shm_zone; | |
| 319 } | |
| 539 | 320 |
| 1136 | 321 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
| 976 | 322 conf->builtin_session_cache, |
| 323 conf->shm_zone, conf->session_timeout) | |
| 324 != NGX_OK) | |
| 325 { | |
| 326 return NGX_CONF_ERROR; | |
| 327 } | |
| 573 | 328 |
| 539 | 329 return NGX_CONF_OK; |
| 330 } | |
| 563 | 331 |
| 577 | 332 |
| 976 | 333 static char * |
| 2224 | 334 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 335 { | |
| 336 ngx_mail_ssl_conf_t *scf = conf; | |
| 337 | |
| 338 char *rv; | |
| 339 | |
| 340 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
| 341 | |
| 342 if (rv != NGX_CONF_OK) { | |
| 343 return rv; | |
| 344 } | |
| 345 | |
| 346 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 347 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 348 "\"starttls\" directive conflicts with \"ssl on\""); | |
| 349 return NGX_CONF_ERROR; | |
| 350 } | |
| 351 | |
| 352 scf->file = cf->conf_file->file.name.data; | |
| 353 scf->line = cf->conf_file->line; | |
| 354 | |
| 355 return NGX_CONF_OK; | |
| 356 } | |
| 357 | |
| 358 | |
| 359 static char * | |
| 360 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 361 { | |
| 362 ngx_mail_ssl_conf_t *scf = conf; | |
| 363 | |
| 364 char *rv; | |
| 365 | |
| 366 rv = ngx_conf_set_enum_slot(cf, cmd, conf); | |
| 367 | |
| 368 if (rv != NGX_CONF_OK) { | |
| 369 return rv; | |
| 370 } | |
| 371 | |
| 372 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 373 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 374 "\"ssl\" directive conflicts with \"starttls\""); | |
| 375 return NGX_CONF_ERROR; | |
| 376 } | |
| 377 | |
| 378 scf->file = cf->conf_file->file.name.data; | |
| 379 scf->line = cf->conf_file->line; | |
| 380 | |
| 381 return NGX_CONF_OK; | |
| 382 } | |
| 383 | |
| 384 | |
| 385 static char * | |
| 1136 | 386 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 976 | 387 { |
| 1136 | 388 ngx_mail_ssl_conf_t *scf = conf; |
| 976 | 389 |
| 390 size_t len; | |
| 391 ngx_str_t *value, name, size; | |
| 392 ngx_int_t n; | |
| 393 ngx_uint_t i, j; | |
| 394 | |
| 395 value = cf->args->elts; | |
| 396 | |
| 397 for (i = 1; i < cf->args->nelts; i++) { | |
| 398 | |
| 1778 | 399 if (ngx_strcmp(value[i].data, "off") == 0) { |
| 400 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 401 continue; | |
| 402 } | |
| 403 | |
| 2032 | 404 if (ngx_strcmp(value[i].data, "none") == 0) { |
| 405 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 406 continue; | |
| 407 } | |
| 408 | |
| 976 | 409 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
| 410 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 411 continue; | |
| 412 } | |
| 413 | |
| 414 if (value[i].len > sizeof("builtin:") - 1 | |
| 415 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 416 == 0) | |
| 417 { | |
| 418 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 419 value[i].len - (sizeof("builtin:") - 1)); | |
| 420 | |
| 421 if (n == NGX_ERROR) { | |
| 422 goto invalid; | |
| 423 } | |
| 424 | |
| 425 scf->builtin_session_cache = n; | |
| 426 | |
| 427 continue; | |
| 428 } | |
| 429 | |
| 430 if (value[i].len > sizeof("shared:") - 1 | |
| 431 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 432 == 0) | |
| 433 { | |
| 434 len = 0; | |
| 435 | |
| 436 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 437 if (value[i].data[j] == ':') { | |
| 438 break; | |
| 439 } | |
| 440 | |
| 441 len++; | |
| 442 } | |
| 443 | |
| 444 if (len == 0) { | |
| 445 goto invalid; | |
| 446 } | |
| 447 | |
| 448 name.len = len; | |
| 449 name.data = value[i].data + sizeof("shared:") - 1; | |
| 450 | |
| 451 size.len = value[i].len - j - 1; | |
| 452 size.data = name.data + len + 1; | |
| 453 | |
| 454 n = ngx_parse_size(&size); | |
| 455 | |
| 456 if (n == NGX_ERROR) { | |
| 457 goto invalid; | |
| 458 } | |
| 459 | |
| 460 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 461 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 462 "session cache \"%V\" is too small", | |
| 463 &value[i]); | |
| 464 | |
| 465 return NGX_CONF_ERROR; | |
| 466 } | |
| 467 | |
| 468 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 1136 | 469 &ngx_mail_ssl_module); |
| 976 | 470 if (scf->shm_zone == NULL) { |
| 471 return NGX_CONF_ERROR; | |
| 472 } | |
| 473 | |
|
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
474 scf->shm_zone->init = ngx_ssl_session_cache_init; |
|
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
475 |
| 976 | 476 continue; |
| 477 } | |
| 478 | |
| 479 goto invalid; | |
| 480 } | |
| 481 | |
| 482 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 483 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 484 } | |
| 485 | |
| 486 return NGX_CONF_OK; | |
| 487 | |
| 488 invalid: | |
| 489 | |
| 490 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 491 "invalid session cache \"%V\"", &value[i]); | |
| 492 | |
| 493 return NGX_CONF_ERROR; | |
| 494 } |