comparison src/imap/ngx_imap_ssl_module.c @ 96:ca4f70b3ccc6 NGINX_0_2_2

nginx 0.2.2 *) Feature: the "config errmsg" command of the ngx_http_ssi_module. *) Change: the ngx_http_geo_module variables can be overridden by the "set" directive. *) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. *) Bugfix: the ngx_http_autoindex_module did not show long file names correctly. *) Bugfix: the ngx_http_autoindex_module now does not show files starting with a dot. *) Bugfix: if the SSL handshake failed then another connection could be closed too. Thanks to Rob Mueller. *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
author Igor Sysoev <http://sysoev.ru>
date Fri, 30 Sep 2005 00:00:00 +0400
parents 45945fa8b8ba
children 408f195b3482
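--- a/src/imap/ngx_imap_ssl_module.c
+++ b/src/imap/ngx_imap_ssl_module.c
@@ -9,14 +9,23 @@
 #include <ngx_imap.h>
 
 
 #define NGX_DEFLAUT_CERTIFICATE      "cert.pem"
 #define NGX_DEFLAUT_CERTIFICATE_KEY  "cert.pem"
+#define NGX_DEFLAUT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 
 
 static void *ngx_imap_ssl_create_conf(ngx_conf_t *cf);
 static char *ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
+
+
+static ngx_conf_bitmask_t  ngx_imap_ssl_protocols[] = {
+    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+    { ngx_null_string, 0 }
+};
 
 
 static ngx_command_t  ngx_imap_ssl_commands[] = {
 
     { ngx_string("ssl"),
@@ -38,15 +47,29 @@
       ngx_conf_set_str_slot,
       NGX_IMAP_SRV_CONF_OFFSET,
       offsetof(ngx_imap_ssl_conf_t, certificate_key),
       NULL },
 
+    { ngx_string("ssl_protocols"),
+      NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_bitmask_slot,
+      NGX_IMAP_SRV_CONF_OFFSET,
+      offsetof(ngx_imap_ssl_conf_t, protocols),
+      &ngx_imap_ssl_protocols },
+
     { ngx_string("ssl_ciphers"),
       NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_IMAP_SRV_CONF_OFFSET,
       offsetof(ngx_imap_ssl_conf_t, ciphers),
+      NULL },
+
+    { ngx_string("ssl_prefer_server_ciphers"),
+      NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_IMAP_SRV_CONF_OFFSET,
+      offsetof(ngx_imap_ssl_conf_t, prefer_server_ciphers),
       NULL },
 
     ngx_null_command
 };
 
@@ -90,19 +113,22 @@
 }
 
     /*
      * set by ngx_pcalloc():
      *
+     *     scf->protocols = 0;
+     *
      *     scf->certificate.len = 0;
      *     scf->certificate.data = NULL;
      *     scf->certificate_key.len = 0;
      *     scf->certificate_key.data = NULL;
      *     scf->ciphers.len = 0;
      *     scf->ciphers.data = NULL;
      */
 
     scf->enable = NGX_CONF_UNSET;
+    scf->prefer_server_ciphers = NGX_CONF_UNSET;
 
     return scf;
 }
 
 
@@ -116,79 +142,59 @@
 
     if (conf->enable == 0) {
         return NGX_CONF_OK;
     }
 
+    ngx_conf_merge_value(conf->prefer_server_ciphers,
+                         prev->prefer_server_ciphers, 0);
+
+    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+                                 (NGX_CONF_BITMASK_SET
+                                  |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+
     ngx_conf_merge_str_value(conf->certificate, prev->certificate,
                              NGX_DEFLAUT_CERTIFICATE);
 
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
                              NGX_DEFLAUT_CERTIFICATE_KEY);
 
-    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, "");
+    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
 
 
-    /* TODO: configure methods */
+    conf->ssl.log = cf->log;
 
-    conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-
-    if (conf->ssl_ctx == NULL) {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed");
-        return NGX_CONF_ERROR;
-    }
-
-    if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx)
-        == NULL)
+    if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
+    if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL)
     {
         return NGX_CONF_ERROR;
     }
 
-
-#if 0
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_NO_SSLv3);
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_SINGLE_DH_USE);
-#endif
+    if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data,
+                            conf->certificate_key.data) != NGX_OK)
+    {
+        return NGX_CONF_ERROR;
+    }
 
     if (conf->ciphers.len) {
-        if (SSL_CTX_set_cipher_list(conf->ssl_ctx,
+        if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
                                     (const char *) conf->ciphers.data) == 0)
         {
             ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                           "SSL_CTX_set_cipher_list(\"%V\") failed",
                           &conf->ciphers);
         }
     }
 
-    if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx,
-                                           (char *) conf->certificate.data) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
-                      "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
-                      conf->certificate.data);
-        return NGX_CONF_ERROR;
-    }
-
-
-    if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx,
-                                    (char *) conf->certificate_key.data,
-                                    SSL_FILETYPE_PEM) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
-                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed",
-                      conf->certificate_key.data);
-        return NGX_CONF_ERROR;
-    }
-
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-
-    SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-
-    SSL_CTX_set_read_ahead(conf->ssl_ctx, 1);
-
-    SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER);
-
-    SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_imap_session_id_ctx,
+    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
+    SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER);
+
+    SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_imap_session_id_ctx,
                                    sizeof(ngx_imap_session_id_ctx) - 1);
 
     return NGX_CONF_OK;
 }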
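Review bot: A failing `SSL_CTX_set_cipher_list()` on new lines 181-187 is logged through ngx_ssl_error() but the function then falls through to `return NGX_CONF_OK`, so a mistyped `ssl_ciphers` value leaves the server running with OpenSSL's built-in cipher list rather than the one the administrator configured; the certificate, key and RSA-key failures in the same function are fatal, and this branch should match them with `return NGX_CONF_ERROR;` placed after the `&conf->ciphers);` argument line. With `NGX_DEFLAUT_CIPHERS` now merged in as the default on new line 160, the `if (conf->ciphers.len)` guard on new line 180 only matters when `ssl_ciphers` is explicitly set to an empty string, which is worth a one-line comment so the next reader does not take it for a missing-default check. The new macro also carries the `DEFLAUT` misspelling forward from the two certificate macros; since the name is introduced here, `NGX_DEFAULT_CIPHERS` would avoid spreading it further. `prefer_server_ciphers` is merged on new lines 147-148 but nothing in this hunk applies it to the context, so it is presumably consumed inside ngx_ssl_create() or elsewhere — worth confirming. The signature of ngx_imap_ssl_merge_conf and the start of its body lie outside the hunk.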