nginx-quic: src/http/ngx_http_request.c comparison

comparison src/http/ngx_http_request.c @ 4033:4e1a489c26cd

Better handling of various per-server ssl options with SNI. SSL_set_SSL_CTX() doesn't touch values cached within ssl connection structure, it only changes certificates (at least as of now, OpenSSL 1.0.0d and earlier). As a result settings like ssl_verify_client, ssl_verify_depth, ssl_prefer_server_ciphers are only configurable on per-socket basis while with SNI it should be possible to specify them different for two servers listening on the same socket. Workaround is to explicitly re-apply settings we care about from context to ssl connection in servername callback. Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e. with older versions it is not possible to clear ssl_prefer_server_ciphers option if it's set in default server for a socket.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Tue, 23 Aug 2011 14:36:31 +0000
parents	07d1aa82899b
children	7ce8f2cde0af

comparison

equal deleted inserted replaced

-:7968f1edbdde
+:4e1a489c26cd
 sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
 SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
+/*
+* SSL_set_SSL_CTX() only changes certs as of 1.0.0d
+* adjust other things we care about
+*/
+SSL_set_verify(ssl_conn, SSL_CTX_get_verify_mode(sscf->ssl.ctx),
+SSL_CTX_get_verify_callback(sscf->ssl.ctx));
+SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
+#ifdef SSL_CTRL_CLEAR_OPTIONS
+/* only in 0.9.8m+ */
+SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
+~SSL_CTX_get_options(sscf->ssl.ctx));
+#endif
+SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
 return SSL_TLSEXT_ERR_OK;
 }
 #endif

Mercurial > hg > nginx-quic

comparison src/http/ngx_http_request.c @ 4033:4e1a489c26cd