Mercurial > hg > nginx-vendor-0-8
comparison src/http/modules/ngx_http_ssl_module.c @ 96:ca4f70b3ccc6 NGINX_0_2_2
nginx 0.2.2
*) Feature: the "config errmsg" command of the ngx_http_ssi_module.
*) Change: the ngx_http_geo_module variables can be overridden by the
"set" directive.
*) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers"
directives of the ngx_http_ssl_module and ngx_imap_ssl_module.
*) Bugfix: the ngx_http_autoindex_module did not show correctly the
long file names;
*) Bugfix: the ngx_http_autoindex_module now do not show the files
starting by dot.
*) Bugfix: if the SSL handshake failed then another connection may be
closed too.
Thanks to Rob Mueller.
*) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
| author | Igor Sysoev <http://sysoev.ru> |
|---|---|
| date | Fri, 30 Sep 2005 00:00:00 +0400 |
| parents | 45945fa8b8ba |
| children | 408f195b3482 |
comparison
equal
deleted
inserted
replaced
| 95:2f95911bc4b4 | 96:ca4f70b3ccc6 |
|---|---|
| 6 | 6 |
| 7 #include <ngx_config.h> | 7 #include <ngx_config.h> |
| 8 #include <ngx_core.h> | 8 #include <ngx_core.h> |
| 9 #include <ngx_http.h> | 9 #include <ngx_http.h> |
| 10 | 10 |
| 11 | |
| 12 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" | 11 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" |
| 13 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" | 12 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" |
| 13 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" | |
| 14 | 14 |
| 15 | 15 |
| 16 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); | 16 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); |
| 17 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, | 17 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, |
| 18 void *parent, void *child); | 18 void *parent, void *child); |
| 19 | 19 |
| 20 | 20 |
| 21 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | |
| 22 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
| 23 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 24 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
| 25 { ngx_null_string, 0 } | |
| 26 }; | |
| 27 | |
| 28 | |
| 21 static ngx_command_t ngx_http_ssl_commands[] = { | 29 static ngx_command_t ngx_http_ssl_commands[] = { |
| 22 | 30 |
| 23 { ngx_string("ssl"), | 31 { ngx_string("ssl"), |
| 24 NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 32 NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
| 25 ngx_conf_set_flag_slot, | 33 ngx_conf_set_flag_slot, |
| 39 ngx_conf_set_str_slot, | 47 ngx_conf_set_str_slot, |
| 40 NGX_HTTP_SRV_CONF_OFFSET, | 48 NGX_HTTP_SRV_CONF_OFFSET, |
| 41 offsetof(ngx_http_ssl_srv_conf_t, certificate_key), | 49 offsetof(ngx_http_ssl_srv_conf_t, certificate_key), |
| 42 NULL }, | 50 NULL }, |
| 43 | 51 |
| 52 { ngx_string("ssl_protocols"), | |
| 53 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
| 54 ngx_conf_set_bitmask_slot, | |
| 55 NGX_HTTP_SRV_CONF_OFFSET, | |
| 56 offsetof(ngx_http_ssl_srv_conf_t, protocols), | |
| 57 &ngx_http_ssl_protocols }, | |
| 58 | |
| 44 { ngx_string("ssl_ciphers"), | 59 { ngx_string("ssl_ciphers"), |
| 45 NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 60 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
| 46 ngx_conf_set_str_slot, | 61 ngx_conf_set_str_slot, |
| 47 NGX_HTTP_SRV_CONF_OFFSET, | 62 NGX_HTTP_SRV_CONF_OFFSET, |
| 48 offsetof(ngx_http_ssl_srv_conf_t, ciphers), | 63 offsetof(ngx_http_ssl_srv_conf_t, ciphers), |
| 64 NULL }, | |
| 65 | |
| 66 { ngx_string("ssl_prefer_server_ciphers"), | |
| 67 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
| 68 ngx_conf_set_flag_slot, | |
| 69 NGX_HTTP_SRV_CONF_OFFSET, | |
| 70 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | |
| 49 NULL }, | 71 NULL }, |
| 50 | 72 |
| 51 ngx_null_command | 73 ngx_null_command |
| 52 }; | 74 }; |
| 53 | 75 |
| 97 } | 119 } |
| 98 | 120 |
| 99 /* | 121 /* |
| 100 * set by ngx_pcalloc(): | 122 * set by ngx_pcalloc(): |
| 101 * | 123 * |
| 124 * scf->protocols = 0; | |
| 125 | |
| 102 * scf->certificate.len = 0; | 126 * scf->certificate.len = 0; |
| 103 * scf->certificate.data = NULL; | 127 * scf->certificate.data = NULL; |
| 104 * scf->certificate_key.len = 0; | 128 * scf->certificate_key.len = 0; |
| 105 * scf->certificate_key.data = NULL; | 129 * scf->certificate_key.data = NULL; |
| 106 * scf->ciphers.len = 0; | 130 * scf->ciphers.len = 0; |
| 107 * scf->ciphers.data = NULL; | 131 * scf->ciphers.data = NULL; |
| 108 */ | 132 */ |
| 109 | 133 |
| 110 scf->enable = NGX_CONF_UNSET; | 134 scf->enable = NGX_CONF_UNSET; |
| 135 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
| 111 | 136 |
| 112 return scf; | 137 return scf; |
| 113 } | 138 } |
| 114 | 139 |
| 115 | 140 |
| 123 | 148 |
| 124 if (conf->enable == 0) { | 149 if (conf->enable == 0) { |
| 125 return NGX_CONF_OK; | 150 return NGX_CONF_OK; |
| 126 } | 151 } |
| 127 | 152 |
| 153 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
| 154 prev->prefer_server_ciphers, 0); | |
| 155 | |
| 156 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
| 157 (NGX_CONF_BITMASK_SET | |
| 158 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); | |
| 159 | |
| 128 ngx_conf_merge_str_value(conf->certificate, prev->certificate, | 160 ngx_conf_merge_str_value(conf->certificate, prev->certificate, |
| 129 NGX_DEFLAUT_CERTIFICATE); | 161 NGX_DEFLAUT_CERTIFICATE); |
| 130 | 162 |
| 131 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, | 163 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, |
| 132 NGX_DEFLAUT_CERTIFICATE_KEY); | 164 NGX_DEFLAUT_CERTIFICATE_KEY); |
| 133 | 165 |
| 134 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, ""); | 166 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); |
| 135 | 167 |
| 136 | 168 |
| 137 /* TODO: configure methods */ | 169 conf->ssl.log = cf->log; |
| 138 | 170 |
| 139 conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); | 171 if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) { |
| 140 | 172 return NGX_CONF_ERROR; |
| 141 if (conf->ssl_ctx == NULL) { | 173 } |
| 142 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed"); | 174 |
| 143 return NGX_CONF_ERROR; | 175 if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL) |
| 144 } | |
| 145 | |
| 146 if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx) | |
| 147 == NULL) | |
| 148 { | 176 { |
| 149 return NGX_CONF_ERROR; | 177 return NGX_CONF_ERROR; |
| 150 } | 178 } |
| 151 | 179 |
| 152 | 180 if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data, |
| 153 if (conf->ciphers.len) { | 181 conf->certificate_key.data) != NGX_OK) |
| 154 if (SSL_CTX_set_cipher_list(conf->ssl_ctx, | 182 { |
| 155 (const char *) conf->ciphers.data) == 0) | 183 return NGX_CONF_ERROR; |
| 156 { | 184 } |
| 157 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 185 |
| 158 "SSL_CTX_set_cipher_list(\"%V\") failed", | 186 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
| 159 &conf->ciphers); | 187 (const char *) conf->ciphers.data) == 0) |
| 160 } | |
| 161 } | |
| 162 | |
| 163 if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx, | |
| 164 (char *) conf->certificate.data) == 0) | |
| 165 { | 188 { |
| 166 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 189 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
| 167 "SSL_CTX_use_certificate_chain_file(\"%s\") failed", | 190 "SSL_CTX_set_cipher_list(\"%V\") failed", |
| 168 conf->certificate.data); | 191 &conf->ciphers); |
| 169 return NGX_CONF_ERROR; | 192 } |
| 170 } | 193 |
| 171 | 194 if (conf->prefer_server_ciphers) { |
| 172 if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx, | 195 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
| 173 (char *) conf->certificate_key.data, | 196 } |
| 174 SSL_FILETYPE_PEM) == 0) | 197 |
| 175 { | 198 /* a temporary 512-bit RSA key is required for export versions of MSIE */ |
| 176 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 199 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { |
| 177 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", | 200 return NGX_CONF_ERROR; |
| 178 conf->certificate_key.data); | 201 } |
| 179 return NGX_CONF_ERROR; | 202 |
| 180 } | 203 SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER); |
| 181 | 204 |
| 182 SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL); | 205 SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx, |
| 183 | |
| 184 SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
| 185 | |
| 186 SSL_CTX_set_read_ahead(conf->ssl_ctx, 1); | |
| 187 | |
| 188 SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER); | |
| 189 | |
| 190 SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_http_session_id_ctx, | |
| 191 sizeof(ngx_http_session_id_ctx) - 1); | 206 sizeof(ngx_http_session_id_ctx) - 1); |
| 192 | 207 |
| 193 return NGX_CONF_OK; | 208 return NGX_CONF_OK; |
| 194 } | 209 } |
| 195 | |
| 196 | |
| 197 #if 0 | |
| 198 | |
| 199 /* how to enumrate server' configs */ | |
| 200 | |
| 201 static ngx_int_t | |
| 202 ngx_http_ssl_init_process(ngx_cycle_t *cycle) | |
| 203 { | |
| 204 ngx_uint_t i; | |
| 205 ngx_http_ssl_srv_conf_t *sscf; | |
| 206 ngx_http_core_srv_conf_t **cscfp; | |
| 207 ngx_http_core_main_conf_t *cmcf; | |
| 208 | |
| 209 cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module); | |
| 210 | |
| 211 cscfp = cmcf->servers.elts; | |
| 212 | |
| 213 for (i = 0; i < cmcf->servers.nelts; i++) { | |
| 214 sscf = cscfp[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
| 215 | |
| 216 if (sscf->enable) { | |
| 217 cscfp[i]->recv = ngx_ssl_recv; | |
| 218 cscfp[i]->send_chain = ngx_ssl_send_chain; | |
| 219 } | |
| 220 } | |
| 221 | |
| 222 return NGX_OK; | |
| 223 } | |
| 224 | |
| 225 #endif |