Mercurial > hg > nginx-quic
annotate src/stream/ngx_stream_ssl_module.c @ 6876:a5d1b1383dea
Upstream: fixed cache corruption and socket leaks with aio_write.
The ngx_event_pipe() function wasn't called on write events with
wev->delayed set. As a result, threaded writing results weren't
properly collected in ngx_event_pipe_write_to_downstream() when a
write event was triggered for a completed write.
Further, this wasn't detected, as p->aio was reset by a thread completion
handler, and results were later collected in ngx_event_pipe_read_upstream()
instead of scheduling a new write of additional data. If this happened
on the last reading from an upstream, last part of the response was never
written to the cache file.
Similar problems might also happen in case of timeouts when writing to
client, as this also results in ngx_event_pipe() not being called on write
events. In this scenario socket leaks were observed.
Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and
therefore collect results of previous write operations in case of read events
as well, similar to how we do so in ngx_event_pipe_write_downstream().
This is enough to fix the wev->delayed case. Additionally, we now call
ngx_event_pipe() from ngx_http_upstream_process_request() if there are
uncollected write operations (p->writing and !p->aio). This also fixes
the wev->timedout case.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 20 Jan 2017 21:14:19 +0300 |
parents | 1818acd8442f |
children | 08dc60979133 |
rev | line source |
---|---|
6115 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> | |
11 | |
12 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
14 ngx_pool_t *pool, ngx_str_t *s); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
15 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
16 |
6115 | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
18 #define NGX_DEFAULT_ECDH_CURVE "auto" |
6115 | 19 |
20 | |
6693 | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | |
23 ngx_connection_t *c); | |
24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
25 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
26 ngx_stream_variable_value_t *v, uintptr_t data); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
27 static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
28 ngx_stream_variable_value_t *v, uintptr_t data); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
29 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
30 static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf); |
6115 | 31 static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf); |
32 static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, | |
33 void *child); | |
34 | |
35 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | |
36 void *conf); | |
37 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
38 void *conf); | |
6693 | 39 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf); |
6115 | 40 |
41 | |
42 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = { | |
43 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
44 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
45 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
46 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
47 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
48 { ngx_null_string, 0 } | |
49 }; | |
50 | |
51 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
52 static ngx_conf_enum_t ngx_stream_ssl_verify[] = { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
53 { ngx_string("off"), 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
54 { ngx_string("on"), 1 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
55 { ngx_string("optional"), 2 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
56 { ngx_string("optional_no_ca"), 3 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
57 { ngx_null_string, 0 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
58 }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
59 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
60 |
6115 | 61 static ngx_command_t ngx_stream_ssl_commands[] = { |
62 | |
63 { ngx_string("ssl_handshake_timeout"), | |
64 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
65 ngx_conf_set_msec_slot, | |
66 NGX_STREAM_SRV_CONF_OFFSET, | |
67 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), | |
68 NULL }, | |
69 | |
70 { ngx_string("ssl_certificate"), | |
71 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
72 ngx_conf_set_str_array_slot, |
6115 | 73 NGX_STREAM_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
74 offsetof(ngx_stream_ssl_conf_t, certificates), |
6115 | 75 NULL }, |
76 | |
77 { ngx_string("ssl_certificate_key"), | |
78 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
79 ngx_conf_set_str_array_slot, |
6115 | 80 NGX_STREAM_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
81 offsetof(ngx_stream_ssl_conf_t, certificate_keys), |
6115 | 82 NULL }, |
83 | |
84 { ngx_string("ssl_password_file"), | |
85 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
86 ngx_stream_ssl_password_file, | |
87 NGX_STREAM_SRV_CONF_OFFSET, | |
88 0, | |
89 NULL }, | |
90 | |
91 { ngx_string("ssl_dhparam"), | |
92 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
93 ngx_conf_set_str_slot, | |
94 NGX_STREAM_SRV_CONF_OFFSET, | |
95 offsetof(ngx_stream_ssl_conf_t, dhparam), | |
96 NULL }, | |
97 | |
98 { ngx_string("ssl_ecdh_curve"), | |
99 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
100 ngx_conf_set_str_slot, | |
101 NGX_STREAM_SRV_CONF_OFFSET, | |
102 offsetof(ngx_stream_ssl_conf_t, ecdh_curve), | |
103 NULL }, | |
104 | |
105 { ngx_string("ssl_protocols"), | |
106 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, | |
107 ngx_conf_set_bitmask_slot, | |
108 NGX_STREAM_SRV_CONF_OFFSET, | |
109 offsetof(ngx_stream_ssl_conf_t, protocols), | |
110 &ngx_stream_ssl_protocols }, | |
111 | |
112 { ngx_string("ssl_ciphers"), | |
113 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
114 ngx_conf_set_str_slot, | |
115 NGX_STREAM_SRV_CONF_OFFSET, | |
116 offsetof(ngx_stream_ssl_conf_t, ciphers), | |
117 NULL }, | |
118 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
119 { ngx_string("ssl_verify_client"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
120 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
121 ngx_conf_set_enum_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
122 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
123 offsetof(ngx_stream_ssl_conf_t, verify), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
124 &ngx_stream_ssl_verify }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
125 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
126 { ngx_string("ssl_verify_depth"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
127 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
128 ngx_conf_set_num_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
129 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
130 offsetof(ngx_stream_ssl_conf_t, verify_depth), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
131 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
132 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
133 { ngx_string("ssl_client_certificate"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
134 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
135 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
136 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
137 offsetof(ngx_stream_ssl_conf_t, client_certificate), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
138 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
139 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
140 { ngx_string("ssl_trusted_certificate"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
141 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
142 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
143 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
144 offsetof(ngx_stream_ssl_conf_t, trusted_certificate), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
145 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
146 |
6115 | 147 { ngx_string("ssl_prefer_server_ciphers"), |
148 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
149 ngx_conf_set_flag_slot, | |
150 NGX_STREAM_SRV_CONF_OFFSET, | |
151 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers), | |
152 NULL }, | |
153 | |
154 { ngx_string("ssl_session_cache"), | |
155 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12, | |
156 ngx_stream_ssl_session_cache, | |
157 NGX_STREAM_SRV_CONF_OFFSET, | |
158 0, | |
159 NULL }, | |
160 | |
161 { ngx_string("ssl_session_tickets"), | |
162 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
163 ngx_conf_set_flag_slot, | |
164 NGX_STREAM_SRV_CONF_OFFSET, | |
165 offsetof(ngx_stream_ssl_conf_t, session_tickets), | |
166 NULL }, | |
167 | |
168 { ngx_string("ssl_session_ticket_key"), | |
169 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
170 ngx_conf_set_str_array_slot, | |
171 NGX_STREAM_SRV_CONF_OFFSET, | |
172 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys), | |
173 NULL }, | |
174 | |
175 { ngx_string("ssl_session_timeout"), | |
176 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
177 ngx_conf_set_sec_slot, | |
178 NGX_STREAM_SRV_CONF_OFFSET, | |
179 offsetof(ngx_stream_ssl_conf_t, session_timeout), | |
180 NULL }, | |
181 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
182 { ngx_string("ssl_crl"), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
183 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
184 ngx_conf_set_str_slot, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
185 NGX_STREAM_SRV_CONF_OFFSET, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
186 offsetof(ngx_stream_ssl_conf_t, crl), |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
187 NULL }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
188 |
6115 | 189 ngx_null_command |
190 }; | |
191 | |
192 | |
193 static ngx_stream_module_t ngx_stream_ssl_module_ctx = { | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
194 ngx_stream_ssl_add_variables, /* preconfiguration */ |
6693 | 195 ngx_stream_ssl_init, /* postconfiguration */ |
6174
68c106e6fa0a
Stream: added postconfiguration method to stream modules.
Vladimir Homutov <vl@nginx.com>
parents:
6157
diff
changeset
|
196 |
6115 | 197 NULL, /* create main configuration */ |
198 NULL, /* init main configuration */ | |
199 | |
200 ngx_stream_ssl_create_conf, /* create server configuration */ | |
201 ngx_stream_ssl_merge_conf /* merge server configuration */ | |
202 }; | |
203 | |
204 | |
205 ngx_module_t ngx_stream_ssl_module = { | |
206 NGX_MODULE_V1, | |
207 &ngx_stream_ssl_module_ctx, /* module context */ | |
208 ngx_stream_ssl_commands, /* module directives */ | |
209 NGX_STREAM_MODULE, /* module type */ | |
210 NULL, /* init master */ | |
211 NULL, /* init module */ | |
212 NULL, /* init process */ | |
213 NULL, /* init thread */ | |
214 NULL, /* exit thread */ | |
215 NULL, /* exit process */ | |
216 NULL, /* exit master */ | |
217 NGX_MODULE_V1_PADDING | |
218 }; | |
219 | |
220 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
221 static ngx_stream_variable_t ngx_stream_ssl_vars[] = { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
222 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
223 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
224 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
225 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
226 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
227 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
228 |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
229 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
230 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
231 |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
232 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
233 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
234 |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
235 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
236 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
237 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
238 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
239 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
240 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
241 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
242 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
243 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
244 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
245 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
246 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
247 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
248 (uintptr_t) ngx_ssl_get_raw_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
249 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
250 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
251 { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
252 (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
253 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
254 { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
255 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
256 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
257 { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
258 (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
259 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
260 { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
261 (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
262 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
263 { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
264 (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
265 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
266 { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
267 (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
268 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
269 { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
270 (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
271 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
272 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
273 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
274 |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
275 { ngx_null_string, NULL, NULL, 0, 0, 0 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
276 }; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
277 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
278 |
6115 | 279 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM"); |
280 | |
281 | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
282 static ngx_int_t |
6693 | 283 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
284 { | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
285 long rc; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
286 X509 *cert; |
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
287 ngx_int_t rv; |
6693 | 288 ngx_connection_t *c; |
289 ngx_stream_ssl_conf_t *sslcf; | |
290 | |
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
291 if (!s->ssl) { |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
292 return NGX_OK; |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
293 } |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
294 |
6693 | 295 c = s->connection; |
296 | |
297 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
298 | |
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
299 if (c->ssl == NULL) { |
6693 | 300 c->log->action = "SSL handshaking"; |
301 | |
302 if (sslcf->ssl.ctx == NULL) { | |
303 ngx_log_error(NGX_LOG_ERR, c->log, 0, | |
304 "no \"ssl_certificate\" is defined " | |
305 "in server listening on SSL port"); | |
306 return NGX_ERROR; | |
307 } | |
308 | |
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
309 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
310 |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
311 if (rv != NGX_OK) { |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
312 return rv; |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
313 } |
6693 | 314 } |
315 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
316 if (sslcf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
317 rc = SSL_get_verify_result(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
318 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
319 if (rc != X509_V_OK |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
320 && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
321 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
322 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
323 "client SSL certificate verify error: (%l:%s)", |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
324 rc, X509_verify_cert_error_string(rc)); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
325 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
326 ngx_ssl_remove_cached_session(sslcf->ssl.ctx, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
327 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
328 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
329 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
330 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
331 if (sslcf->verify == 1) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
332 cert = SSL_get_peer_certificate(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
333 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
334 if (cert == NULL) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
335 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
336 "client sent no required SSL certificate"); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
337 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
338 ngx_ssl_remove_cached_session(sslcf->ssl.ctx, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
339 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
340 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
341 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
342 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
343 X509_free(cert); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
344 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
345 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
346 |
6693 | 347 return NGX_OK; |
348 } | |
349 | |
350 | |
351 static ngx_int_t | |
352 ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c) | |
353 { | |
354 ngx_int_t rc; | |
355 ngx_stream_session_t *s; | |
356 ngx_stream_ssl_conf_t *sslcf; | |
357 | |
358 s = c->data; | |
359 | |
360 if (ngx_ssl_create_connection(ssl, c, 0) == NGX_ERROR) { | |
361 return NGX_ERROR; | |
362 } | |
363 | |
364 rc = ngx_ssl_handshake(c); | |
365 | |
366 if (rc == NGX_ERROR) { | |
367 return NGX_ERROR; | |
368 } | |
369 | |
370 if (rc == NGX_AGAIN) { | |
371 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
372 | |
373 ngx_add_timer(c->read, sslcf->handshake_timeout); | |
374 | |
375 c->ssl->handler = ngx_stream_ssl_handshake_handler; | |
376 | |
377 return NGX_AGAIN; | |
378 } | |
379 | |
380 /* rc == NGX_OK */ | |
381 | |
382 return NGX_OK; | |
383 } | |
384 | |
385 | |
386 static void | |
387 ngx_stream_ssl_handshake_handler(ngx_connection_t *c) | |
388 { | |
389 ngx_stream_session_t *s; | |
390 | |
391 s = c->data; | |
392 | |
393 if (!c->ssl->handshaked) { | |
394 ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | |
395 return; | |
396 } | |
397 | |
398 if (c->read->timer_set) { | |
399 ngx_del_timer(c->read); | |
400 } | |
401 | |
402 ngx_stream_core_run_phases(s); | |
403 } | |
404 | |
405 | |
406 static ngx_int_t | |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
407 ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
408 ngx_stream_variable_value_t *v, uintptr_t data) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
409 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
410 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
411 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
412 size_t len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
413 ngx_str_t str; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
414 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
415 if (s->connection->ssl) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
416 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
417 (void) handler(s->connection, NULL, &str); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
418 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
419 v->data = str.data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
420 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
421 for (len = 0; v->data[len]; len++) { /* void */ } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
422 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
423 v->len = len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
424 v->valid = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
425 v->no_cacheable = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
426 v->not_found = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
427 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
428 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
429 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
430 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
431 v->not_found = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
432 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
433 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
434 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
435 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
436 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
437 static ngx_int_t |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
438 ngx_stream_ssl_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
439 ngx_stream_variable_value_t *v, uintptr_t data) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
440 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
441 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
442 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
443 ngx_str_t str; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
444 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
445 if (s->connection->ssl) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
446 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
447 if (handler(s->connection, s->connection->pool, &str) != NGX_OK) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
448 return NGX_ERROR; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
449 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
450 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
451 v->len = str.len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
452 v->data = str.data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
453 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
454 if (v->len) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
455 v->valid = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
456 v->no_cacheable = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
457 v->not_found = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
458 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
459 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
460 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
461 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
462 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
463 v->not_found = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
464 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
465 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
466 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
467 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
468 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
469 static ngx_int_t |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
470 ngx_stream_ssl_add_variables(ngx_conf_t *cf) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
471 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
472 ngx_stream_variable_t *var, *v; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
473 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
474 for (v = ngx_stream_ssl_vars; v->name.len; v++) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
475 var = ngx_stream_add_variable(cf, &v->name, v->flags); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
476 if (var == NULL) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
477 return NGX_ERROR; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
478 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
479 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
480 var->get_handler = v->get_handler; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
481 var->data = v->data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
482 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
483 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
484 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
485 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
486 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
487 |
6115 | 488 static void * |
489 ngx_stream_ssl_create_conf(ngx_conf_t *cf) | |
490 { | |
491 ngx_stream_ssl_conf_t *scf; | |
492 | |
493 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t)); | |
494 if (scf == NULL) { | |
495 return NULL; | |
496 } | |
497 | |
498 /* | |
499 * set by ngx_pcalloc(): | |
500 * | |
501 * scf->protocols = 0; | |
502 * scf->dhparam = { 0, NULL }; | |
503 * scf->ecdh_curve = { 0, NULL }; | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
504 * scf->client_certificate = { 0, NULL }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
505 * scf->trusted_certificate = { 0, NULL }; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
506 * scf->crl = { 0, NULL }; |
6115 | 507 * scf->ciphers = { 0, NULL }; |
508 * scf->shm_zone = NULL; | |
509 */ | |
510 | |
511 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
512 scf->certificates = NGX_CONF_UNSET_PTR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
513 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
6115 | 514 scf->passwords = NGX_CONF_UNSET_PTR; |
515 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
516 scf->verify = NGX_CONF_UNSET_UINT; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
517 scf->verify_depth = NGX_CONF_UNSET_UINT; |
6115 | 518 scf->builtin_session_cache = NGX_CONF_UNSET; |
519 scf->session_timeout = NGX_CONF_UNSET; | |
520 scf->session_tickets = NGX_CONF_UNSET; | |
521 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; | |
522 | |
523 return scf; | |
524 } | |
525 | |
526 | |
527 static char * | |
528 ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
529 { | |
530 ngx_stream_ssl_conf_t *prev = parent; | |
531 ngx_stream_ssl_conf_t *conf = child; | |
532 | |
533 ngx_pool_cleanup_t *cln; | |
534 | |
535 ngx_conf_merge_msec_value(conf->handshake_timeout, | |
536 prev->handshake_timeout, 60000); | |
537 | |
538 ngx_conf_merge_value(conf->session_timeout, | |
539 prev->session_timeout, 300); | |
540 | |
541 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
542 prev->prefer_server_ciphers, 0); | |
543 | |
544 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6115
diff
changeset
|
545 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
6115 | 546 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
548 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
549 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
550 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
551 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
552 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
553 NULL); |
6115 | 554 |
555 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | |
556 | |
557 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | |
558 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
559 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
560 ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
561 ngx_conf_merge_str_value(conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
562 prev->trusted_certificate, ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
563 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
564 |
6115 | 565 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
566 NGX_DEFAULT_ECDH_CURVE); | |
567 | |
568 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | |
569 | |
570 | |
571 conf->ssl.log = cf->log; | |
572 | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
573 if (conf->certificates == NULL) { |
6115 | 574 return NGX_CONF_OK; |
575 } | |
576 | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
577 if (conf->certificate_keys == NULL |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
578 || conf->certificate_keys->nelts < conf->certificates->nelts) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
579 { |
6115 | 580 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
581 "no \"ssl_certificate_key\" is defined " | |
582 "for certificate \"%V\"", | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
583 ((ngx_str_t *) conf->certificates->elts) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
584 + conf->certificates->nelts - 1); |
6115 | 585 return NGX_CONF_ERROR; |
586 } | |
587 | |
588 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | |
589 return NGX_CONF_ERROR; | |
590 } | |
591 | |
592 cln = ngx_pool_cleanup_add(cf->pool, 0); | |
593 if (cln == NULL) { | |
594 return NGX_CONF_ERROR; | |
595 } | |
596 | |
597 cln->handler = ngx_ssl_cleanup_ctx; | |
598 cln->data = &conf->ssl; | |
599 | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
600 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
601 conf->certificate_keys, conf->passwords) |
6115 | 602 != NGX_OK) |
603 { | |
604 return NGX_CONF_ERROR; | |
605 } | |
606 | |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
607 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
608 conf->prefer_server_ciphers) |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
609 != NGX_OK) |
6115 | 610 { |
611 return NGX_CONF_ERROR; | |
612 } | |
613 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
614 if (conf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
615 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
616 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
617 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
618 "no ssl_client_certificate for ssl_client_verify"); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
619 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
620 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
621 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
622 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
623 &conf->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
624 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
625 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
626 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
627 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
628 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
629 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
630 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
631 &conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
632 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
633 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
634 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
635 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
636 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
637 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
638 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
639 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
640 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
641 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
642 |
6115 | 643 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
644 return NGX_CONF_ERROR; | |
645 } | |
646 | |
647 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | |
648 return NGX_CONF_ERROR; | |
649 } | |
650 | |
651 ngx_conf_merge_value(conf->builtin_session_cache, | |
652 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | |
653 | |
654 if (conf->shm_zone == NULL) { | |
655 conf->shm_zone = prev->shm_zone; | |
656 } | |
657 | |
658 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, | |
659 conf->builtin_session_cache, | |
660 conf->shm_zone, conf->session_timeout) | |
661 != NGX_OK) | |
662 { | |
663 return NGX_CONF_ERROR; | |
664 } | |
665 | |
666 ngx_conf_merge_value(conf->session_tickets, | |
667 prev->session_tickets, 1); | |
668 | |
669 #ifdef SSL_OP_NO_TICKET | |
670 if (!conf->session_tickets) { | |
671 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
672 } | |
673 #endif | |
674 | |
675 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
676 prev->session_ticket_keys, NULL); | |
677 | |
678 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
679 != NGX_OK) | |
680 { | |
681 return NGX_CONF_ERROR; | |
682 } | |
683 | |
684 return NGX_CONF_OK; | |
685 } | |
686 | |
687 | |
688 static char * | |
689 ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
690 { | |
691 ngx_stream_ssl_conf_t *scf = conf; | |
692 | |
693 ngx_str_t *value; | |
694 | |
695 if (scf->passwords != NGX_CONF_UNSET_PTR) { | |
696 return "is duplicate"; | |
697 } | |
698 | |
699 value = cf->args->elts; | |
700 | |
701 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); | |
702 | |
703 if (scf->passwords == NULL) { | |
704 return NGX_CONF_ERROR; | |
705 } | |
706 | |
707 return NGX_CONF_OK; | |
708 } | |
709 | |
710 | |
711 static char * | |
712 ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
713 { | |
714 ngx_stream_ssl_conf_t *scf = conf; | |
715 | |
716 size_t len; | |
717 ngx_str_t *value, name, size; | |
718 ngx_int_t n; | |
719 ngx_uint_t i, j; | |
720 | |
721 value = cf->args->elts; | |
722 | |
723 for (i = 1; i < cf->args->nelts; i++) { | |
724 | |
725 if (ngx_strcmp(value[i].data, "off") == 0) { | |
726 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
727 continue; | |
728 } | |
729 | |
730 if (ngx_strcmp(value[i].data, "none") == 0) { | |
731 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
732 continue; | |
733 } | |
734 | |
735 if (ngx_strcmp(value[i].data, "builtin") == 0) { | |
736 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
737 continue; | |
738 } | |
739 | |
740 if (value[i].len > sizeof("builtin:") - 1 | |
741 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
742 == 0) | |
743 { | |
744 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
745 value[i].len - (sizeof("builtin:") - 1)); | |
746 | |
747 if (n == NGX_ERROR) { | |
748 goto invalid; | |
749 } | |
750 | |
751 scf->builtin_session_cache = n; | |
752 | |
753 continue; | |
754 } | |
755 | |
756 if (value[i].len > sizeof("shared:") - 1 | |
757 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
758 == 0) | |
759 { | |
760 len = 0; | |
761 | |
762 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
763 if (value[i].data[j] == ':') { | |
764 break; | |
765 } | |
766 | |
767 len++; | |
768 } | |
769 | |
770 if (len == 0) { | |
771 goto invalid; | |
772 } | |
773 | |
774 name.len = len; | |
775 name.data = value[i].data + sizeof("shared:") - 1; | |
776 | |
777 size.len = value[i].len - j - 1; | |
778 size.data = name.data + len + 1; | |
779 | |
780 n = ngx_parse_size(&size); | |
781 | |
782 if (n == NGX_ERROR) { | |
783 goto invalid; | |
784 } | |
785 | |
786 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
787 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
788 "session cache \"%V\" is too small", | |
789 &value[i]); | |
790 | |
791 return NGX_CONF_ERROR; | |
792 } | |
793 | |
794 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
795 &ngx_stream_ssl_module); | |
796 if (scf->shm_zone == NULL) { | |
797 return NGX_CONF_ERROR; | |
798 } | |
799 | |
800 scf->shm_zone->init = ngx_ssl_session_cache_init; | |
801 | |
802 continue; | |
803 } | |
804 | |
805 goto invalid; | |
806 } | |
807 | |
808 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
809 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
810 } | |
811 | |
812 return NGX_CONF_OK; | |
813 | |
814 invalid: | |
815 | |
816 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
817 "invalid session cache \"%V\"", &value[i]); | |
818 | |
819 return NGX_CONF_ERROR; | |
820 } | |
6693 | 821 |
822 | |
823 static ngx_int_t | |
824 ngx_stream_ssl_init(ngx_conf_t *cf) | |
825 { | |
826 ngx_stream_handler_pt *h; | |
827 ngx_stream_core_main_conf_t *cmcf; | |
828 | |
829 cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module); | |
830 | |
831 h = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers); | |
832 if (h == NULL) { | |
833 return NGX_ERROR; | |
834 } | |
835 | |
836 *h = ngx_stream_ssl_handler; | |
837 | |
838 return NGX_OK; | |
839 } |