comparison src/mail/ngx_mail_ssl_module.c @ 7269:7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
In the mail and stream modules, having no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.
In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 24 Apr 2018 15:29:01 +0300 |
parents | 0d8c72ff62dd |
children | 46c0c7ef4913 |
7268:0d8c72ff62dd | 7269:7f955d3b9a0d |
---|---|
236 } | 236 } |
237 | 237 |
238 /* | 238 /* |
239 * set by ngx_pcalloc(): | 239 * set by ngx_pcalloc(): |
240 * | 240 * |
241 * scf->listen = 0; | |
241 * scf->protocols = 0; | 242 * scf->protocols = 0; |
242 * scf->dhparam = { 0, NULL }; | 243 * scf->dhparam = { 0, NULL }; |
243 * scf->ecdh_curve = { 0, NULL }; | 244 * scf->ecdh_curve = { 0, NULL }; |
244 * scf->client_certificate = { 0, NULL }; | 245 * scf->client_certificate = { 0, NULL }; |
245 * scf->trusted_certificate = { 0, NULL }; | 246 * scf->trusted_certificate = { 0, NULL }; |
311 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 312 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
312 | 313 |
313 | 314 |
314 conf->ssl.log = cf->log; | 315 conf->ssl.log = cf->log; |
315 | 316 |
316 if (conf->enable) { | 317 if (conf->listen) { |
318 mode = "listen ... ssl"; | |
319 | |
320 } else if (conf->enable) { | |
317 mode = "ssl"; | 321 mode = "ssl"; |
318 | 322 |
319 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | 323 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { |
320 mode = "starttls"; | 324 mode = "starttls"; |
321 | 325 |
322 } else { | 326 } else { |
323 mode = ""; | 327 return NGX_CONF_OK; |
324 } | 328 } |
325 | 329 |
326 if (conf->file == NULL) { | 330 if (conf->file == NULL) { |
327 conf->file = prev->file; | 331 conf->file = prev->file; |
328 conf->line = prev->line; | 332 conf->line = prev->line; |
329 } | 333 } |
330 | 334 |
331 if (*mode) { | 335 if (conf->certificates == NULL) { |
332 | 336 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
333 if (conf->certificates == NULL) { | 337 "no \"ssl_certificate\" is defined for " |
334 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 338 "the \"%s\" directive in %s:%ui", |
335 "no \"ssl_certificate\" is defined for " | 339 mode, conf->file, conf->line); |
336 "the \"%s\" directive in %s:%ui", | 340 return NGX_CONF_ERROR; |
337 mode, conf->file, conf->line); | 341 } |
338 return NGX_CONF_ERROR; | 342 |
339 } | 343 if (conf->certificate_keys == NULL) { |
340 | 344 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
341 if (conf->certificate_keys == NULL) { | 345 "no \"ssl_certificate_key\" is defined for " |
342 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 346 "the \"%s\" directive in %s:%ui", |
343 "no \"ssl_certificate_key\" is defined for " | 347 mode, conf->file, conf->line); |
344 "the \"%s\" directive in %s:%ui", | 348 return NGX_CONF_ERROR; |
345 mode, conf->file, conf->line); | 349 } |
346 return NGX_CONF_ERROR; | 350 |
347 } | 351 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
348 | 352 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
349 if (conf->certificate_keys->nelts < conf->certificates->nelts) { | 353 "no \"ssl_certificate_key\" is defined " |
350 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 354 "for certificate \"%V\" and " |
351 "no \"ssl_certificate_key\" is defined " | 355 "the \"%s\" directive in %s:%ui", |
352 "for certificate \"%V\" and " | 356 ((ngx_str_t *) conf->certificates->elts) |
353 "the \"%s\" directive in %s:%ui", | 357 + conf->certificates->nelts - 1, |
354 ((ngx_str_t *) conf->certificates->elts) | 358 mode, conf->file, conf->line); |
355 + conf->certificates->nelts - 1, | 359 return NGX_CONF_ERROR; |
356 mode, conf->file, conf->line); | |
357 return NGX_CONF_ERROR; | |
358 } | |
359 | |
360 } else { | |
361 | |
362 if (conf->certificates == NULL) { | |
363 return NGX_CONF_OK; | |
364 } | |
365 | |
366 if (conf->certificate_keys == NULL | |
367 || conf->certificate_keys->nelts < conf->certificates->nelts) | |
368 { | |
369 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
370 "no \"ssl_certificate_key\" is defined " | |
371 "for certificate \"%V\"", | |
372 ((ngx_str_t *) conf->certificates->elts) | |
373 + conf->certificates->nelts - 1); | |
374 return NGX_CONF_ERROR; | |
375 } | |
376 } | 360 } |
377 | 361 |
378 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | 362 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
379 return NGX_CONF_ERROR; | 363 return NGX_CONF_ERROR; |
380 } | 364 } |
492 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 476 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
493 "\"starttls\" directive conflicts with \"ssl on\""); | 477 "\"starttls\" directive conflicts with \"ssl on\""); |
494 return NGX_CONF_ERROR; | 478 return NGX_CONF_ERROR; |
495 } | 479 } |
496 | 480 |
497 scf->file = cf->conf_file->file.name.data; | 481 if (!scf->listen) { |
498 scf->line = cf->conf_file->line; | 482 scf->file = cf->conf_file->file.name.data; |
483 scf->line = cf->conf_file->line; | |
484 } | |
499 | 485 |
500 return NGX_CONF_OK; | 486 return NGX_CONF_OK; |
501 } | 487 } |
502 | 488 |
503 | 489 |
518 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 504 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
519 "\"ssl\" directive conflicts with \"starttls\""); | 505 "\"ssl\" directive conflicts with \"starttls\""); |
520 return NGX_CONF_ERROR; | 506 return NGX_CONF_ERROR; |
521 } | 507 } |
522 | 508 |
523 scf->file = cf->conf_file->file.name.data; | 509 if (!scf->listen) { |
524 scf->line = cf->conf_file->line; | 510 scf->file = cf->conf_file->file.name.data; |
511 scf->line = cf->conf_file->line; | |
512 } | |
525 | 513 |
526 return NGX_CONF_OK; | 514 return NGX_CONF_OK; |
527 } | 515 } |
528 | 516 |
529 | 517 |
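Review bot: The new `if (!scf->listen)` guards in the `ssl` and `starttls` handlers (new lines 481 and 509) skip recording `scf->file`/`scf->line` without saying why, while the merge function's emergency messages (new lines 336–358) format `conf->file` with `%s` in every mode, so the `listen ... ssl` branch relies on the `listen` directive handler, outside this file, having recorded a location whenever it sets `conf->listen` — presumably it does, but nothing on this page shows it. A one-line comment on each guard would make that contract visible, e.g. `/* "listen ... ssl" takes precedence; its location is recorded by the listen handler */`. It is also worth noting in the commit message that the early `return NGX_CONF_OK` at new line 327 drops the old consistency check between `ssl_certificate` and `ssl_certificate_key` for servers that configure certificates without any SSL mode; this looks intentional, since no SSL context is created for them anymore, but the description does not mention it. Both directive handlers start outside the shown hunks.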