nginx-vendor-0-8: src/http/modules/ngx_http_ssl

comparison src/http/modules/ngx_http_ssl_module.c @ 390:0b6053502c55 NGINX_0_7_7

nginx 0.7.7 *) Change: now the EAGAIN error returned by connect() is not considered as temporary error. *) Change: now the $ssl_client_cert variable value is a certificate with TAB character intended before each line except first one; an unchanged certificate is available in the $ssl_client_raw_cert variable. *) Feature: the "ask" parameter in the "ssl_verify_client" directive. *) Feature: byte-range processing improvements. Thanks to Maxim Dounin. *) Feature: the "directio" directive. *) Feature: MacOSX 1.5 sendfile() support. *) Bugfix: now in MacOSX and Cygwin locations are tested in case insensitive mode; however, the compare is provided by single-byte locales only. *) Bugfix: mail proxy SSL connections hanged, if select, poll, or /dev/poll methods were used. *) Bugfix: UTF-8 encoding usage in the ngx_http_autoindex_module.

author	Igor Sysoev <http://sysoev.ru>
date	Wed, 30 Jul 2008 00:00:00 +0400
parents	bc21d9cd9c54
children	a094317ba307

comparison

equal deleted inserted replaced

-:930e48a26dde
+:0b6053502c55
 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
 ngx_pool_t *pool, ngx_str_t *s);
-#define NGX_DEFLAUT_CERTIFICATE      "cert.pem"
+#define NGX_DEFAULT_CERTIFICATE      "cert.pem"
-#define NGX_DEFLAUT_CERTIFICATE_KEY  "cert.pem"
+#define NGX_DEFAULT_CERTIFICATE_KEY  "cert.pem"
-#define NGX_DEFLAUT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
+#define NGX_DEFAULT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_null_string, 0 }
 };
+static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
+{ ngx_string("off"), 0 },
+{ ngx_string("on"), 1 },
+{ ngx_string("ask"), 2 },
+{ ngx_null_string, 0 }
+};
 static ngx_command_t  ngx_http_ssl_commands[] = {
 { ngx_string("ssl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 offsetof(ngx_http_ssl_srv_conf_t, ciphers),
 NULL },
 { ngx_string("ssl_verify_client"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
-ngx_conf_set_flag_slot,
+ngx_conf_set_enum_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, verify),
-NULL },
+&ngx_http_ssl_verify },
 { ngx_string("ssl_verify_depth"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
 ngx_conf_set_num_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
+{ ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
+(uintptr_t) ngx_ssl_get_raw_certificate,
+NGX_HTTP_VAR_CHANGEABLE, 0 },
 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
 *     sscf->ciphers.data = NULL;
 *     sscf->shm_zone = NULL;
 */
 sscf->enable = NGX_CONF_UNSET;
+sscf->prefer_server_ciphers = NGX_CONF_UNSET;
 sscf->verify = NGX_CONF_UNSET;
 sscf->verify_depth = NGX_CONF_UNSET;
-sscf->prefer_server_ciphers = NGX_CONF_UNSET;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
 return sscf;
 }
 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 (NGX_CONF_BITMASK_SET
 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
-ngx_conf_merge_value(conf->verify, prev->verify, 0);
+ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
-ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1);
+ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 ngx_conf_merge_str_value(conf->certificate, prev->certificate,
-NGX_DEFLAUT_CERTIFICATE);
+NGX_DEFAULT_CERTIFICATE);
 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
-NGX_DEFLAUT_CERTIFICATE_KEY);
+NGX_DEFAULT_CERTIFICATE_KEY);
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
 "");
-ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
+ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 conf->ssl.log = cf->log;
 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
 "SSL_CTX_set_cipher_list(\"%V\") failed",
 &conf->ciphers);
 }
 if (conf->verify) {
+if (conf->client_certificate.len == 0) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no ssl_client_certificate for ssl_client_verify");
+return NGX_CONF_ERROR;
+}
 if (ngx_ssl_client_certificate(cf, &conf->ssl,
 &conf->client_certificate,
 conf->verify_depth)
 != NGX_OK)
 {

Mercurial > hg > nginx-vendor-0-8

comparison src/http/modules/ngx_http_ssl_module.c @ 390:0b6053502c55 NGINX_0_7_7