Mercurial > hg > nginx-quic
annotate src/mail/ngx_mail_ssl_module.c @ 6015:e11a8e7e8e0c
Configure: fixed type max value detection.
The code tried to use suffixes for "long" and "long long" types, but
it never worked as intended due to the bug in the shell code. Also,
the max value for any 64-bit type other than "long long" on platforms
with 32-bit "long" would be incorrect if the bug was fixed.
So instead of fixing the bug in the shell code, always use the "int"
constant for 32-bit types, and "long long" constant for 64-bit types.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Wed, 18 Mar 2015 02:04:39 +0300 |
| parents | ec01b1d1fff1 |
| children | a84267233877 |
| rev | line source |
|---|---|
| 539 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
| 539 | 5 */ |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 1136 | 10 #include <ngx_mail.h> |
| 539 | 11 |
| 12 | |
| 3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
| 14 #define NGX_DEFAULT_ECDH_CURVE "prime256v1" | |
| 539 | 15 |
| 16 | |
| 1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
| 18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
| 2224 | 19 |
| 20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 21 void *conf); | |
| 22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 23 void *conf); | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
24 static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
25 void *conf); |
| 1136 | 26 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
| 976 | 27 void *conf); |
| 539 | 28 |
| 29 | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
30 static ngx_conf_enum_t ngx_mail_starttls_state[] = { |
| 1136 | 31 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF }, |
| 32 { ngx_string("on"), NGX_MAIL_STARTTLS_ON }, | |
| 33 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY }, | |
| 583 | 34 { ngx_null_string, 0 } |
| 35 }; | |
| 36 | |
| 37 | |
| 38 | |
| 1136 | 39 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = { |
| 547 | 40 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 41 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 42 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
43 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
44 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
| 547 | 45 { ngx_null_string, 0 } |
| 46 }; | |
| 47 | |
| 48 | |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
49 static ngx_conf_enum_t ngx_mail_ssl_verify[] = { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
50 { ngx_string("off"), 0 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
51 { ngx_string("on"), 1 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
52 { ngx_string("optional"), 2 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
53 { ngx_string("optional_no_ca"), 3 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
54 { ngx_null_string, 0 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
55 }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
56 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
57 |
| 1136 | 58 static ngx_command_t ngx_mail_ssl_commands[] = { |
| 539 | 59 |
| 60 { ngx_string("ssl"), | |
| 1136 | 61 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 2224 | 62 ngx_mail_ssl_enable, |
| 1136 | 63 NGX_MAIL_SRV_CONF_OFFSET, |
| 64 offsetof(ngx_mail_ssl_conf_t, enable), | |
| 539 | 65 NULL }, |
| 66 | |
| 583 | 67 { ngx_string("starttls"), |
| 1136 | 68 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 2224 | 69 ngx_mail_ssl_starttls, |
| 1136 | 70 NGX_MAIL_SRV_CONF_OFFSET, |
| 71 offsetof(ngx_mail_ssl_conf_t, starttls), | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
72 ngx_mail_starttls_state }, |
| 583 | 73 |
| 539 | 74 { ngx_string("ssl_certificate"), |
| 1136 | 75 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 76 ngx_conf_set_str_slot, |
| 1136 | 77 NGX_MAIL_SRV_CONF_OFFSET, |
| 78 offsetof(ngx_mail_ssl_conf_t, certificate), | |
| 539 | 79 NULL }, |
| 80 | |
| 81 { ngx_string("ssl_certificate_key"), | |
| 1136 | 82 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 83 ngx_conf_set_str_slot, |
| 1136 | 84 NGX_MAIL_SRV_CONF_OFFSET, |
| 85 offsetof(ngx_mail_ssl_conf_t, certificate_key), | |
| 539 | 86 NULL }, |
| 87 | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
88 { ngx_string("ssl_password_file"), |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
89 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
90 ngx_mail_ssl_password_file, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
91 NGX_MAIL_SRV_CONF_OFFSET, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
92 0, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
93 NULL }, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
94 |
| 2044 | 95 { ngx_string("ssl_dhparam"), |
| 96 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 97 ngx_conf_set_str_slot, | |
| 98 NGX_MAIL_SRV_CONF_OFFSET, | |
| 99 offsetof(ngx_mail_ssl_conf_t, dhparam), | |
| 100 NULL }, | |
| 101 | |
| 3960 | 102 { ngx_string("ssl_ecdh_curve"), |
| 103 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 104 ngx_conf_set_str_slot, | |
| 105 NGX_MAIL_SRV_CONF_OFFSET, | |
| 106 offsetof(ngx_mail_ssl_conf_t, ecdh_curve), | |
| 107 NULL }, | |
| 108 | |
| 547 | 109 { ngx_string("ssl_protocols"), |
| 1136 | 110 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, |
| 547 | 111 ngx_conf_set_bitmask_slot, |
| 1136 | 112 NGX_MAIL_SRV_CONF_OFFSET, |
| 113 offsetof(ngx_mail_ssl_conf_t, protocols), | |
| 114 &ngx_mail_ssl_protocols }, | |
| 547 | 115 |
| 539 | 116 { ngx_string("ssl_ciphers"), |
| 1136 | 117 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 118 ngx_conf_set_str_slot, |
| 1136 | 119 NGX_MAIL_SRV_CONF_OFFSET, |
| 120 offsetof(ngx_mail_ssl_conf_t, ciphers), | |
| 539 | 121 NULL }, |
| 122 | |
| 547 | 123 { ngx_string("ssl_prefer_server_ciphers"), |
| 1136 | 124 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 547 | 125 ngx_conf_set_flag_slot, |
| 1136 | 126 NGX_MAIL_SRV_CONF_OFFSET, |
| 127 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers), | |
| 547 | 128 NULL }, |
| 563 | 129 |
| 976 | 130 { ngx_string("ssl_session_cache"), |
| 1136 | 131 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
| 132 ngx_mail_ssl_session_cache, | |
| 133 NGX_MAIL_SRV_CONF_OFFSET, | |
| 976 | 134 0, |
| 135 NULL }, | |
| 136 | |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
137 { ngx_string("ssl_session_tickets"), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
138 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
139 ngx_conf_set_flag_slot, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
140 NGX_MAIL_SRV_CONF_OFFSET, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
141 offsetof(ngx_mail_ssl_conf_t, session_tickets), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
142 NULL }, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
143 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
144 { ngx_string("ssl_session_ticket_key"), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
145 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
146 ngx_conf_set_str_array_slot, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
147 NGX_MAIL_SRV_CONF_OFFSET, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
148 offsetof(ngx_mail_ssl_conf_t, session_ticket_keys), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
149 NULL }, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
150 |
| 573 | 151 { ngx_string("ssl_session_timeout"), |
| 1136 | 152 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 573 | 153 ngx_conf_set_sec_slot, |
| 1136 | 154 NGX_MAIL_SRV_CONF_OFFSET, |
| 155 offsetof(ngx_mail_ssl_conf_t, session_timeout), | |
| 573 | 156 NULL }, |
| 547 | 157 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
158 { ngx_string("ssl_verify_client"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
159 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
160 ngx_conf_set_enum_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
161 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
162 offsetof(ngx_mail_ssl_conf_t, verify), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
163 &ngx_mail_ssl_verify }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
164 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
165 { ngx_string("ssl_verify_depth"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
166 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
167 ngx_conf_set_num_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
168 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
169 offsetof(ngx_mail_ssl_conf_t, verify_depth), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
170 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
171 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
172 { ngx_string("ssl_client_certificate"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
173 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
174 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
175 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
176 offsetof(ngx_mail_ssl_conf_t, client_certificate), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
177 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
178 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
179 { ngx_string("ssl_trusted_certificate"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
180 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
181 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
182 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
183 offsetof(ngx_mail_ssl_conf_t, trusted_certificate), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
184 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
185 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
186 { ngx_string("ssl_crl"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
187 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
188 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
189 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
190 offsetof(ngx_mail_ssl_conf_t, crl), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
191 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
192 |
| 539 | 193 ngx_null_command |
| 194 }; | |
| 195 | |
| 196 | |
| 1136 | 197 static ngx_mail_module_t ngx_mail_ssl_module_ctx = { |
|
1487
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
198 NULL, /* protocol */ |
|
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
199 |
| 539 | 200 NULL, /* create main configuration */ |
| 201 NULL, /* init main configuration */ | |
| 202 | |
| 1136 | 203 ngx_mail_ssl_create_conf, /* create server configuration */ |
| 204 ngx_mail_ssl_merge_conf /* merge server configuration */ | |
| 539 | 205 }; |
| 206 | |
| 207 | |
| 1136 | 208 ngx_module_t ngx_mail_ssl_module = { |
| 539 | 209 NGX_MODULE_V1, |
| 1136 | 210 &ngx_mail_ssl_module_ctx, /* module context */ |
| 211 ngx_mail_ssl_commands, /* module directives */ | |
| 212 NGX_MAIL_MODULE, /* module type */ | |
| 541 | 213 NULL, /* init master */ |
| 539 | 214 NULL, /* init module */ |
| 541 | 215 NULL, /* init process */ |
| 216 NULL, /* init thread */ | |
| 217 NULL, /* exit thread */ | |
| 218 NULL, /* exit process */ | |
| 219 NULL, /* exit master */ | |
| 220 NGX_MODULE_V1_PADDING | |
| 539 | 221 }; |
| 222 | |
| 223 | |
| 1136 | 224 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL"); |
| 543 | 225 |
| 226 | |
| 539 | 227 static void * |
| 1136 | 228 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
| 577 | 229 { |
| 1136 | 230 ngx_mail_ssl_conf_t *scf; |
| 577 | 231 |
| 1136 | 232 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
| 539 | 233 if (scf == NULL) { |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
234 return NULL; |
| 539 | 235 } |
| 236 | |
| 237 /* | |
| 577 | 238 * set by ngx_pcalloc(): |
| 539 | 239 * |
| 547 | 240 * scf->protocols = 0; |
| 2044 | 241 * scf->certificate = { 0, NULL }; |
| 242 * scf->certificate_key = { 0, NULL }; | |
| 243 * scf->dhparam = { 0, NULL }; | |
| 3960 | 244 * scf->ecdh_curve = { 0, NULL }; |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
245 * scf->client_certificate = { 0, NULL }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
246 * scf->trusted_certificate = { 0, NULL }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
247 * scf->crl = { 0, NULL }; |
|
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
248 * scf->ciphers = { 0, NULL }; |
| 976 | 249 * scf->shm_zone = NULL; |
| 539 | 250 */ |
| 251 | |
| 252 scf->enable = NGX_CONF_UNSET; | |
| 2759 | 253 scf->starttls = NGX_CONF_UNSET_UINT; |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
254 scf->passwords = NGX_CONF_UNSET_PTR; |
| 976 | 255 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
256 scf->verify = NGX_CONF_UNSET_UINT; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
257 scf->verify_depth = NGX_CONF_UNSET_UINT; |
| 976 | 258 scf->builtin_session_cache = NGX_CONF_UNSET; |
| 573 | 259 scf->session_timeout = NGX_CONF_UNSET; |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
260 scf->session_tickets = NGX_CONF_UNSET; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
261 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 539 | 262 |
| 263 return scf; | |
| 264 } | |
| 265 | |
| 266 | |
| 267 static char * | |
| 1136 | 268 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
| 539 | 269 { |
| 1136 | 270 ngx_mail_ssl_conf_t *prev = parent; |
| 271 ngx_mail_ssl_conf_t *conf = child; | |
| 539 | 272 |
| 2224 | 273 char *mode; |
| 563 | 274 ngx_pool_cleanup_t *cln; |
| 275 | |
| 539 | 276 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
| 2224 | 277 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
| 278 NGX_MAIL_STARTTLS_OFF); | |
| 539 | 279 |
| 573 | 280 ngx_conf_merge_value(conf->session_timeout, |
| 281 prev->session_timeout, 300); | |
| 282 | |
| 547 | 283 ngx_conf_merge_value(conf->prefer_server_ciphers, |
| 284 prev->prefer_server_ciphers, 0); | |
| 285 | |
| 286 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
287 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
288 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 547 | 289 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
290 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
291 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
292 |
| 2224 | 293 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
| 294 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
| 539 | 295 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
296 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
297 |
| 2044 | 298 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
| 299 | |
| 3960 | 300 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 301 NGX_DEFAULT_ECDH_CURVE); | |
| 302 | |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
303 ngx_conf_merge_str_value(conf->client_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
304 prev->client_certificate, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
305 ngx_conf_merge_str_value(conf->trusted_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
306 prev->trusted_certificate, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
307 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
308 |
| 2124 | 309 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 539 | 310 |
| 311 | |
| 547 | 312 conf->ssl.log = cf->log; |
| 539 | 313 |
| 2224 | 314 if (conf->enable) { |
| 315 mode = "ssl"; | |
| 316 | |
| 317 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
| 318 mode = "starttls"; | |
| 319 | |
| 320 } else { | |
| 321 mode = ""; | |
| 322 } | |
| 323 | |
|
5401
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
324 if (conf->file == NULL) { |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
325 conf->file = prev->file; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
326 conf->line = prev->line; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
327 } |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
328 |
| 2224 | 329 if (*mode) { |
| 330 | |
| 331 if (conf->certificate.len == 0) { | |
| 332 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 333 "no \"ssl_certificate\" is defined for " | |
| 334 "the \"%s\" directive in %s:%ui", | |
| 335 mode, conf->file, conf->line); | |
| 336 return NGX_CONF_ERROR; | |
| 337 } | |
| 338 | |
| 339 if (conf->certificate_key.len == 0) { | |
| 340 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 341 "no \"ssl_certificate_key\" is defined for " | |
| 342 "the \"%s\" directive in %s:%ui", | |
| 343 mode, conf->file, conf->line); | |
| 344 return NGX_CONF_ERROR; | |
| 345 } | |
| 346 | |
| 347 } else { | |
| 348 | |
| 349 if (conf->certificate.len == 0) { | |
| 350 return NGX_CONF_OK; | |
| 351 } | |
| 352 | |
| 353 if (conf->certificate_key.len == 0) { | |
| 354 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 355 "no \"ssl_certificate_key\" is defined " | |
| 356 "for certificate \"%V\"", | |
| 357 &conf->certificate); | |
| 358 return NGX_CONF_ERROR; | |
| 359 } | |
| 360 } | |
| 361 | |
| 969 | 362 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 539 | 363 return NGX_CONF_ERROR; |
| 364 } | |
| 365 | |
| 563 | 366 cln = ngx_pool_cleanup_add(cf->pool, 0); |
| 367 if (cln == NULL) { | |
| 539 | 368 return NGX_CONF_ERROR; |
| 369 } | |
| 370 | |
| 563 | 371 cln->handler = ngx_ssl_cleanup_ctx; |
| 372 cln->data = &conf->ssl; | |
| 373 | |
| 374 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
375 &conf->certificate_key, conf->passwords) |
| 563 | 376 != NGX_OK) |
| 547 | 377 { |
| 378 return NGX_CONF_ERROR; | |
| 379 } | |
| 539 | 380 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
381 if (conf->verify) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
382 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
383 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
384 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
385 "no ssl_client_certificate for ssl_client_verify"); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
386 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
387 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
388 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
389 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
390 &conf->client_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
391 conf->verify_depth) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
392 != NGX_OK) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
393 { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
394 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
395 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
396 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
397 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
398 &conf->trusted_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
399 conf->verify_depth) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
400 != NGX_OK) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
401 { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
402 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
403 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
404 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
405 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
406 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
407 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
408 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
409 |
|
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
410 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
411 (const char *) conf->ciphers.data) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
412 == 0) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
413 { |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
414 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
415 "SSL_CTX_set_cipher_list(\"%V\") failed", |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
416 &conf->ciphers); |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
417 return NGX_CONF_ERROR; |
| 539 | 418 } |
| 419 | |
| 563 | 420 if (conf->prefer_server_ciphers) { |
| 421 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
| 422 } | |
| 423 | |
|
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3938
diff
changeset
|
424 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
| 539 | 425 |
| 2044 | 426 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 427 return NGX_CONF_ERROR; | |
| 428 } | |
| 429 | |
|
5219
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
430 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
431 return NGX_CONF_ERROR; |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
432 } |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
433 |
| 976 | 434 ngx_conf_merge_value(conf->builtin_session_cache, |
| 2032 | 435 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
| 976 | 436 |
| 437 if (conf->shm_zone == NULL) { | |
| 438 conf->shm_zone = prev->shm_zone; | |
| 439 } | |
| 539 | 440 |
| 1136 | 441 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
| 976 | 442 conf->builtin_session_cache, |
| 443 conf->shm_zone, conf->session_timeout) | |
| 444 != NGX_OK) | |
| 445 { | |
| 446 return NGX_CONF_ERROR; | |
| 447 } | |
| 573 | 448 |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
449 ngx_conf_merge_value(conf->session_tickets, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
450 prev->session_tickets, 1); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
451 |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
452 #ifdef SSL_OP_NO_TICKET |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
453 if (!conf->session_tickets) { |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
454 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
455 } |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
456 #endif |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
457 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
458 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
459 prev->session_ticket_keys, NULL); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
460 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
461 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
462 != NGX_OK) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
463 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
464 return NGX_CONF_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
465 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
466 |
| 539 | 467 return NGX_CONF_OK; |
| 468 } | |
| 563 | 469 |
| 577 | 470 |
| 976 | 471 static char * |
| 2224 | 472 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 473 { | |
| 474 ngx_mail_ssl_conf_t *scf = conf; | |
| 475 | |
| 476 char *rv; | |
| 477 | |
| 478 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
| 479 | |
| 480 if (rv != NGX_CONF_OK) { | |
| 481 return rv; | |
| 482 } | |
| 483 | |
| 484 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 485 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 486 "\"starttls\" directive conflicts with \"ssl on\""); | |
| 487 return NGX_CONF_ERROR; | |
| 488 } | |
| 489 | |
| 490 scf->file = cf->conf_file->file.name.data; | |
| 491 scf->line = cf->conf_file->line; | |
| 492 | |
| 493 return NGX_CONF_OK; | |
| 494 } | |
| 495 | |
| 496 | |
| 497 static char * | |
| 498 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 499 { | |
| 500 ngx_mail_ssl_conf_t *scf = conf; | |
| 501 | |
| 502 char *rv; | |
| 503 | |
| 504 rv = ngx_conf_set_enum_slot(cf, cmd, conf); | |
| 505 | |
| 506 if (rv != NGX_CONF_OK) { | |
| 507 return rv; | |
| 508 } | |
| 509 | |
| 510 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 511 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 512 "\"ssl\" directive conflicts with \"starttls\""); | |
| 513 return NGX_CONF_ERROR; | |
| 514 } | |
| 515 | |
| 516 scf->file = cf->conf_file->file.name.data; | |
| 517 scf->line = cf->conf_file->line; | |
| 518 | |
| 519 return NGX_CONF_OK; | |
| 520 } | |
| 521 | |
| 522 | |
| 523 static char * | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
524 ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
525 { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
526 ngx_mail_ssl_conf_t *scf = conf; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
527 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
528 ngx_str_t *value; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
529 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
530 if (scf->passwords != NGX_CONF_UNSET_PTR) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
531 return "is duplicate"; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
532 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
533 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
534 value = cf->args->elts; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
535 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
536 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
537 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
538 if (scf->passwords == NULL) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
539 return NGX_CONF_ERROR; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
540 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
541 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
542 return NGX_CONF_OK; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
543 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
544 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
545 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
546 static char * |
| 1136 | 547 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 976 | 548 { |
| 1136 | 549 ngx_mail_ssl_conf_t *scf = conf; |
| 976 | 550 |
| 551 size_t len; | |
| 552 ngx_str_t *value, name, size; | |
| 553 ngx_int_t n; | |
| 554 ngx_uint_t i, j; | |
| 555 | |
| 556 value = cf->args->elts; | |
| 557 | |
| 558 for (i = 1; i < cf->args->nelts; i++) { | |
| 559 | |
| 1778 | 560 if (ngx_strcmp(value[i].data, "off") == 0) { |
| 561 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 562 continue; | |
| 563 } | |
| 564 | |
| 2032 | 565 if (ngx_strcmp(value[i].data, "none") == 0) { |
| 566 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 567 continue; | |
| 568 } | |
| 569 | |
| 976 | 570 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
| 571 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 572 continue; | |
| 573 } | |
| 574 | |
| 575 if (value[i].len > sizeof("builtin:") - 1 | |
| 576 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 577 == 0) | |
| 578 { | |
| 579 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 580 value[i].len - (sizeof("builtin:") - 1)); | |
| 581 | |
| 582 if (n == NGX_ERROR) { | |
| 583 goto invalid; | |
| 584 } | |
| 585 | |
| 586 scf->builtin_session_cache = n; | |
| 587 | |
| 588 continue; | |
| 589 } | |
| 590 | |
| 591 if (value[i].len > sizeof("shared:") - 1 | |
| 592 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 593 == 0) | |
| 594 { | |
| 595 len = 0; | |
| 596 | |
| 597 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 598 if (value[i].data[j] == ':') { | |
| 599 break; | |
| 600 } | |
| 601 | |
| 602 len++; | |
| 603 } | |
| 604 | |
| 605 if (len == 0) { | |
| 606 goto invalid; | |
| 607 } | |
| 608 | |
| 609 name.len = len; | |
| 610 name.data = value[i].data + sizeof("shared:") - 1; | |
| 611 | |
| 612 size.len = value[i].len - j - 1; | |
| 613 size.data = name.data + len + 1; | |
| 614 | |
| 615 n = ngx_parse_size(&size); | |
| 616 | |
| 617 if (n == NGX_ERROR) { | |
| 618 goto invalid; | |
| 619 } | |
| 620 | |
| 621 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 622 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 623 "session cache \"%V\" is too small", | |
| 624 &value[i]); | |
| 625 | |
| 626 return NGX_CONF_ERROR; | |
| 627 } | |
| 628 | |
| 629 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 1136 | 630 &ngx_mail_ssl_module); |
| 976 | 631 if (scf->shm_zone == NULL) { |
| 632 return NGX_CONF_ERROR; | |
| 633 } | |
| 634 | |
|
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
635 scf->shm_zone->init = ngx_ssl_session_cache_init; |
|
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
636 |
| 976 | 637 continue; |
| 638 } | |
| 639 | |
| 640 goto invalid; | |
| 641 } | |
| 642 | |
| 643 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 644 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 645 } | |
| 646 | |
| 647 return NGX_CONF_OK; | |
| 648 | |
| 649 invalid: | |
| 650 | |
| 651 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 652 "invalid session cache \"%V\"", &value[i]); | |
| 653 | |
| 654 return NGX_CONF_ERROR; | |
| 655 } |