Mercurial > hg > nginx-quic
annotate src/stream/ngx_stream_ssl_module.c @ 7162:8b84d60ef13d
Fixed "changing binary" when reaper is not init.
On some systems, it's possible that reaper of orphaned processes is
set to something other than "init" process. On such systems, the
changing binary procedure did not work.
The fix is to check if PPID has changed, instead of assuming it's
always 1 for orphaned processes.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Tue, 28 Nov 2017 12:00:24 +0300 |
| parents | 82f0b8dcca27 |
| children | 9d14931cec8c |
| rev | line source |
|---|---|
| 6115 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4 * Copyright (C) Nginx, Inc. | |
| 5 */ | |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 10 #include <ngx_stream.h> | |
| 11 | |
| 12 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
14 ngx_pool_t *pool, ngx_str_t *s); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
15 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
16 |
| 6115 | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
18 #define NGX_DEFAULT_ECDH_CURVE "auto" |
| 6115 | 19 |
| 20 | |
| 6693 | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
| 22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | |
| 23 ngx_connection_t *c); | |
| 24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
25 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
26 ngx_stream_variable_value_t *v, uintptr_t data); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
27 static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
28 ngx_stream_variable_value_t *v, uintptr_t data); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
29 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
30 static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf); |
| 6115 | 31 static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf); |
| 32 static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, | |
| 33 void *child); | |
| 34 | |
| 35 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 36 void *conf); | |
| 37 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 38 void *conf); | |
| 6693 | 39 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf); |
| 6115 | 40 |
| 41 | |
| 42 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = { | |
| 43 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
| 44 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 45 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
| 46 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
| 47 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
|
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6871
diff
changeset
|
48 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 }, |
| 6115 | 49 { ngx_null_string, 0 } |
| 50 }; | |
| 51 | |
| 52 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
53 static ngx_conf_enum_t ngx_stream_ssl_verify[] = { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
54 { ngx_string("off"), 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
55 { ngx_string("on"), 1 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
56 { ngx_string("optional"), 2 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
57 { ngx_string("optional_no_ca"), 3 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
58 { ngx_null_string, 0 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
59 }; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
60 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
61 |
| 6115 | 62 static ngx_command_t ngx_stream_ssl_commands[] = { |
| 63 | |
| 64 { ngx_string("ssl_handshake_timeout"), | |
| 65 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 66 ngx_conf_set_msec_slot, | |
| 67 NGX_STREAM_SRV_CONF_OFFSET, | |
| 68 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), | |
| 69 NULL }, | |
| 70 | |
| 71 { ngx_string("ssl_certificate"), | |
| 72 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
73 ngx_conf_set_str_array_slot, |
| 6115 | 74 NGX_STREAM_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
75 offsetof(ngx_stream_ssl_conf_t, certificates), |
| 6115 | 76 NULL }, |
| 77 | |
| 78 { ngx_string("ssl_certificate_key"), | |
| 79 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
80 ngx_conf_set_str_array_slot, |
| 6115 | 81 NGX_STREAM_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
82 offsetof(ngx_stream_ssl_conf_t, certificate_keys), |
| 6115 | 83 NULL }, |
| 84 | |
| 85 { ngx_string("ssl_password_file"), | |
| 86 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 87 ngx_stream_ssl_password_file, | |
| 88 NGX_STREAM_SRV_CONF_OFFSET, | |
| 89 0, | |
| 90 NULL }, | |
| 91 | |
| 92 { ngx_string("ssl_dhparam"), | |
| 93 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 94 ngx_conf_set_str_slot, | |
| 95 NGX_STREAM_SRV_CONF_OFFSET, | |
| 96 offsetof(ngx_stream_ssl_conf_t, dhparam), | |
| 97 NULL }, | |
| 98 | |
| 99 { ngx_string("ssl_ecdh_curve"), | |
| 100 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 101 ngx_conf_set_str_slot, | |
| 102 NGX_STREAM_SRV_CONF_OFFSET, | |
| 103 offsetof(ngx_stream_ssl_conf_t, ecdh_curve), | |
| 104 NULL }, | |
| 105 | |
| 106 { ngx_string("ssl_protocols"), | |
| 107 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, | |
| 108 ngx_conf_set_bitmask_slot, | |
| 109 NGX_STREAM_SRV_CONF_OFFSET, | |
| 110 offsetof(ngx_stream_ssl_conf_t, protocols), | |
| 111 &ngx_stream_ssl_protocols }, | |
| 112 | |
| 113 { ngx_string("ssl_ciphers"), | |
| 114 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 115 ngx_conf_set_str_slot, | |
| 116 NGX_STREAM_SRV_CONF_OFFSET, | |
| 117 offsetof(ngx_stream_ssl_conf_t, ciphers), | |
| 118 NULL }, | |
| 119 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
120 { ngx_string("ssl_verify_client"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
121 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
122 ngx_conf_set_enum_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
123 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
124 offsetof(ngx_stream_ssl_conf_t, verify), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
125 &ngx_stream_ssl_verify }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
126 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
127 { ngx_string("ssl_verify_depth"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
128 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
129 ngx_conf_set_num_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
130 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
131 offsetof(ngx_stream_ssl_conf_t, verify_depth), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
132 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
133 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
134 { ngx_string("ssl_client_certificate"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
135 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
136 ngx_conf_set_str_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
137 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
138 offsetof(ngx_stream_ssl_conf_t, client_certificate), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
139 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
140 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
141 { ngx_string("ssl_trusted_certificate"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
142 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
143 ngx_conf_set_str_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
144 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
145 offsetof(ngx_stream_ssl_conf_t, trusted_certificate), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
146 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
147 |
| 6115 | 148 { ngx_string("ssl_prefer_server_ciphers"), |
| 149 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
| 150 ngx_conf_set_flag_slot, | |
| 151 NGX_STREAM_SRV_CONF_OFFSET, | |
| 152 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers), | |
| 153 NULL }, | |
| 154 | |
| 155 { ngx_string("ssl_session_cache"), | |
| 156 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12, | |
| 157 ngx_stream_ssl_session_cache, | |
| 158 NGX_STREAM_SRV_CONF_OFFSET, | |
| 159 0, | |
| 160 NULL }, | |
| 161 | |
| 162 { ngx_string("ssl_session_tickets"), | |
| 163 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
| 164 ngx_conf_set_flag_slot, | |
| 165 NGX_STREAM_SRV_CONF_OFFSET, | |
| 166 offsetof(ngx_stream_ssl_conf_t, session_tickets), | |
| 167 NULL }, | |
| 168 | |
| 169 { ngx_string("ssl_session_ticket_key"), | |
| 170 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 171 ngx_conf_set_str_array_slot, | |
| 172 NGX_STREAM_SRV_CONF_OFFSET, | |
| 173 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys), | |
| 174 NULL }, | |
| 175 | |
| 176 { ngx_string("ssl_session_timeout"), | |
| 177 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 178 ngx_conf_set_sec_slot, | |
| 179 NGX_STREAM_SRV_CONF_OFFSET, | |
| 180 offsetof(ngx_stream_ssl_conf_t, session_timeout), | |
| 181 NULL }, | |
| 182 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
183 { ngx_string("ssl_crl"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
184 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
185 ngx_conf_set_str_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
186 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
187 offsetof(ngx_stream_ssl_conf_t, crl), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
188 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
189 |
| 6115 | 190 ngx_null_command |
| 191 }; | |
| 192 | |
| 193 | |
| 194 static ngx_stream_module_t ngx_stream_ssl_module_ctx = { | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
195 ngx_stream_ssl_add_variables, /* preconfiguration */ |
| 6693 | 196 ngx_stream_ssl_init, /* postconfiguration */ |
|
6174
68c106e6fa0a
Stream: added postconfiguration method to stream modules.
Vladimir Homutov <vl@nginx.com>
parents:
6157
diff
changeset
|
197 |
| 6115 | 198 NULL, /* create main configuration */ |
| 199 NULL, /* init main configuration */ | |
| 200 | |
| 201 ngx_stream_ssl_create_conf, /* create server configuration */ | |
| 202 ngx_stream_ssl_merge_conf /* merge server configuration */ | |
| 203 }; | |
| 204 | |
| 205 | |
| 206 ngx_module_t ngx_stream_ssl_module = { | |
| 207 NGX_MODULE_V1, | |
| 208 &ngx_stream_ssl_module_ctx, /* module context */ | |
| 209 ngx_stream_ssl_commands, /* module directives */ | |
| 210 NGX_STREAM_MODULE, /* module type */ | |
| 211 NULL, /* init master */ | |
| 212 NULL, /* init module */ | |
| 213 NULL, /* init process */ | |
| 214 NULL, /* init thread */ | |
| 215 NULL, /* exit thread */ | |
| 216 NULL, /* exit process */ | |
| 217 NULL, /* exit master */ | |
| 218 NGX_MODULE_V1_PADDING | |
| 219 }; | |
| 220 | |
| 221 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
222 static ngx_stream_variable_t ngx_stream_ssl_vars[] = { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
223 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
224 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
225 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
226 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
227 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
228 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
229 |
|
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
230 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable, |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
231 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
232 |
|
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
233 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable, |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
234 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
235 |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
236 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
237 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
238 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
239 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
240 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
241 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
242 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
243 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
244 |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
245 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
246 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
247 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
248 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
249 (uintptr_t) ngx_ssl_get_raw_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
250 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
251 |
|
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
252 { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable, |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
253 (uintptr_t) ngx_ssl_get_escaped_certificate, |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
254 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
255 |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
256 { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
257 (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
258 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
259 { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
260 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
261 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
262 { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
263 (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
264 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
265 { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
266 (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
267 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
268 { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
269 (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
270 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
271 { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
272 (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
273 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
274 { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
275 (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
276 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
277 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
278 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
279 |
|
7077
2a288909abc6
Variables: macros for null variables.
Ruslan Ermilov <ru@nginx.com>
parents:
7009
diff
changeset
|
280 ngx_stream_null_variable |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
281 }; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
282 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
283 |
| 6115 | 284 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM"); |
| 285 | |
| 286 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
287 static ngx_int_t |
| 6693 | 288 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
| 289 { | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
290 long rc; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
291 X509 *cert; |
|
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
292 ngx_int_t rv; |
| 6693 | 293 ngx_connection_t *c; |
| 294 ngx_stream_ssl_conf_t *sslcf; | |
| 295 | |
|
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
296 if (!s->ssl) { |
|
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
297 return NGX_OK; |
|
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
298 } |
|
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
299 |
| 6693 | 300 c = s->connection; |
| 301 | |
| 302 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
| 303 | |
|
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
304 if (c->ssl == NULL) { |
| 6693 | 305 c->log->action = "SSL handshaking"; |
| 306 | |
| 307 if (sslcf->ssl.ctx == NULL) { | |
| 308 ngx_log_error(NGX_LOG_ERR, c->log, 0, | |
| 309 "no \"ssl_certificate\" is defined " | |
| 310 "in server listening on SSL port"); | |
| 311 return NGX_ERROR; | |
| 312 } | |
| 313 | |
|
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
314 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
315 |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
316 if (rv != NGX_OK) { |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
317 return rv; |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
318 } |
| 6693 | 319 } |
| 320 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
321 if (sslcf->verify) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
322 rc = SSL_get_verify_result(c->ssl->connection); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
323 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
324 if (rc != X509_V_OK |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
325 && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
326 { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
327 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
328 "client SSL certificate verify error: (%l:%s)", |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
329 rc, X509_verify_cert_error_string(rc)); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
330 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
331 ngx_ssl_remove_cached_session(sslcf->ssl.ctx, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
332 (SSL_get0_session(c->ssl->connection))); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
333 return NGX_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
334 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
335 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
336 if (sslcf->verify == 1) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
337 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
338 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
339 if (cert == NULL) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
340 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
341 "client sent no required SSL certificate"); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
342 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
343 ngx_ssl_remove_cached_session(sslcf->ssl.ctx, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
344 (SSL_get0_session(c->ssl->connection))); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
345 return NGX_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
346 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
347 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
348 X509_free(cert); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
349 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
350 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
351 |
| 6693 | 352 return NGX_OK; |
| 353 } | |
| 354 | |
| 355 | |
| 356 static ngx_int_t | |
| 357 ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c) | |
| 358 { | |
|
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
359 ngx_int_t rc; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
360 ngx_stream_session_t *s; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
361 ngx_stream_ssl_conf_t *sslcf; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
362 ngx_stream_core_srv_conf_t *cscf; |
| 6693 | 363 |
| 364 s = c->data; | |
| 365 | |
|
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
366 cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module); |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
367 |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
368 if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) { |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
369 return NGX_ERROR; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
370 } |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
371 |
|
7009
03444167a3bb
Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7008
diff
changeset
|
372 if (ngx_ssl_create_connection(ssl, c, 0) != NGX_OK) { |
| 6693 | 373 return NGX_ERROR; |
| 374 } | |
| 375 | |
| 376 rc = ngx_ssl_handshake(c); | |
| 377 | |
| 378 if (rc == NGX_ERROR) { | |
| 379 return NGX_ERROR; | |
| 380 } | |
| 381 | |
| 382 if (rc == NGX_AGAIN) { | |
| 383 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
| 384 | |
| 385 ngx_add_timer(c->read, sslcf->handshake_timeout); | |
| 386 | |
| 387 c->ssl->handler = ngx_stream_ssl_handshake_handler; | |
| 388 | |
| 389 return NGX_AGAIN; | |
| 390 } | |
| 391 | |
| 392 /* rc == NGX_OK */ | |
| 393 | |
| 394 return NGX_OK; | |
| 395 } | |
| 396 | |
| 397 | |
| 398 static void | |
| 399 ngx_stream_ssl_handshake_handler(ngx_connection_t *c) | |
| 400 { | |
| 401 ngx_stream_session_t *s; | |
| 402 | |
| 403 s = c->data; | |
| 404 | |
| 405 if (!c->ssl->handshaked) { | |
| 406 ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | |
| 407 return; | |
| 408 } | |
| 409 | |
| 410 if (c->read->timer_set) { | |
| 411 ngx_del_timer(c->read); | |
| 412 } | |
| 413 | |
| 414 ngx_stream_core_run_phases(s); | |
| 415 } | |
| 416 | |
| 417 | |
| 418 static ngx_int_t | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
419 ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
420 ngx_stream_variable_value_t *v, uintptr_t data) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
421 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
422 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
423 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
424 size_t len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
425 ngx_str_t str; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
426 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
427 if (s->connection->ssl) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
428 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
429 (void) handler(s->connection, NULL, &str); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
430 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
431 v->data = str.data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
432 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
433 for (len = 0; v->data[len]; len++) { /* void */ } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
434 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
435 v->len = len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
436 v->valid = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
437 v->no_cacheable = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
438 v->not_found = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
439 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
440 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
441 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
442 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
443 v->not_found = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
444 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
445 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
446 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
447 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
448 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
449 static ngx_int_t |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
450 ngx_stream_ssl_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
451 ngx_stream_variable_value_t *v, uintptr_t data) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
452 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
453 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
454 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
455 ngx_str_t str; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
456 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
457 if (s->connection->ssl) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
458 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
459 if (handler(s->connection, s->connection->pool, &str) != NGX_OK) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
460 return NGX_ERROR; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
461 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
462 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
463 v->len = str.len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
464 v->data = str.data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
465 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
466 if (v->len) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
467 v->valid = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
468 v->no_cacheable = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
469 v->not_found = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
470 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
471 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
472 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
473 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
474 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
475 v->not_found = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
476 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
477 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
478 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
479 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
480 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
481 static ngx_int_t |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
482 ngx_stream_ssl_add_variables(ngx_conf_t *cf) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
483 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
484 ngx_stream_variable_t *var, *v; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
485 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
486 for (v = ngx_stream_ssl_vars; v->name.len; v++) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
487 var = ngx_stream_add_variable(cf, &v->name, v->flags); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
488 if (var == NULL) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
489 return NGX_ERROR; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
490 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
491 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
492 var->get_handler = v->get_handler; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
493 var->data = v->data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
494 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
495 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
496 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
497 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
498 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
499 |
| 6115 | 500 static void * |
| 501 ngx_stream_ssl_create_conf(ngx_conf_t *cf) | |
| 502 { | |
| 503 ngx_stream_ssl_conf_t *scf; | |
| 504 | |
| 505 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t)); | |
| 506 if (scf == NULL) { | |
| 507 return NULL; | |
| 508 } | |
| 509 | |
| 510 /* | |
| 511 * set by ngx_pcalloc(): | |
| 512 * | |
| 513 * scf->protocols = 0; | |
| 514 * scf->dhparam = { 0, NULL }; | |
| 515 * scf->ecdh_curve = { 0, NULL }; | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
516 * scf->client_certificate = { 0, NULL }; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
517 * scf->trusted_certificate = { 0, NULL }; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
518 * scf->crl = { 0, NULL }; |
| 6115 | 519 * scf->ciphers = { 0, NULL }; |
| 520 * scf->shm_zone = NULL; | |
| 521 */ | |
| 522 | |
| 523 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
524 scf->certificates = NGX_CONF_UNSET_PTR; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
525 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
| 6115 | 526 scf->passwords = NGX_CONF_UNSET_PTR; |
| 527 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
528 scf->verify = NGX_CONF_UNSET_UINT; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
529 scf->verify_depth = NGX_CONF_UNSET_UINT; |
| 6115 | 530 scf->builtin_session_cache = NGX_CONF_UNSET; |
| 531 scf->session_timeout = NGX_CONF_UNSET; | |
| 532 scf->session_tickets = NGX_CONF_UNSET; | |
| 533 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; | |
| 534 | |
| 535 return scf; | |
| 536 } | |
| 537 | |
| 538 | |
| 539 static char * | |
| 540 ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
| 541 { | |
| 542 ngx_stream_ssl_conf_t *prev = parent; | |
| 543 ngx_stream_ssl_conf_t *conf = child; | |
| 544 | |
| 545 ngx_pool_cleanup_t *cln; | |
| 546 | |
| 547 ngx_conf_merge_msec_value(conf->handshake_timeout, | |
| 548 prev->handshake_timeout, 60000); | |
| 549 | |
| 550 ngx_conf_merge_value(conf->session_timeout, | |
| 551 prev->session_timeout, 300); | |
| 552 | |
| 553 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
| 554 prev->prefer_server_ciphers, 0); | |
| 555 | |
| 556 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6115
diff
changeset
|
557 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
| 6115 | 558 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 559 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
560 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
561 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
562 |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
563 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
564 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
565 NULL); |
| 6115 | 566 |
| 567 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | |
| 568 | |
| 569 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | |
| 570 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
571 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
572 ""); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
573 ngx_conf_merge_str_value(conf->trusted_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
574 prev->trusted_certificate, ""); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
575 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
576 |
| 6115 | 577 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 578 NGX_DEFAULT_ECDH_CURVE); | |
| 579 | |
| 580 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | |
| 581 | |
| 582 | |
| 583 conf->ssl.log = cf->log; | |
| 584 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
585 if (conf->certificates == NULL) { |
| 6115 | 586 return NGX_CONF_OK; |
| 587 } | |
| 588 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
589 if (conf->certificate_keys == NULL |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
590 || conf->certificate_keys->nelts < conf->certificates->nelts) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
591 { |
| 6115 | 592 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 593 "no \"ssl_certificate_key\" is defined " | |
| 594 "for certificate \"%V\"", | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
595 ((ngx_str_t *) conf->certificates->elts) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
596 + conf->certificates->nelts - 1); |
| 6115 | 597 return NGX_CONF_ERROR; |
| 598 } | |
| 599 | |
| 600 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | |
| 601 return NGX_CONF_ERROR; | |
| 602 } | |
| 603 | |
| 604 cln = ngx_pool_cleanup_add(cf->pool, 0); | |
| 605 if (cln == NULL) { | |
| 606 return NGX_CONF_ERROR; | |
| 607 } | |
| 608 | |
| 609 cln->handler = ngx_ssl_cleanup_ctx; | |
| 610 cln->data = &conf->ssl; | |
| 611 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
612 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
613 conf->certificate_keys, conf->passwords) |
| 6115 | 614 != NGX_OK) |
| 615 { | |
| 616 return NGX_CONF_ERROR; | |
| 617 } | |
| 618 | |
|
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
619 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
620 conf->prefer_server_ciphers) |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
621 != NGX_OK) |
| 6115 | 622 { |
| 623 return NGX_CONF_ERROR; | |
| 624 } | |
| 625 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
626 if (conf->verify) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
627 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
628 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
629 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
630 "no ssl_client_certificate for ssl_client_verify"); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
631 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
632 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
633 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
634 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
635 &conf->client_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
636 conf->verify_depth) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
637 != NGX_OK) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
638 { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
639 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
640 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
641 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
642 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
643 &conf->trusted_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
644 conf->verify_depth) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
645 != NGX_OK) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
646 { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
647 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
648 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
649 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
650 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
651 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
652 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
653 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
654 |
| 6115 | 655 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 656 return NGX_CONF_ERROR; | |
| 657 } | |
| 658 | |
| 659 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | |
| 660 return NGX_CONF_ERROR; | |
| 661 } | |
| 662 | |
| 663 ngx_conf_merge_value(conf->builtin_session_cache, | |
| 664 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | |
| 665 | |
| 666 if (conf->shm_zone == NULL) { | |
| 667 conf->shm_zone = prev->shm_zone; | |
| 668 } | |
| 669 | |
| 670 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, | |
| 671 conf->builtin_session_cache, | |
| 672 conf->shm_zone, conf->session_timeout) | |
| 673 != NGX_OK) | |
| 674 { | |
| 675 return NGX_CONF_ERROR; | |
| 676 } | |
| 677 | |
| 678 ngx_conf_merge_value(conf->session_tickets, | |
| 679 prev->session_tickets, 1); | |
| 680 | |
| 681 #ifdef SSL_OP_NO_TICKET | |
| 682 if (!conf->session_tickets) { | |
| 683 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
| 684 } | |
| 685 #endif | |
| 686 | |
| 687 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
| 688 prev->session_ticket_keys, NULL); | |
| 689 | |
| 690 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
| 691 != NGX_OK) | |
| 692 { | |
| 693 return NGX_CONF_ERROR; | |
| 694 } | |
| 695 | |
| 696 return NGX_CONF_OK; | |
| 697 } | |
| 698 | |
| 699 | |
| 700 static char * | |
| 701 ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 702 { | |
| 703 ngx_stream_ssl_conf_t *scf = conf; | |
| 704 | |
| 705 ngx_str_t *value; | |
| 706 | |
| 707 if (scf->passwords != NGX_CONF_UNSET_PTR) { | |
| 708 return "is duplicate"; | |
| 709 } | |
| 710 | |
| 711 value = cf->args->elts; | |
| 712 | |
| 713 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); | |
| 714 | |
| 715 if (scf->passwords == NULL) { | |
| 716 return NGX_CONF_ERROR; | |
| 717 } | |
| 718 | |
| 719 return NGX_CONF_OK; | |
| 720 } | |
| 721 | |
| 722 | |
| 723 static char * | |
| 724 ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 725 { | |
| 726 ngx_stream_ssl_conf_t *scf = conf; | |
| 727 | |
| 728 size_t len; | |
| 729 ngx_str_t *value, name, size; | |
| 730 ngx_int_t n; | |
| 731 ngx_uint_t i, j; | |
| 732 | |
| 733 value = cf->args->elts; | |
| 734 | |
| 735 for (i = 1; i < cf->args->nelts; i++) { | |
| 736 | |
| 737 if (ngx_strcmp(value[i].data, "off") == 0) { | |
| 738 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 739 continue; | |
| 740 } | |
| 741 | |
| 742 if (ngx_strcmp(value[i].data, "none") == 0) { | |
| 743 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 744 continue; | |
| 745 } | |
| 746 | |
| 747 if (ngx_strcmp(value[i].data, "builtin") == 0) { | |
| 748 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 749 continue; | |
| 750 } | |
| 751 | |
| 752 if (value[i].len > sizeof("builtin:") - 1 | |
| 753 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 754 == 0) | |
| 755 { | |
| 756 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 757 value[i].len - (sizeof("builtin:") - 1)); | |
| 758 | |
| 759 if (n == NGX_ERROR) { | |
| 760 goto invalid; | |
| 761 } | |
| 762 | |
| 763 scf->builtin_session_cache = n; | |
| 764 | |
| 765 continue; | |
| 766 } | |
| 767 | |
| 768 if (value[i].len > sizeof("shared:") - 1 | |
| 769 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 770 == 0) | |
| 771 { | |
| 772 len = 0; | |
| 773 | |
| 774 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 775 if (value[i].data[j] == ':') { | |
| 776 break; | |
| 777 } | |
| 778 | |
| 779 len++; | |
| 780 } | |
| 781 | |
| 782 if (len == 0) { | |
| 783 goto invalid; | |
| 784 } | |
| 785 | |
| 786 name.len = len; | |
| 787 name.data = value[i].data + sizeof("shared:") - 1; | |
| 788 | |
| 789 size.len = value[i].len - j - 1; | |
| 790 size.data = name.data + len + 1; | |
| 791 | |
| 792 n = ngx_parse_size(&size); | |
| 793 | |
| 794 if (n == NGX_ERROR) { | |
| 795 goto invalid; | |
| 796 } | |
| 797 | |
| 798 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 799 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 800 "session cache \"%V\" is too small", | |
| 801 &value[i]); | |
| 802 | |
| 803 return NGX_CONF_ERROR; | |
| 804 } | |
| 805 | |
| 806 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 807 &ngx_stream_ssl_module); | |
| 808 if (scf->shm_zone == NULL) { | |
| 809 return NGX_CONF_ERROR; | |
| 810 } | |
| 811 | |
| 812 scf->shm_zone->init = ngx_ssl_session_cache_init; | |
| 813 | |
| 814 continue; | |
| 815 } | |
| 816 | |
| 817 goto invalid; | |
| 818 } | |
| 819 | |
| 820 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 821 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 822 } | |
| 823 | |
| 824 return NGX_CONF_OK; | |
| 825 | |
| 826 invalid: | |
| 827 | |
| 828 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 829 "invalid session cache \"%V\"", &value[i]); | |
| 830 | |
| 831 return NGX_CONF_ERROR; | |
| 832 } | |
| 6693 | 833 |
| 834 | |
| 835 static ngx_int_t | |
| 836 ngx_stream_ssl_init(ngx_conf_t *cf) | |
| 837 { | |
| 838 ngx_stream_handler_pt *h; | |
| 839 ngx_stream_core_main_conf_t *cmcf; | |
| 840 | |
| 841 cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module); | |
| 842 | |
| 843 h = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers); | |
| 844 if (h == NULL) { | |
| 845 return NGX_ERROR; | |
| 846 } | |
| 847 | |
| 848 *h = ngx_stream_ssl_handler; | |
| 849 | |
| 850 return NGX_OK; | |
| 851 } |