Mercurial > hg > nginx-quic
annotate src/mail/ngx_mail_ssl_module.c @ 7476:b6dc8a12c07a
SSL: removed redundant "pkey" variable.
It was accidentally introduced in 77436d9951a1 (1.15.9). In MSVC 2015
and more recent MSVC versions it triggers warning C4456 (declaration of
'pkey' hides previous local declaration). Previously, all such warnings
were resolved in 2a621245f4cf.
Reported by Steve Stevenson.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 09 Mar 2019 02:55:43 +0300 |
parents | 8981dbb12254 |
children | ef7ee19776db |
rev | line source |
---|---|
539 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
539 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
1136 | 10 #include <ngx_mail.h> |
539 | 11 |
12 | |
3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
14 #define NGX_DEFAULT_ECDH_CURVE "auto" |
539 | 15 |
16 | |
1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
2224 | 19 |
20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
21 void *conf); | |
22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
23 void *conf); | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
24 static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
25 void *conf); |
1136 | 26 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
976 | 27 void *conf); |
539 | 28 |
29 | |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
30 static ngx_conf_enum_t ngx_mail_starttls_state[] = { |
1136 | 31 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF }, |
32 { ngx_string("on"), NGX_MAIL_STARTTLS_ON }, | |
33 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY }, | |
583 | 34 { ngx_null_string, 0 } |
35 }; | |
36 | |
37 | |
38 | |
1136 | 39 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = { |
547 | 40 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
41 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
42 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
43 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
44 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6699
diff
changeset
|
45 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 }, |
547 | 46 { ngx_null_string, 0 } |
47 }; | |
48 | |
49 | |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
50 static ngx_conf_enum_t ngx_mail_ssl_verify[] = { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
51 { ngx_string("off"), 0 }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
52 { ngx_string("on"), 1 }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
53 { ngx_string("optional"), 2 }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
54 { ngx_string("optional_no_ca"), 3 }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
55 { ngx_null_string, 0 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
56 }; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
57 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
58 |
7270
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
59 static ngx_conf_deprecated_t ngx_mail_ssl_deprecated = { |
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
60 ngx_conf_deprecated, "ssl", "listen ... ssl" |
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
61 }; |
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
62 |
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
63 |
1136 | 64 static ngx_command_t ngx_mail_ssl_commands[] = { |
539 | 65 |
66 { ngx_string("ssl"), | |
1136 | 67 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
2224 | 68 ngx_mail_ssl_enable, |
1136 | 69 NGX_MAIL_SRV_CONF_OFFSET, |
70 offsetof(ngx_mail_ssl_conf_t, enable), | |
7270
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
71 &ngx_mail_ssl_deprecated }, |
539 | 72 |
583 | 73 { ngx_string("starttls"), |
1136 | 74 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
2224 | 75 ngx_mail_ssl_starttls, |
1136 | 76 NGX_MAIL_SRV_CONF_OFFSET, |
77 offsetof(ngx_mail_ssl_conf_t, starttls), | |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
78 ngx_mail_starttls_state }, |
583 | 79 |
539 | 80 { ngx_string("ssl_certificate"), |
1136 | 81 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
82 ngx_conf_set_str_array_slot, |
1136 | 83 NGX_MAIL_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
84 offsetof(ngx_mail_ssl_conf_t, certificates), |
539 | 85 NULL }, |
86 | |
87 { ngx_string("ssl_certificate_key"), | |
1136 | 88 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
89 ngx_conf_set_str_array_slot, |
1136 | 90 NGX_MAIL_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
91 offsetof(ngx_mail_ssl_conf_t, certificate_keys), |
539 | 92 NULL }, |
93 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
94 { ngx_string("ssl_password_file"), |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
95 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
96 ngx_mail_ssl_password_file, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
97 NGX_MAIL_SRV_CONF_OFFSET, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
98 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
99 NULL }, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
100 |
2044 | 101 { ngx_string("ssl_dhparam"), |
102 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
103 ngx_conf_set_str_slot, | |
104 NGX_MAIL_SRV_CONF_OFFSET, | |
105 offsetof(ngx_mail_ssl_conf_t, dhparam), | |
106 NULL }, | |
107 | |
3960 | 108 { ngx_string("ssl_ecdh_curve"), |
109 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
110 ngx_conf_set_str_slot, | |
111 NGX_MAIL_SRV_CONF_OFFSET, | |
112 offsetof(ngx_mail_ssl_conf_t, ecdh_curve), | |
113 NULL }, | |
114 | |
547 | 115 { ngx_string("ssl_protocols"), |
1136 | 116 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, |
547 | 117 ngx_conf_set_bitmask_slot, |
1136 | 118 NGX_MAIL_SRV_CONF_OFFSET, |
119 offsetof(ngx_mail_ssl_conf_t, protocols), | |
120 &ngx_mail_ssl_protocols }, | |
547 | 121 |
539 | 122 { ngx_string("ssl_ciphers"), |
1136 | 123 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
539 | 124 ngx_conf_set_str_slot, |
1136 | 125 NGX_MAIL_SRV_CONF_OFFSET, |
126 offsetof(ngx_mail_ssl_conf_t, ciphers), | |
539 | 127 NULL }, |
128 | |
547 | 129 { ngx_string("ssl_prefer_server_ciphers"), |
1136 | 130 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
547 | 131 ngx_conf_set_flag_slot, |
1136 | 132 NGX_MAIL_SRV_CONF_OFFSET, |
133 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers), | |
547 | 134 NULL }, |
563 | 135 |
976 | 136 { ngx_string("ssl_session_cache"), |
1136 | 137 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
138 ngx_mail_ssl_session_cache, | |
139 NGX_MAIL_SRV_CONF_OFFSET, | |
976 | 140 0, |
141 NULL }, | |
142 | |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
143 { ngx_string("ssl_session_tickets"), |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
144 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
145 ngx_conf_set_flag_slot, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
146 NGX_MAIL_SRV_CONF_OFFSET, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
147 offsetof(ngx_mail_ssl_conf_t, session_tickets), |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
148 NULL }, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
149 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
150 { ngx_string("ssl_session_ticket_key"), |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
151 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
152 ngx_conf_set_str_array_slot, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
153 NGX_MAIL_SRV_CONF_OFFSET, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
154 offsetof(ngx_mail_ssl_conf_t, session_ticket_keys), |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
155 NULL }, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
156 |
573 | 157 { ngx_string("ssl_session_timeout"), |
1136 | 158 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
573 | 159 ngx_conf_set_sec_slot, |
1136 | 160 NGX_MAIL_SRV_CONF_OFFSET, |
161 offsetof(ngx_mail_ssl_conf_t, session_timeout), | |
573 | 162 NULL }, |
547 | 163 |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
164 { ngx_string("ssl_verify_client"), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
165 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
166 ngx_conf_set_enum_slot, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
167 NGX_MAIL_SRV_CONF_OFFSET, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
168 offsetof(ngx_mail_ssl_conf_t, verify), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
169 &ngx_mail_ssl_verify }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
170 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
171 { ngx_string("ssl_verify_depth"), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
172 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
173 ngx_conf_set_num_slot, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
174 NGX_MAIL_SRV_CONF_OFFSET, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
175 offsetof(ngx_mail_ssl_conf_t, verify_depth), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
176 NULL }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
177 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
178 { ngx_string("ssl_client_certificate"), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
179 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
180 ngx_conf_set_str_slot, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
181 NGX_MAIL_SRV_CONF_OFFSET, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
182 offsetof(ngx_mail_ssl_conf_t, client_certificate), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
183 NULL }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
184 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
185 { ngx_string("ssl_trusted_certificate"), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
186 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
187 ngx_conf_set_str_slot, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
188 NGX_MAIL_SRV_CONF_OFFSET, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
189 offsetof(ngx_mail_ssl_conf_t, trusted_certificate), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
190 NULL }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
191 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
192 { ngx_string("ssl_crl"), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
193 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
194 ngx_conf_set_str_slot, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
195 NGX_MAIL_SRV_CONF_OFFSET, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
196 offsetof(ngx_mail_ssl_conf_t, crl), |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
197 NULL }, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
198 |
539 | 199 ngx_null_command |
200 }; | |
201 | |
202 | |
1136 | 203 static ngx_mail_module_t ngx_mail_ssl_module_ctx = { |
1487
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
204 NULL, /* protocol */ |
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
205 |
539 | 206 NULL, /* create main configuration */ |
207 NULL, /* init main configuration */ | |
208 | |
1136 | 209 ngx_mail_ssl_create_conf, /* create server configuration */ |
210 ngx_mail_ssl_merge_conf /* merge server configuration */ | |
539 | 211 }; |
212 | |
213 | |
1136 | 214 ngx_module_t ngx_mail_ssl_module = { |
539 | 215 NGX_MODULE_V1, |
1136 | 216 &ngx_mail_ssl_module_ctx, /* module context */ |
217 ngx_mail_ssl_commands, /* module directives */ | |
218 NGX_MAIL_MODULE, /* module type */ | |
541 | 219 NULL, /* init master */ |
539 | 220 NULL, /* init module */ |
541 | 221 NULL, /* init process */ |
222 NULL, /* init thread */ | |
223 NULL, /* exit thread */ | |
224 NULL, /* exit process */ | |
225 NULL, /* exit master */ | |
226 NGX_MODULE_V1_PADDING | |
539 | 227 }; |
228 | |
229 | |
1136 | 230 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL"); |
543 | 231 |
232 | |
539 | 233 static void * |
1136 | 234 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
577 | 235 { |
1136 | 236 ngx_mail_ssl_conf_t *scf; |
577 | 237 |
1136 | 238 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
539 | 239 if (scf == NULL) { |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
240 return NULL; |
539 | 241 } |
242 | |
243 /* | |
577 | 244 * set by ngx_pcalloc(): |
539 | 245 * |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
246 * scf->listen = 0; |
547 | 247 * scf->protocols = 0; |
2044 | 248 * scf->dhparam = { 0, NULL }; |
3960 | 249 * scf->ecdh_curve = { 0, NULL }; |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
250 * scf->client_certificate = { 0, NULL }; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
251 * scf->trusted_certificate = { 0, NULL }; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
252 * scf->crl = { 0, NULL }; |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
253 * scf->ciphers = { 0, NULL }; |
976 | 254 * scf->shm_zone = NULL; |
539 | 255 */ |
256 | |
257 scf->enable = NGX_CONF_UNSET; | |
2759 | 258 scf->starttls = NGX_CONF_UNSET_UINT; |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
259 scf->certificates = NGX_CONF_UNSET_PTR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
260 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
261 scf->passwords = NGX_CONF_UNSET_PTR; |
976 | 262 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
263 scf->verify = NGX_CONF_UNSET_UINT; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
264 scf->verify_depth = NGX_CONF_UNSET_UINT; |
976 | 265 scf->builtin_session_cache = NGX_CONF_UNSET; |
573 | 266 scf->session_timeout = NGX_CONF_UNSET; |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
267 scf->session_tickets = NGX_CONF_UNSET; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
268 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
539 | 269 |
270 return scf; | |
271 } | |
272 | |
273 | |
274 static char * | |
1136 | 275 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
539 | 276 { |
1136 | 277 ngx_mail_ssl_conf_t *prev = parent; |
278 ngx_mail_ssl_conf_t *conf = child; | |
539 | 279 |
2224 | 280 char *mode; |
563 | 281 ngx_pool_cleanup_t *cln; |
282 | |
539 | 283 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
2224 | 284 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
285 NGX_MAIL_STARTTLS_OFF); | |
539 | 286 |
573 | 287 ngx_conf_merge_value(conf->session_timeout, |
288 prev->session_timeout, 300); | |
289 | |
547 | 290 ngx_conf_merge_value(conf->prefer_server_ciphers, |
291 prev->prefer_server_ciphers, 0); | |
292 | |
293 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6035
diff
changeset
|
294 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
295 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | 296 |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
297 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
298 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
299 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
300 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
301 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
302 NULL); |
539 | 303 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
304 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
305 |
2044 | 306 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
307 | |
3960 | 308 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
309 NGX_DEFAULT_ECDH_CURVE); | |
310 | |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
311 ngx_conf_merge_str_value(conf->client_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
312 prev->client_certificate, ""); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
313 ngx_conf_merge_str_value(conf->trusted_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
314 prev->trusted_certificate, ""); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
315 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
316 |
2124 | 317 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
539 | 318 |
319 | |
547 | 320 conf->ssl.log = cf->log; |
539 | 321 |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
322 if (conf->listen) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
323 mode = "listen ... ssl"; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
324 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
325 } else if (conf->enable) { |
6474 | 326 mode = "ssl"; |
2224 | 327 |
328 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
6474 | 329 mode = "starttls"; |
2224 | 330 |
331 } else { | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
332 return NGX_CONF_OK; |
2224 | 333 } |
334 | |
5401
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
335 if (conf->file == NULL) { |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
336 conf->file = prev->file; |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
337 conf->line = prev->line; |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
338 } |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
339 |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
340 if (conf->certificates == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
341 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
342 "no \"ssl_certificate\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
343 "the \"%s\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
344 mode, conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
345 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
346 } |
2224 | 347 |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
348 if (conf->certificate_keys == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
349 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
350 "no \"ssl_certificate_key\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
351 "the \"%s\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
352 mode, conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
353 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
354 } |
2224 | 355 |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
356 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
357 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
358 "no \"ssl_certificate_key\" is defined " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
359 "for certificate \"%V\" and " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
360 "the \"%s\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
361 ((ngx_str_t *) conf->certificates->elts) |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
362 + conf->certificates->nelts - 1, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
363 mode, conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
364 return NGX_CONF_ERROR; |
2224 | 365 } |
366 | |
969 | 367 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
539 | 368 return NGX_CONF_ERROR; |
369 } | |
370 | |
563 | 371 cln = ngx_pool_cleanup_add(cf->pool, 0); |
372 if (cln == NULL) { | |
7473
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
373 ngx_ssl_cleanup_ctx(&conf->ssl); |
539 | 374 return NGX_CONF_ERROR; |
375 } | |
376 | |
563 | 377 cln->handler = ngx_ssl_cleanup_ctx; |
378 cln->data = &conf->ssl; | |
379 | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
380 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
381 conf->certificate_keys, conf->passwords) |
563 | 382 != NGX_OK) |
547 | 383 { |
384 return NGX_CONF_ERROR; | |
385 } | |
539 | 386 |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
387 if (conf->verify) { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
388 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
389 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
390 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
391 "no ssl_client_certificate for ssl_client_verify"); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
392 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
393 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
394 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
395 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
396 &conf->client_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
397 conf->verify_depth) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
398 != NGX_OK) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
399 { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
400 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
401 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
402 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
403 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
404 &conf->trusted_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
405 conf->verify_depth) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
406 != NGX_OK) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
407 { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
408 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
409 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
410 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
411 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
412 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
413 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
414 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
415 |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
416 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
417 conf->prefer_server_ciphers) |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
418 != NGX_OK) |
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
419 { |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
420 return NGX_CONF_ERROR; |
539 | 421 } |
422 | |
2044 | 423 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
424 return NGX_CONF_ERROR; | |
425 } | |
426 | |
5219
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
427 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
428 return NGX_CONF_ERROR; |
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
429 } |
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
430 |
976 | 431 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 432 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
976 | 433 |
434 if (conf->shm_zone == NULL) { | |
435 conf->shm_zone = prev->shm_zone; | |
436 } | |
539 | 437 |
1136 | 438 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
439 conf->certificates, conf->builtin_session_cache, |
976 | 440 conf->shm_zone, conf->session_timeout) |
441 != NGX_OK) | |
442 { | |
443 return NGX_CONF_ERROR; | |
444 } | |
573 | 445 |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
446 ngx_conf_merge_value(conf->session_tickets, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
447 prev->session_tickets, 1); |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
448 |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
449 #ifdef SSL_OP_NO_TICKET |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
450 if (!conf->session_tickets) { |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
451 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
452 } |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
453 #endif |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
454 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
455 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
456 prev->session_ticket_keys, NULL); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
457 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
458 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
459 != NGX_OK) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
460 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
461 return NGX_CONF_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
462 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
463 |
539 | 464 return NGX_CONF_OK; |
465 } | |
563 | 466 |
577 | 467 |
976 | 468 static char * |
2224 | 469 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
470 { | |
471 ngx_mail_ssl_conf_t *scf = conf; | |
472 | |
473 char *rv; | |
474 | |
475 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
476 | |
477 if (rv != NGX_CONF_OK) { | |
478 return rv; | |
479 } | |
480 | |
481 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6591
diff
changeset
|
482 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
2224 | 483 "\"starttls\" directive conflicts with \"ssl on\""); |
484 return NGX_CONF_ERROR; | |
485 } | |
486 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
487 if (!scf->listen) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
488 scf->file = cf->conf_file->file.name.data; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
489 scf->line = cf->conf_file->line; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
490 } |
2224 | 491 |
492 return NGX_CONF_OK; | |
493 } | |
494 | |
495 | |
496 static char * | |
497 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
498 { | |
499 ngx_mail_ssl_conf_t *scf = conf; | |
500 | |
501 char *rv; | |
502 | |
503 rv = ngx_conf_set_enum_slot(cf, cmd, conf); | |
504 | |
505 if (rv != NGX_CONF_OK) { | |
506 return rv; | |
507 } | |
508 | |
509 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6591
diff
changeset
|
510 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
2224 | 511 "\"ssl\" directive conflicts with \"starttls\""); |
512 return NGX_CONF_ERROR; | |
513 } | |
514 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
515 if (!scf->listen) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
516 scf->file = cf->conf_file->file.name.data; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
517 scf->line = cf->conf_file->line; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
518 } |
2224 | 519 |
520 return NGX_CONF_OK; | |
521 } | |
522 | |
523 | |
524 static char * | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
525 ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
526 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
527 ngx_mail_ssl_conf_t *scf = conf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
528 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
529 ngx_str_t *value; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
530 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
531 if (scf->passwords != NGX_CONF_UNSET_PTR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
532 return "is duplicate"; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
533 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
534 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
535 value = cf->args->elts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
536 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
537 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
538 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
539 if (scf->passwords == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
540 return NGX_CONF_ERROR; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
541 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
542 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
543 return NGX_CONF_OK; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
544 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
545 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
546 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
547 static char * |
1136 | 548 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
976 | 549 { |
1136 | 550 ngx_mail_ssl_conf_t *scf = conf; |
976 | 551 |
552 size_t len; | |
553 ngx_str_t *value, name, size; | |
554 ngx_int_t n; | |
555 ngx_uint_t i, j; | |
556 | |
557 value = cf->args->elts; | |
558 | |
559 for (i = 1; i < cf->args->nelts; i++) { | |
560 | |
1778 | 561 if (ngx_strcmp(value[i].data, "off") == 0) { |
562 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
563 continue; | |
564 } | |
565 | |
2032 | 566 if (ngx_strcmp(value[i].data, "none") == 0) { |
567 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
568 continue; | |
569 } | |
570 | |
976 | 571 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
572 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
573 continue; | |
574 } | |
575 | |
576 if (value[i].len > sizeof("builtin:") - 1 | |
577 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
578 == 0) | |
579 { | |
580 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
581 value[i].len - (sizeof("builtin:") - 1)); | |
582 | |
583 if (n == NGX_ERROR) { | |
584 goto invalid; | |
585 } | |
586 | |
587 scf->builtin_session_cache = n; | |
588 | |
589 continue; | |
590 } | |
591 | |
592 if (value[i].len > sizeof("shared:") - 1 | |
593 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
594 == 0) | |
595 { | |
596 len = 0; | |
597 | |
598 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
599 if (value[i].data[j] == ':') { | |
600 break; | |
601 } | |
602 | |
603 len++; | |
604 } | |
605 | |
606 if (len == 0) { | |
607 goto invalid; | |
608 } | |
609 | |
610 name.len = len; | |
611 name.data = value[i].data + sizeof("shared:") - 1; | |
612 | |
613 size.len = value[i].len - j - 1; | |
614 size.data = name.data + len + 1; | |
615 | |
616 n = ngx_parse_size(&size); | |
617 | |
618 if (n == NGX_ERROR) { | |
619 goto invalid; | |
620 } | |
621 | |
622 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
623 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
624 "session cache \"%V\" is too small", | |
625 &value[i]); | |
626 | |
627 return NGX_CONF_ERROR; | |
628 } | |
629 | |
630 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
1136 | 631 &ngx_mail_ssl_module); |
976 | 632 if (scf->shm_zone == NULL) { |
633 return NGX_CONF_ERROR; | |
634 } | |
635 | |
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
636 scf->shm_zone->init = ngx_ssl_session_cache_init; |
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
637 |
976 | 638 continue; |
639 } | |
640 | |
641 goto invalid; | |
642 } | |
643 | |
644 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
645 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
646 } | |
647 | |
648 return NGX_CONF_OK; | |
649 | |
650 invalid: | |
651 | |
652 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
653 "invalid session cache \"%V\"", &value[i]); | |
654 | |
655 return NGX_CONF_ERROR; | |
656 } |