Mercurial > hg > nginx-quic
comparison src/mail/ngx_mail_ssl_module.c @ 7269:7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.
In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 24 Apr 2018 15:29:01 +0300 |
| parents | 0d8c72ff62dd |
| children | 46c0c7ef4913 |
comparison
equal
deleted
inserted
replaced
| 7268:0d8c72ff62dd | 7269:7f955d3b9a0d |
|---|---|
| 236 } | 236 } |
| 237 | 237 |
| 238 /* | 238 /* |
| 239 * set by ngx_pcalloc(): | 239 * set by ngx_pcalloc(): |
| 240 * | 240 * |
| 241 * scf->listen = 0; | |
| 241 * scf->protocols = 0; | 242 * scf->protocols = 0; |
| 242 * scf->dhparam = { 0, NULL }; | 243 * scf->dhparam = { 0, NULL }; |
| 243 * scf->ecdh_curve = { 0, NULL }; | 244 * scf->ecdh_curve = { 0, NULL }; |
| 244 * scf->client_certificate = { 0, NULL }; | 245 * scf->client_certificate = { 0, NULL }; |
| 245 * scf->trusted_certificate = { 0, NULL }; | 246 * scf->trusted_certificate = { 0, NULL }; |
| 311 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 312 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 312 | 313 |
| 313 | 314 |
| 314 conf->ssl.log = cf->log; | 315 conf->ssl.log = cf->log; |
| 315 | 316 |
| 316 if (conf->enable) { | 317 if (conf->listen) { |
| 318 mode = "listen ... ssl"; | |
| 319 | |
| 320 } else if (conf->enable) { | |
| 317 mode = "ssl"; | 321 mode = "ssl"; |
| 318 | 322 |
| 319 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | 323 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { |
| 320 mode = "starttls"; | 324 mode = "starttls"; |
| 321 | 325 |
| 322 } else { | 326 } else { |
| 323 mode = ""; | 327 return NGX_CONF_OK; |
| 324 } | 328 } |
| 325 | 329 |
| 326 if (conf->file == NULL) { | 330 if (conf->file == NULL) { |
| 327 conf->file = prev->file; | 331 conf->file = prev->file; |
| 328 conf->line = prev->line; | 332 conf->line = prev->line; |
| 329 } | 333 } |
| 330 | 334 |
| 331 if (*mode) { | 335 if (conf->certificates == NULL) { |
| 332 | 336 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 333 if (conf->certificates == NULL) { | 337 "no \"ssl_certificate\" is defined for " |
| 334 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 338 "the \"%s\" directive in %s:%ui", |
| 335 "no \"ssl_certificate\" is defined for " | 339 mode, conf->file, conf->line); |
| 336 "the \"%s\" directive in %s:%ui", | 340 return NGX_CONF_ERROR; |
| 337 mode, conf->file, conf->line); | 341 } |
| 338 return NGX_CONF_ERROR; | 342 |
| 339 } | 343 if (conf->certificate_keys == NULL) { |
| 340 | 344 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 341 if (conf->certificate_keys == NULL) { | 345 "no \"ssl_certificate_key\" is defined for " |
| 342 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 346 "the \"%s\" directive in %s:%ui", |
| 343 "no \"ssl_certificate_key\" is defined for " | 347 mode, conf->file, conf->line); |
| 344 "the \"%s\" directive in %s:%ui", | 348 return NGX_CONF_ERROR; |
| 345 mode, conf->file, conf->line); | 349 } |
| 346 return NGX_CONF_ERROR; | 350 |
| 347 } | 351 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
| 348 | 352 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 349 if (conf->certificate_keys->nelts < conf->certificates->nelts) { | 353 "no \"ssl_certificate_key\" is defined " |
| 350 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 354 "for certificate \"%V\" and " |
| 351 "no \"ssl_certificate_key\" is defined " | 355 "the \"%s\" directive in %s:%ui", |
| 352 "for certificate \"%V\" and " | 356 ((ngx_str_t *) conf->certificates->elts) |
| 353 "the \"%s\" directive in %s:%ui", | 357 + conf->certificates->nelts - 1, |
| 354 ((ngx_str_t *) conf->certificates->elts) | 358 mode, conf->file, conf->line); |
| 355 + conf->certificates->nelts - 1, | 359 return NGX_CONF_ERROR; |
| 356 mode, conf->file, conf->line); | |
| 357 return NGX_CONF_ERROR; | |
| 358 } | |
| 359 | |
| 360 } else { | |
| 361 | |
| 362 if (conf->certificates == NULL) { | |
| 363 return NGX_CONF_OK; | |
| 364 } | |
| 365 | |
| 366 if (conf->certificate_keys == NULL | |
| 367 || conf->certificate_keys->nelts < conf->certificates->nelts) | |
| 368 { | |
| 369 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 370 "no \"ssl_certificate_key\" is defined " | |
| 371 "for certificate \"%V\"", | |
| 372 ((ngx_str_t *) conf->certificates->elts) | |
| 373 + conf->certificates->nelts - 1); | |
| 374 return NGX_CONF_ERROR; | |
| 375 } | |
| 376 } | 360 } |
| 377 | 361 |
| 378 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | 362 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 379 return NGX_CONF_ERROR; | 363 return NGX_CONF_ERROR; |
| 380 } | 364 } |
| 492 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 476 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
| 493 "\"starttls\" directive conflicts with \"ssl on\""); | 477 "\"starttls\" directive conflicts with \"ssl on\""); |
| 494 return NGX_CONF_ERROR; | 478 return NGX_CONF_ERROR; |
| 495 } | 479 } |
| 496 | 480 |
| 497 scf->file = cf->conf_file->file.name.data; | 481 if (!scf->listen) { |
| 498 scf->line = cf->conf_file->line; | 482 scf->file = cf->conf_file->file.name.data; |
| 483 scf->line = cf->conf_file->line; | |
| 484 } | |
| 499 | 485 |
| 500 return NGX_CONF_OK; | 486 return NGX_CONF_OK; |
| 501 } | 487 } |
| 502 | 488 |
| 503 | 489 |
| 518 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 504 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
| 519 "\"ssl\" directive conflicts with \"starttls\""); | 505 "\"ssl\" directive conflicts with \"starttls\""); |
| 520 return NGX_CONF_ERROR; | 506 return NGX_CONF_ERROR; |
| 521 } | 507 } |
| 522 | 508 |
| 523 scf->file = cf->conf_file->file.name.data; | 509 if (!scf->listen) { |
| 524 scf->line = cf->conf_file->line; | 510 scf->file = cf->conf_file->file.name.data; |
| 511 scf->line = cf->conf_file->line; | |
| 512 } | |
| 525 | 513 |
| 526 return NGX_CONF_OK; | 514 return NGX_CONF_OK; |
| 527 } | 515 } |
| 528 | 516 |
| 529 | 517 |