nginx-quic: src/http/modules/ngx_http_ssl

comparison src/http/modules/ngx_http_ssl_module.c @ 8188:71b7453fb11f quic

Merged with the default branch.

author	Sergey Kandaurov <pluknet@nginx.com>
date	Thu, 29 Oct 2020 14:53:58 +0000
parents	93be5658a250 59e1c73fe02b
children	e0947c952d43

comparison

equal deleted inserted replaced

-:69dc750cf66f
+:71b7453fb11f
 void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
+static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+void *data);
 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
 static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
 static ngx_conf_deprecated_t  ngx_http_ssl_deprecated = {
 ngx_conf_deprecated, "ssl", "listen ... ssl"
 };
+static ngx_conf_post_t  ngx_http_ssl_conf_command_post =
+{ ngx_http_ssl_conf_command_check };
 static ngx_command_t  ngx_http_ssl_commands[] = {
 { ngx_string("ssl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_http_ssl_enable,
 { ngx_string("ssl_early_data"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, early_data),
+NULL },
+{ ngx_string("ssl_conf_command"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
+ngx_conf_set_keyval_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
+&ngx_http_ssl_conf_command_post },
+{ ngx_string("ssl_reject_handshake"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ngx_conf_set_flag_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
 NULL },
 ngx_null_command
 };
 */
 sscf->enable = NGX_CONF_UNSET;
 sscf->prefer_server_ciphers = NGX_CONF_UNSET;
 sscf->early_data = NGX_CONF_UNSET;
+sscf->reject_handshake = NGX_CONF_UNSET;
 sscf->buffer_size = NGX_CONF_UNSET_SIZE;
 sscf->verify = NGX_CONF_UNSET_UINT;
 sscf->verify_depth = NGX_CONF_UNSET_UINT;
 sscf->certificates = NGX_CONF_UNSET_PTR;
 sscf->certificate_keys = NGX_CONF_UNSET_PTR;
 sscf->passwords = NGX_CONF_UNSET_PTR;
+sscf->conf_commands = NGX_CONF_UNSET_PTR;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
 sscf->session_tickets = NGX_CONF_UNSET;
 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
 sscf->ocsp = NGX_CONF_UNSET_UINT;
 ngx_conf_merge_value(conf->prefer_server_ciphers,
 prev->prefer_server_ciphers, 0);
 ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
+ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
 prev->ocsp_cache_zone, NULL);
 conf->ssl.log = cf->log;
 if (conf->enable) {
-if (conf->certificates == NULL) {
+if (conf->certificates) {
+if (conf->certificate_keys == NULL) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"ssl_certificate_key\" is defined for "
+"the \"ssl\" directive in %s:%ui",
+conf->file, conf->line);
+return NGX_CONF_ERROR;
+}
+if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"ssl_certificate_key\" is defined "
+"for certificate \"%V\" and "
+"the \"ssl\" directive in %s:%ui",
+((ngx_str_t *) conf->certificates->elts)
++ conf->certificates->nelts - 1,
+conf->file, conf->line);
+return NGX_CONF_ERROR;
+}
+} else if (!conf->reject_handshake) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"ssl_certificate\" is defined for "
 "the \"ssl\" directive in %s:%ui",
 conf->file, conf->line);
 return NGX_CONF_ERROR;
 }
-if (conf->certificate_keys == NULL) {
+} else if (conf->certificates) {
-ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-"no \"ssl_certificate_key\" is defined for "
-"the \"ssl\" directive in %s:%ui",
-conf->file, conf->line);
-return NGX_CONF_ERROR;
-}
-if (conf->certificate_keys->nelts < conf->certificates->nelts) {
-ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-"no \"ssl_certificate_key\" is defined "
-"for certificate \"%V\" and "
-"the \"ssl\" directive in %s:%ui",
-((ngx_str_t *) conf->certificates->elts)
-+ conf->certificates->nelts - 1,
-conf->file, conf->line);
-return NGX_CONF_ERROR;
-}
-} else {
-if (conf->certificates == NULL) {
-return NGX_CONF_OK;
-}
 if (conf->certificate_keys == NULL
 || conf->certificate_keys->nelts < conf->certificates->nelts)
 {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "for certificate \"%V\"",
 ((ngx_str_t *) conf->certificates->elts)
 + conf->certificates->nelts - 1);
 return NGX_CONF_ERROR;
 }
+} else if (!conf->reject_handshake) {
+return NGX_CONF_OK;
 }
 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 "\"ssl_certificate\" and \"ssl_certificate_key\" "
 "directives are not supported on this platform");
 return NGX_CONF_ERROR;
 #endif
-} else {
+} else if (conf->certificates) {
 /* configure certificates */
 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
 conf->certificate_keys, conf->passwords)
 }
 }
 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 return NGX_CONF_OK;
 }
 ngx_str_t                         *cert, *key;
 ngx_uint_t                         i, nelts;
 ngx_http_complex_value_t          *cv;
 ngx_http_compile_complex_value_t   ccv;
+if (conf->certificates == NULL) {
+return NGX_OK;
+}
 cert = conf->certificates->elts;
 key = conf->certificate_keys->elts;
 nelts = conf->certificates->nelts;
 for (i = 0; i < nelts; i++) {
 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
 "invalid OCSP cache \"%V\"", &value[1]);
 return NGX_CONF_ERROR;
+}
+static char *
+ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+return "is not supported on this platform";
+#endif
+return NGX_CONF_OK;
 }
 static ngx_int_t
 ngx_http_ssl_init(ngx_conf_t *cf)
 }
 cscf = addr[a].default_server;
 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
-if (sscf->certificates == NULL) {
+if (sscf->certificates) {
+continue;
+}
+if (!sscf->reject_handshake) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"ssl_certificate\" is defined for "
+"the \"listen ... ssl\" directive in %s:%ui",
+cscf->file_name, cscf->line);
+return NGX_ERROR;
+}
+/*
+* if no certificates are defined in the default server,
+* check all non-default server blocks
+*/
+cscfp = addr[a].servers.elts;
+for (s = 0; s < addr[a].servers.nelts; s++) {
+cscf = cscfp[s];
+sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
+if (sscf->certificates || sscf->reject_handshake) {
+continue;
+}
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"ssl_certificate\" is defined for "
 "the \"listen ... %s\" directive in %s:%ui",
 name, cscf->file_name, cscf->line);
 return NGX_ERROR;

Mercurial > hg > nginx-quic

comparison src/http/modules/ngx_http_ssl_module.c @ 8188:71b7453fb11f quic