FastCGI: combining headers with identical names (ticket #1724).
FastCGI responder is expected to receive CGI/1.1 environment variables
in the parameters (see section "6.2 Responder" of the FastCGI specification).
Obviously enough, there cannot be multiple environment variables with
the same name.
Further, CGI specification (RFC 3875, section "4.1.18. Protocol-Specific
Meta-Variables") explicitly requires combining headers: "If multiple
header fields with the same field-name are received then the server MUST
rewrite them as a single value having the same semantics".
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 30 May 2022 21:25:27 +0300 |
parents | dc955d274130 |
children | e32b48848add |
539 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
539 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
1136 | 10 #include <ngx_mail.h> |
539 | 11 |
12 | |
/*
 * Fallback values used when "ssl_ciphers" and "ssl_ecdh_curve" are not
 * configured (presumably consumed by ngx_mail_ssl_merge_conf(), outside this
 * view).  They must stay string literals: the ngx_conf_merge_str_value()
 * family takes sizeof() of the default.
 *
 * The cipher string is an OpenSSL cipher list: "HIGH" selects high-strength
 * suites, "!aNULL" drops suites without peer authentication (anonymous DH),
 * "!MD5" drops suites using MD5 as the MAC.
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "auto"
539 | 15 |
16 | |
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
/* ALPN selection callback; only built when the SSL library exposes ALPN */
static int ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
    const unsigned char **out, unsigned char *outlen,
    const unsigned char *in, unsigned int inlen, void *arg);
#endif

/* per-server configuration hooks registered in ngx_mail_ssl_module_ctx */
static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);

/* directive handlers referenced from ngx_mail_ssl_commands */
static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

/* post handler run on each "ssl_conf_command" value
 * (see ngx_mail_ssl_conf_command_post) */
static char *ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post,
    void *data);
37 |
539 | 38 |
/*
 * Keyword table for the "starttls" directive; the matching value is stored
 * into the starttls field of ngx_mail_ssl_conf_t.
 */
static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
    { .name = ngx_string("off"),  .value = NGX_MAIL_STARTTLS_OFF },
    { .name = ngx_string("on"),   .value = NGX_MAIL_STARTTLS_ON },
    { .name = ngx_string("only"), .value = NGX_MAIL_STARTTLS_ONLY },
    { .name = ngx_null_string,    .value = 0 }    /* terminator */
};
45 | |
46 | |
47 | |
/*
 * Protocol names accepted by "ssl_protocols"; each keyword OR-s its mask
 * into the protocols bitmask of ngx_mail_ssl_conf_t.  SSLv2 and SSLv3 stay
 * parseable so existing configurations still load; what a mask bit does to
 * the SSL context is decided where the bitmask is applied, outside this
 * file.
 */
static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
    { .name = ngx_string("SSLv2"),   .mask = NGX_SSL_SSLv2 },
    { .name = ngx_string("SSLv3"),   .mask = NGX_SSL_SSLv3 },
    { .name = ngx_string("TLSv1"),   .mask = NGX_SSL_TLSv1 },
    { .name = ngx_string("TLSv1.1"), .mask = NGX_SSL_TLSv1_1 },
    { .name = ngx_string("TLSv1.2"), .mask = NGX_SSL_TLSv1_2 },
    { .name = ngx_string("TLSv1.3"), .mask = NGX_SSL_TLSv1_3 },
    { .name = ngx_null_string,       .mask = 0 }    /* terminator */
};
57 | |
58 | |
/*
 * Keyword table for "ssl_verify_client".  ngx_conf_set_enum_slot stores
 * the numeric code into the verify field; the mapping of each code onto the
 * SSL library's client-certificate verification mode lives outside this
 * view.
 */
static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
    { .name = ngx_string("off"),            .value = 0 },
    { .name = ngx_string("on"),             .value = 1 },
    { .name = ngx_string("optional"),       .value = 2 },
    { .name = ngx_string("optional_no_ca"), .value = 3 },
    { .name = ngx_null_string,              .value = 0 }    /* terminator */
};
66 |
67 |
/*
 * Post handler attached to the bare "ssl" directive: reports it as
 * deprecated and names "listen ... ssl" as the replacement.
 */
static ngx_conf_deprecated_t  ngx_mail_ssl_deprecated = {
    .post_handler = ngx_conf_deprecated,
    .old_name = "ssl",
    .new_name = "listen ... ssl"
};
71 |
72 |
/* post handler run on every "ssl_conf_command" key/value pair */
static ngx_conf_post_t  ngx_mail_ssl_conf_command_post = {
    .post_handler = ngx_mail_ssl_conf_command_check
};
75 |
76 |
/*
 * Directives of the mail ssl module.  Every directive is allowed in both
 * the mail{} and server{} blocks and targets the per-server
 * ngx_mail_ssl_conf_t (NGX_MAIL_SRV_CONF_OFFSET).  Entries with a zero
 * offset are handled entirely by their custom setter.
 */
static ngx_command_t  ngx_mail_ssl_commands[] = {

    /* legacy on/off switch, reported as deprecated via the post handler */
    { .name = ngx_string("ssl"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      .set = ngx_mail_ssl_enable,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, enable),
      .post = &ngx_mail_ssl_deprecated },

    /* off | on | only, see ngx_mail_starttls_state */
    { .name = ngx_string("starttls"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_mail_ssl_starttls,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, starttls),
      .post = ngx_mail_starttls_state },

    /* server certificates and keys; arrays, so the directive may repeat */
    { .name = ngx_string("ssl_certificate"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_array_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, certificates),
      .post = NULL },

    { .name = ngx_string("ssl_certificate_key"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_array_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, certificate_keys),
      .post = NULL },

    /* key passphrases are read by the setter itself, no field offset */
    { .name = ngx_string("ssl_password_file"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_mail_ssl_password_file,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = 0,
      .post = NULL },

    /* key-exchange parameters */
    { .name = ngx_string("ssl_dhparam"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, dhparam),
      .post = NULL },

    { .name = ngx_string("ssl_ecdh_curve"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
      .post = NULL },

    /* protocol versions and cipher selection */
    { .name = ngx_string("ssl_protocols"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
      .set = ngx_conf_set_bitmask_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, protocols),
      .post = &ngx_mail_ssl_protocols },

    { .name = ngx_string("ssl_ciphers"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, ciphers),
      .post = NULL },

    { .name = ngx_string("ssl_prefer_server_ciphers"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      .set = ngx_conf_set_flag_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
      .post = NULL },

    /* session resumption: cache (custom setter, no field offset),
     * tickets, ticket keys and lifetime */
    { .name = ngx_string("ssl_session_cache"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
      .set = ngx_mail_ssl_session_cache,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = 0,
      .post = NULL },

    { .name = ngx_string("ssl_session_tickets"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      .set = ngx_conf_set_flag_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, session_tickets),
      .post = NULL },

    { .name = ngx_string("ssl_session_ticket_key"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_array_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
      .post = NULL },

    { .name = ngx_string("ssl_session_timeout"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_sec_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, session_timeout),
      .post = NULL },

    /* client certificate authentication */
    { .name = ngx_string("ssl_verify_client"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_enum_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, verify),
      .post = &ngx_mail_ssl_verify },

    { .name = ngx_string("ssl_verify_depth"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_num_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, verify_depth),
      .post = NULL },

    { .name = ngx_string("ssl_client_certificate"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, client_certificate),
      .post = NULL },

    { .name = ngx_string("ssl_trusted_certificate"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, trusted_certificate),
      .post = NULL },

    { .name = ngx_string("ssl_crl"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      .set = ngx_conf_set_str_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, crl),
      .post = NULL },

    /* raw library configuration commands, each pair checked by the post
     * handler before being stored */
    { .name = ngx_string("ssl_conf_command"),
      .type = NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE2,
      .set = ngx_conf_set_keyval_slot,
      .conf = NGX_MAIL_SRV_CONF_OFFSET,
      .offset = offsetof(ngx_mail_ssl_conf_t, conf_commands),
      .post = &ngx_mail_ssl_conf_command_post },

    ngx_null_command
};
221 | |
222 | |
/*
 * Module context.  The ssl module brings no mail protocol of its own and
 * keeps no main configuration; it only creates and merges the per-server
 * ssl configuration.
 */
static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
    .protocol = NULL,
    .create_main_conf = NULL,
    .init_main_conf = NULL,
    .create_srv_conf = ngx_mail_ssl_create_conf,
    .merge_srv_conf = ngx_mail_ssl_merge_conf
};
232 | |
233 | |
/*
 * Module descriptor.  Its layout is fixed by NGX_MODULE_V1 and
 * NGX_MODULE_V1_PADDING, so the positional form is kept as is.  All
 * process-lifecycle hooks are unset: the module acts only at configuration
 * time through ngx_mail_ssl_module_ctx and the directive handlers.
 */
ngx_module_t  ngx_mail_ssl_module = {
    NGX_MODULE_V1,
    &ngx_mail_ssl_module_ctx,              /* module context */
    ngx_mail_ssl_commands,                 /* module directives */
    NGX_MAIL_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
248 | |
249 | |
/*
 * Session-id context for the mail subsystem.  Presumably passed to the
 * session cache setup in ngx_mail_ssl_merge_conf() (outside this view) so
 * that resumed SSL sessions are scoped to mail rather than shared with the
 * SSL contexts of other subsystems.
 */
static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");
543 | 251 |
252 | |
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

/*
 * ALPN selection callback (SSL_CTX_set_alpn_select_cb() signature).
 *
 * The server-preferred list is the "alpn" string of the protocol found in
 * the mail core server configuration of the session; "in"/"inlen" is the
 * client's list in ALPN wire format (a length byte followed by that many
 * name bytes, repeated).  "arg" is the registration argument and is not
 * used here.
 *
 * Returns SSL_TLSEXT_ERR_OK with *out/*outlen pointing at the selected name,
 * or SSL_TLSEXT_ERR_ALERT_FATAL when the client offers nothing the server
 * speaks, so the handshake is aborted rather than continued without ALPN.
 */
static int
ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
    unsigned char *outlen, const unsigned char *in, unsigned int inlen,
    void *arg)
{
    int                        rc;
    unsigned int               serverlen;
    unsigned char             *server;
    ngx_connection_t          *c;
    ngx_mail_session_t        *s;
    ngx_mail_core_srv_conf_t  *cscf;
#if (NGX_DEBUG)
    unsigned int               pos;
#endif

    c = ngx_ssl_get_connection(ssl_conn);
    s = c->data;

#if (NGX_DEBUG)
    /*
     * debug-only dump of the client's offer; the walk trusts the list
     * framing, relying on the SSL library to have validated the ALPN
     * extension before invoking this callback
     */
    pos = 0;
    while (pos < inlen) {
        ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
                       "SSL ALPN supported by client: %*s",
                       (size_t) in[pos], &in[pos + 1]);
        pos += in[pos] + 1;
    }
#endif

    cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);

    server = cscf->protocol->alpn.data;
    serverlen = cscf->protocol->alpn.len;

    /* server preference wins: the first server entry the client also lists */
    rc = SSL_select_next_proto((unsigned char **) out, outlen,
                               server, serverlen, in, inlen);

    if (rc != OPENSSL_NPN_NEGOTIATED) {
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
                   "SSL ALPN selected: %*s", (size_t) *outlen, *out);

    return SSL_TLSEXT_ERR_OK;
}

#endif
299 |
300 |
/*
 * Allocates the per-server ssl configuration from the configuration pool.
 *
 * Fields not assigned below are left zeroed by ngx_pcalloc(); the rest are
 * marked with the NGX_CONF_UNSET* sentinels so that the merge step can
 * distinguish "not configured" from an explicit value and inherit from the
 * enclosing level.  Returns NULL on allocation failure.
 */
static void *
ngx_mail_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_mail_ssl_conf_t  *sslcf;

    sslcf = ngx_pcalloc(cf->pool, sizeof(*sslcf));
    if (sslcf == NULL) {
        return NULL;
    }

    /*
     * zeroed by ngx_pcalloc() and therefore not touched here:
     *
     *     sslcf->listen = 0;
     *     sslcf->protocols = 0;
     *     sslcf->dhparam = { 0, NULL };
     *     sslcf->ecdh_curve = { 0, NULL };
     *     sslcf->client_certificate = { 0, NULL };
     *     sslcf->trusted_certificate = { 0, NULL };
     *     sslcf->crl = { 0, NULL };
     *     sslcf->ciphers = { 0, NULL };
     *     sslcf->shm_zone = NULL;
     */

    /* signed-valued fields (flags and seconds) */
    sslcf->enable = NGX_CONF_UNSET;
    sslcf->prefer_server_ciphers = NGX_CONF_UNSET;
    sslcf->builtin_session_cache = NGX_CONF_UNSET;
    sslcf->session_timeout = NGX_CONF_UNSET;
    sslcf->session_tickets = NGX_CONF_UNSET;

    /* unsigned enumerations and counters */
    sslcf->starttls = NGX_CONF_UNSET_UINT;
    sslcf->verify = NGX_CONF_UNSET_UINT;
    sslcf->verify_depth = NGX_CONF_UNSET_UINT;

    /* array-valued directives */
    sslcf->certificates = NGX_CONF_UNSET_PTR;
    sslcf->certificate_keys = NGX_CONF_UNSET_PTR;
    sslcf->passwords = NGX_CONF_UNSET_PTR;
    sslcf->conf_commands = NGX_CONF_UNSET_PTR;
    sslcf->session_ticket_keys = NGX_CONF_UNSET_PTR;

    return sslcf;
}
/*
 * Merges the SSL settings of a server{} with those inherited from the
 * enclosing mail{} block and, when SSL is in use for the server, builds
 * its SSL_CTX.
 *
 * SSL is in use when the server has "listen ... ssl", "ssl on", or a
 * "starttls" mode other than off; otherwise only the plain value merge
 * is performed and the function returns early without creating a context.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR when a required setting is
 * missing or one of the ngx_ssl_*() setup calls fails.  Statement order
 * matters below: the pool cleanup is registered right after the context
 * is created, ciphers are set before certificates are loaded, and the
 * session cache is configured only after the certificates are known.
 */
static char *
ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_mail_ssl_conf_t *prev = parent;
    ngx_mail_ssl_conf_t *conf = child;

    char                *mode;
    ngx_pool_cleanup_t  *cln;

    ngx_conf_merge_value(conf->enable, prev->enable, 0);
    ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
                         NGX_MAIL_STARTTLS_OFF);

    ngx_conf_merge_value(conf->session_timeout,
                         prev->session_timeout, 300);

    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /* SSLv3 is deliberately absent from the default protocol set */
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

    ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
    ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
                         NULL);

    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

    ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                         NGX_DEFAULT_ECDH_CURVE);

    ngx_conf_merge_str_value(conf->client_certificate,
                         prev->client_certificate, "");
    ngx_conf_merge_str_value(conf->trusted_certificate,
                         prev->trusted_certificate, "");
    ngx_conf_merge_str_value(conf->crl, prev->crl, "");

    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

    ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);


    conf->ssl.log = cf->log;

    /* which directive turned SSL on here; only used in error messages */
    if (conf->listen) {
        mode = "listen ... ssl";

    } else if (conf->enable) {
        mode = "ssl";

    } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
        mode = "starttls";

    } else {
        /* neither SSL nor STARTTLS for this server: no context to build */
        return NGX_CONF_OK;
    }

    /*
     * the enabling directive may have been given at the mail{} level;
     * report that location instead of dereferencing a NULL file name
     */
    if (conf->file == NULL) {
        conf->file = prev->file;
        conf->line = prev->line;
    }

    /* a certificate and its key are mandatory once SSL is in use */
    if (conf->certificates == NULL) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate\" is defined for "
                      "the \"%s\" directive in %s:%ui",
                      mode, conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    if (conf->certificate_keys == NULL) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined for "
                      "the \"%s\" directive in %s:%ui",
                      mode, conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    /*
     * keys pair with certificates by position; with fewer keys than
     * certificates the last certificate is necessarily left without one
     */
    if (conf->certificate_keys->nelts < conf->certificates->nelts) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined "
                      "for certificate \"%V\" and "
                      "the \"%s\" directive in %s:%ui",
                      ((ngx_str_t *) conf->certificates->elts)
                      + conf->certificates->nelts - 1,
                      mode, conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /*
     * register the cleanup before anything else can fail, so that an
     * error on any of the paths below does not leak the SSL_CTX
     */
    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        ngx_ssl_cleanup_ctx(&conf->ssl);
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
    /* connections offering an ALPN protocol the listener does not serve
       are rejected in ngx_mail_ssl_alpn_select() */
    SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
#endif

    /* ciphers must be configured before the certificates are loaded
       (ticket #2035) */
    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
                        conf->prefer_server_ciphers)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
                             conf->certificate_keys, conf->passwords)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /*
     * client certificate verification; verify == 3 is the
     * "optional_no_ca" mode, the only non-zero mode that works without a
     * CA file
     */
    if (conf->verify) {

        if (conf->client_certificate.len == 0 && conf->verify != 3) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no ssl_client_certificate for ssl_verify_client");
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                       &conf->client_certificate,
                                       conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
                                        &conf->trusted_certificate,
                                        conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
            return NGX_CONF_ERROR;
        }
    }

    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    ngx_conf_merge_value(conf->builtin_session_cache,
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

    /* the shared zone is not a merge-macro value; inherit it by hand */
    if (conf->shm_zone == NULL) {
        conf->shm_zone = prev->shm_zone;
    }

    /*
     * the session id context is derived from the certificates, which is
     * why the cache is set up only after they have been loaded
     */
    if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
                              conf->certificates, conf->builtin_session_cache,
                              conf->shm_zone, conf->session_timeout)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    ngx_conf_merge_value(conf->session_tickets,
                         prev->session_tickets, 1);

#ifdef SSL_OP_NO_TICKET
    /* "ssl_session_tickets off" */
    if (!conf->session_tickets) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
    }
#endif

    ngx_conf_merge_ptr_value(conf->session_ticket_keys,
                             prev->session_ticket_keys, NULL);

    if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /* "ssl_conf_command" values are applied last so they can override
       everything set above */
    if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}
/*
 * Handler for the "ssl" directive.
 *
 * Parses the on/off flag, rejects "ssl on" in a server that already has
 * "starttls" in a mode other than off, and, unless the server has
 * "listen ... ssl", records the directive's file and line so that
 * ngx_mail_ssl_merge_conf() can name it when no certificate is set.
 *
 * Returns NGX_CONF_OK, the flag slot's error string, or NGX_CONF_ERROR.
 */
static char *
ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    char  *rc;

    rc = ngx_conf_set_flag_slot(cf, cmd, conf);
    if (rc != NGX_CONF_OK) {
        return rc;
    }

    if (scf->enable) {
        /*
         * the cast keeps a still unset starttls (NGX_CONF_UNSET_UINT)
         * below NGX_MAIL_STARTTLS_OFF, so only an explicit mode conflicts
         */
        if ((ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                               "\"starttls\" directive conflicts with \"ssl on\"");
            return NGX_CONF_ERROR;
        }
    }

    if (scf->listen == 0) {
        scf->file = cf->conf_file->file.name.data;
        scf->line = cf->conf_file->line;
    }

    return NGX_CONF_OK;
}
/*
 * Handler for the "starttls" directive.
 *
 * Parses the mode, rejects a mode other than off in a server that already
 * has "ssl on", and, unless the server has "listen ... ssl", records the
 * directive's file and line so that ngx_mail_ssl_merge_conf() can name
 * it when no certificate is set.
 *
 * Returns NGX_CONF_OK, the enum slot's error string, or NGX_CONF_ERROR.
 */
static char *
ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    char  *rc;

    rc = ngx_conf_set_enum_slot(cf, cmd, conf);
    if (rc != NGX_CONF_OK) {
        return rc;
    }

    /*
     * scf->enable may still be NGX_CONF_UNSET at this point, so it is
     * compared with 1 rather than tested for being non-zero
     */
    if (scf->enable == 1) {
        if ((ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                               "\"ssl\" directive conflicts with \"starttls\"");
            return NGX_CONF_ERROR;
        }
    }

    if (scf->listen == 0) {
        scf->file = cf->conf_file->file.name.data;
        scf->line = cf->conf_file->line;
    }

    return NGX_CONF_OK;
}
/*
 * Handler for the "ssl_password_file" directive.
 *
 * Reads the key passwords from the file named by the single argument into
 * scf->passwords.  The NGX_CONF_UNSET_PTR marker left by
 * ngx_mail_ssl_create_conf() doubles as the "not seen yet" flag, so a
 * second occurrence of the directive is reported as a duplicate.
 *
 * Returns NGX_CONF_OK, the string "is duplicate", or NGX_CONF_ERROR when
 * the file could not be read.
 */
static char *
ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    ngx_str_t  *args;

    args = cf->args->elts;

    if (scf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    scf->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    return (scf->passwords == NULL) ? NGX_CONF_ERROR : NGX_CONF_OK;
}
626 static char * |
1136 | 627 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
976 | 628 { |
1136 | 629 ngx_mail_ssl_conf_t *scf = conf; |
976 | 630 |
631 size_t len; | |
632 ngx_str_t *value, name, size; | |
633 ngx_int_t n; | |
634 ngx_uint_t i, j; | |
635 | |
636 value = cf->args->elts; | |
637 | |
638 for (i = 1; i < cf->args->nelts; i++) { | |
639 | |
1778 | 640 if (ngx_strcmp(value[i].data, "off") == 0) { |
641 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
642 continue; | |
643 } | |
644 | |
2032 | 645 if (ngx_strcmp(value[i].data, "none") == 0) { |
646 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
647 continue; | |
648 } | |
649 | |
976 | 650 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
651 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
652 continue; | |
653 } | |
654 | |
655 if (value[i].len > sizeof("builtin:") - 1 | |
656 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
657 == 0) | |
658 { | |
659 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
660 value[i].len - (sizeof("builtin:") - 1)); | |
661 | |
662 if (n == NGX_ERROR) { | |
663 goto invalid; | |
664 } | |
665 | |
666 scf->builtin_session_cache = n; | |
667 | |
668 continue; | |
669 } | |
670 | |
671 if (value[i].len > sizeof("shared:") - 1 | |
672 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
673 == 0) | |
674 { | |
675 len = 0; | |
676 | |
677 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
678 if (value[i].data[j] == ':') { | |
679 break; | |
680 } | |
681 | |
682 len++; | |
683 } | |
684 | |
685 if (len == 0) { | |
686 goto invalid; | |
687 } | |
688 | |
689 name.len = len; | |
690 name.data = value[i].data + sizeof("shared:") - 1; | |
691 | |
692 size.len = value[i].len - j - 1; | |
693 size.data = name.data + len + 1; | |
694 | |
695 n = ngx_parse_size(&size); | |
696 | |
697 if (n == NGX_ERROR) { | |
698 goto invalid; | |
699 } | |
700 | |
701 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
702 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
703 "session cache \"%V\" is too small", | |
704 &value[i]); | |
705 | |
706 return NGX_CONF_ERROR; | |
707 } | |
708 | |
709 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
1136 | 710 &ngx_mail_ssl_module); |
976 | 711 if (scf->shm_zone == NULL) { |
712 return NGX_CONF_ERROR; | |
713 } | |
714 | |
715 scf->shm_zone->init = ngx_ssl_session_cache_init; |
716 |
976 | 717 continue; |
718 } | |
719 | |
720 goto invalid; | |
721 } | |
722 | |
723 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
724 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
725 } | |
726 | |
727 return NGX_CONF_OK; | |
728 | |
729 invalid: | |
730 | |
731 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
732 "invalid session cache \"%V\"", &value[i]); | |
733 | |
734 return NGX_CONF_ERROR; | |
735 } | |
736 |
737 |
/*
 * Post-handler for the "ssl_conf_command" directive.
 *
 * Uses SSL_CONF_FLAG_FILE as the compile-time feature test for the
 * OpenSSL SSL_CONF_* interface: when the macro is defined the directive
 * is accepted (NGX_CONF_OK), otherwise a static error string is returned
 * so the directive is rejected at configuration time rather than being
 * silently ignored.  The cf, post and data arguments are not used.
 */
static char *
ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifdef SSL_CONF_FLAG_FILE
    return NGX_CONF_OK;
#else
    return "is not supported on this platform";
#endif
}