diff src/http/modules/ngx_http_ssl_module.c @ 96:ca4f70b3ccc6 NGINX_0_2_2
nginx 0.2.2
*) Feature: the "config errmsg" command of the ngx_http_ssi_module.
*) Change: the ngx_http_geo_module variables can be overridden by the
"set" directive.
*) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers"
directives of the ngx_http_ssl_module and ngx_imap_ssl_module.
*) Bugfix: the ngx_http_autoindex_module did not show correctly the
long file names;
*) Bugfix: the ngx_http_autoindex_module now does not show the files
starting with a dot.
*) Bugfix: if the SSL handshake failed then another connection may be
closed too.
Thanks to Rob Mueller.
*) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Fri, 30 Sep 2005 00:00:00 +0400 |
parents | 45945fa8b8ba |
children | 408f195b3482 |
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -8,9 +8,9 @@
 #include <ngx_core.h>
 #include <ngx_http.h>
-
 #define NGX_DEFLAUT_CERTIFICATE "cert.pem"
 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem"
+#define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
@@ -18,6 +18,14 @@ static char *ngx_http_ssl_merge_srv_conf
 void *parent, void *child);
+static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
+ { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+ { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+ { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_null_string, 0 }
+};
+
+
 static ngx_command_t ngx_http_ssl_commands[] = {
 { ngx_string("ssl"),
@@ -41,13 +49,27 @@ static ngx_command_t ngx_http_ssl_comma
 offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
 NULL },
+ { ngx_string("ssl_protocols"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_bitmask_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, protocols),
+ &ngx_http_ssl_protocols },
+
 { ngx_string("ssl_ciphers"),
- NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, ciphers),
 NULL },
+ { ngx_string("ssl_prefer_server_ciphers"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
+ NULL },
+
 ngx_null_command
 };
@@ -99,6 +121,8 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
 /*
 * set by ngx_pcalloc():
 *
+ * scf->protocols = 0;
+ * scf->certificate.len = 0;
 * scf->certificate.data = NULL;
 * scf->certificate_key.len = 0;
@@ -108,6 +132,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
 */
 scf->enable = NGX_CONF_UNSET;
+ scf->prefer_server_ciphers = NGX_CONF_UNSET;
 return scf;
 }
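Review bot: `NGX_DEFLAUT_CIPHERS` in the first hunk carries no comment explaining why `+SSLv2` and `+EXP` are appended to an otherwise HIGH-first list; the only rationale is the changelog entry about export versions of MSIE 5.x, which lives outside the source. Suggest a one-line comment above the define, e.g. `/* SSLv2 and export-grade suites are appended at lowest preference only so that export versions of MSIE 5.x can connect; drop them once that compatibility is no longer required */`, so the next maintainer knows which part of the default is a compatibility concession rather than a recommendation. The new macro also perpetuates the pre-existing `DEFLAUT` misspelling of the two certificate macros; if those are ever renamed, this one should go with them.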
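Review bot: In the third hunk `ssl_ciphers` is widened from `NGX_CONF_TAKE1` to `NGX_CONF_1MORE` while its handler stays `ngx_conf_set_str_slot`; if that slot stores only the first argument, as its name suggests (it is not visible in this diff), a directive such as `ssl_ciphers HIGH:!aNULL MEDIUM;` would silently keep only `HIGH:!aNULL` and drop the rest, which is a confusing failure mode for a security setting. Either keep `NGX_CONF_TAKE1` so the parser rejects extra arguments, or use a handler that joins all arguments into one OpenSSL cipher string before storing it. The same hunk's `ssl_protocols` and `ssl_prefer_server_ciphers` entries are consistent with their handlers and need no change.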
@@ -125,101 +150,60 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
 return NGX_CONF_OK;
 }
+ ngx_conf_merge_value(conf->prefer_server_ciphers,
+ prev->prefer_server_ciphers, 0);
+
+ ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+ (NGX_CONF_BITMASK_SET
+ |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+
 ngx_conf_merge_str_value(conf->certificate, prev->certificate,
- NGX_DEFLAUT_CERTIFICATE);
+ NGX_DEFLAUT_CERTIFICATE);
 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
- NGX_DEFLAUT_CERTIFICATE_KEY);
+ NGX_DEFLAUT_CERTIFICATE_KEY);
- ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, "");
+ ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
- /* TODO: configure methods */
+ conf->ssl.log = cf->log;
- conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-
- if (conf->ssl_ctx == NULL) {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed");
+ if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
- if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx)
- == NULL)
+ if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL)
 {
 return NGX_CONF_ERROR;
 }
-
- if (conf->ciphers.len) {
- if (SSL_CTX_set_cipher_list(conf->ssl_ctx,
- (const char *) conf->ciphers.data) == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &conf->ciphers);
- }
- }
-
- if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx,
- (char *) conf->certificate.data) == 0)
+ if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data,
+ conf->certificate_key.data) != NGX_OK)
 {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
- conf->certificate.data);
 return NGX_CONF_ERROR;
 }
- if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx,
- (char *) conf->certificate_key.data,
- SSL_FILETYPE_PEM) == 0)
+ if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
+ (const char *) conf->ciphers.data) == 0)
 {
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_use_PrivateKey_file(\"%s\") failed",
- conf->certificate_key.data);
+ "SSL_CTX_set_cipher_list(\"%V\") failed",
+ &conf->ciphers);
+ }
+
+ if (conf->prefer_server_ciphers) {
+ SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+
+ /* a temporary 512-bit RSA key is required for export versions of MSIE */
+ if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
- SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-
- SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+ SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER);
- SSL_CTX_set_read_ahead(conf->ssl_ctx, 1);
-
- SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER);
-
- SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_http_session_id_ctx,
+ SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx,
 sizeof(ngx_http_session_id_ctx) - 1);
 return NGX_CONF_OK;
 }
-
-
-#if 0
-
-/* how to enumrate server' configs */
-
-static ngx_int_t
-ngx_http_ssl_init_process(ngx_cycle_t *cycle)
-{
- ngx_uint_t i;
- ngx_http_ssl_srv_conf_t *sscf;
- ngx_http_core_srv_conf_t **cscfp;
- ngx_http_core_main_conf_t *cmcf;
-
- cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module);
-
- cscfp = cmcf->servers.elts;
-
- for (i = 0; i < cmcf->servers.nelts; i++) {
- sscf = cscfp[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
-
- if (sscf->enable) {
- cscfp[i]->recv = ngx_ssl_recv;
- cscfp[i]->send_chain = ngx_ssl_send_chain;
- }
- }
-
- return NGX_OK;
-}
-
-#endif
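Review bot: The new `SSL_CTX_set_cipher_list()` block only logs through `ngx_ssl_error()` and then falls through to the `prefer_server_ciphers` code, so a mistyped `ssl_ciphers` value leaves the context on OpenSSL's built-in cipher list and the server starts anyway. The old code was best-effort too, but it only applied a list when one was configured; now a list is always applied (default `NGX_DEFLAUT_CIPHERS`), so a cipher string that OpenSSL rejects is a configuration error and should stop the load. Add `return NGX_CONF_ERROR;` after the `ngx_ssl_error()` call, which matches how `ngx_ssl_create()`, `ngx_ssl_certificate()` and `ngx_ssl_generate_rsa512_key()` are handled in the same function. ngx_http_ssl_merge_srv_conf begins before this hunk.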