changeset 380:bc21d9cd9c54 NGINX_0_7_2

nginx 0.7.2 *) Feature: now nginx supports EDH key exchange ciphers. *) Feature: the "ssl_dhparam" directive. *) Feature: the $ssl_client_cert variable. Thanks to Manlio Perillo. *) Bugfix: after changing URI via a "rewrite" directive nginx did not search a new location; bug appeared in 0.7.1. Thanks to Maxim Dounin. *) Bugfix: nginx could not be built without PCRE library; bug appeared in 0.7.1. *) Bugfix: when a request to a directory was redirected with the slash added, nginx dropped a query string from the original request.
author Igor Sysoev <http://sysoev.ru>
date Mon, 16 Jun 2008 00:00:00 +0400
parents 9d9dad60269f
children 23d1555141d9
files CHANGES CHANGES.ru src/core/nginx.h src/core/ngx_palloc.c src/core/ngx_palloc.h src/core/ngx_regex.c src/event/ngx_event_openssl.c src/event/ngx_event_openssl.h src/http/modules/ngx_http_log_module.c src/http/modules/ngx_http_ssi_filter_module.c src/http/modules/ngx_http_ssl_module.c src/http/modules/ngx_http_ssl_module.h src/http/modules/ngx_http_static_module.c src/http/modules/perl/nginx.pm src/http/ngx_http.c src/http/ngx_http_core_module.c src/http/ngx_http_special_response.c src/mail/ngx_mail_ssl_module.c src/mail/ngx_mail_ssl_module.h
diffstat 19 files changed, 271 insertions(+), 34 deletions(-) [+]
line wrap: on
line diff
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,24 @@
 
+Changes with nginx 0.7.2                                         16 Jun 2008
+
+    *) Feature: now nginx supports EDH key exchange ciphers.
+
+    *) Feature: the "ssl_dhparam" directive.
+
+    *) Feature: the $ssl_client_cert variable.
+       Thanks to Manlio Perillo.
+
+    *) Bugfix: after changing URI via a "rewrite" directive nginx did not 
+       search a new location; bug appeared in 0.7.1.
+       Thanks to Maxim Dounin.
+
+    *) Bugfix: nginx could not be built without PCRE library; bug appeared 
+       in 0.7.1.
+
+    *) Bugfix: when a request to a directory was redirected with the slash 
+       added, nginx dropped a query string from the original request.
+
+
 Changes with nginx 0.7.1                                         26 May 2008
 
     *) Change: now locations are searched in a tree.
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,24 @@
 
+Изменения в nginx 0.7.2                                           16.06.2008
+
+    *) Добавление: теперь nginx поддерживает шифры с обменом EDH-ключами.
+
+    *) Добавление: директива ssl_dhparam.
+
+    *) Добавление: переменная $ssl_client_cert.
+       Спасибо Manlio Perillo.
+
+    *) Исправление: после изменения URI с помощью директивы rewrite nginx 
+       не искал новый location; ошибка появилась в 0.7.1.
+       Спасибо Максиму Дунину.
+
+    *) Исправление: nginx не собирался без библиотеки PCRE; ошибка 
+       появилась в 0.7.1.
+
+    *) Исправление: при редиректе запроса к каталогу с добавлением слэша 
+       nginx не добавлял аргументы из оригинального запроса.
+
+
 Изменения в nginx 0.7.1                                           26.05.2008
 
     *) Изменение: теперь поиск location'а делается с помощью дерева.
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -8,7 +8,7 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define NGINX_VERSION      "0.7.1"
+#define NGINX_VERSION      "0.7.2"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #define NGINX_VAR          "NGINX"
--- a/src/core/ngx_palloc.c
+++ b/src/core/ngx_palloc.c
@@ -99,8 +99,6 @@ ngx_palloc(ngx_pool_t *pool, size_t size
 
         for ( ;; ) {
 
-#if (NGX_HAVE_NONALIGNED)
-
             /*
              * allow non-aligned memory blocks for small allocations (1, 2,
              * or 3 bytes) and for odd length strings (struct's have aligned
@@ -110,10 +108,7 @@ ngx_palloc(ngx_pool_t *pool, size_t size
             if (size < sizeof(int) || (size & 1)) {
                 m = p->last;
 
-            } else
-#endif
-
-            {
+            } else {
                 m = ngx_align_ptr(p->last, NGX_ALIGNMENT);
             }
 
@@ -177,6 +172,17 @@ ngx_palloc(ngx_pool_t *pool, size_t size
 }
 
 
+void *
+ngx_palloc_aligned(ngx_pool_t *pool, size_t size)
+{
+    if (size & 1) {
+        size++;
+    }
+
+    return ngx_palloc(pool, size);
+}
+
+
 ngx_int_t
 ngx_pfree(ngx_pool_t *pool, void *p)
 {
--- a/src/core/ngx_palloc.h
+++ b/src/core/ngx_palloc.h
@@ -69,6 +69,7 @@ ngx_pool_t *ngx_create_pool(size_t size,
 void ngx_destroy_pool(ngx_pool_t *pool);
 
 void *ngx_palloc(ngx_pool_t *pool, size_t size);
+void *ngx_palloc_aligned(ngx_pool_t *pool, size_t size);
 void *ngx_pcalloc(ngx_pool_t *pool, size_t size);
 ngx_int_t ngx_pfree(ngx_pool_t *pool, void *p);
 
--- a/src/core/ngx_regex.c
+++ b/src/core/ngx_regex.c
@@ -165,7 +165,7 @@ ngx_regex_malloc(size_t size)
 #endif
 
     if (pool) {
-        return ngx_palloc(pool, size);
+        return ngx_palloc_aligned(pool, size);
     }
 
     return NULL;
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -182,6 +182,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 #endif
 
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
     if (ngx_ssl_protocols[protocols >> 1] != 0) {
         SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
@@ -352,6 +353,89 @@ ngx_ssl_generate_rsa512_key(ngx_ssl_t *s
 
 
 ngx_int_t
+ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+    DH   *dh;
+    BIO  *bio;
+
+    /*
+     * -----BEGIN DH PARAMETERS-----
+     * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
+     * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
+     * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
+     * -----END DH PARAMETERS-----
+     */
+
+    static unsigned char dh1024_p[] = {
+        0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
+        0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
+        0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
+        0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
+        0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
+        0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
+        0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
+        0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
+        0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
+        0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
+        0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
+    };
+
+    static unsigned char dh1024_g[] = { 0x02 };
+
+
+    if (file->len == 0) {
+
+        dh = DH_new();
+        if (dh == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
+            return NGX_ERROR;
+        }
+
+        dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+        dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+
+        if (dh->p == NULL || dh->g == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
+            DH_free(dh);
+            return NGX_ERROR;
+        }
+
+        SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+        DH_free(dh);
+
+        return NGX_OK;
+    }
+
+    if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    bio = BIO_new_file((char *) file->data, "r");
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "BIO_new_file(\"%s\") failed", file->data);
+        return NGX_ERROR;
+    }
+
+    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    if (dh == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "PEM_read_bio_DHparams(\"%s\") failed", file->data);
+        BIO_free(bio);
+        return NGX_ERROR;
+    }
+
+    SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+    DH_free(dh);
+    BIO_free(bio);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 {
     ngx_ssl_connection_t  *sc;
@@ -1795,6 +1879,56 @@ ngx_ssl_get_cipher_name(ngx_connection_t
 
 
 ngx_int_t
+ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    size_t   len;
+    BIO     *bio;
+    X509    *cert;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    if (PEM_write_bio_X509(bio, cert) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
+        goto failed;
+    }
+
+    len = BIO_pending(bio);
+    s->len = len;
+
+    s->data = ngx_palloc(pool, len);
+    if (s->data == NULL) {
+        goto failed;
+    }
+
+    BIO_read(bio, s->data, len);
+
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_OK;
+
+failed:
+
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
     char       *p;
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -101,6 +101,7 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t
 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
+ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
     ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
@@ -120,6 +121,8 @@ ngx_int_t ngx_ssl_get_protocol(ngx_conne
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
--- a/src/http/modules/ngx_http_log_module.c
+++ b/src/http/modules/ngx_http_log_module.c
@@ -797,7 +797,10 @@ ngx_http_log_set_format(ngx_conf_t *cf, 
         if (fmt[i].name.len == value[1].len
             && ngx_strcmp(fmt[i].name.data, value[1].data) == 0)
         {
-            return "duplicate \"log_format\" name";
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                               "duplicate \"log_format\" name \"%V\"",
+                               &value[1]);
+            return NGX_CONF_ERROR;
         }
     }
 
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -100,7 +100,7 @@ static ngx_int_t ngx_http_ssi_endblock(n
     ngx_http_ssi_ctx_t *ctx, ngx_str_t **params);
 
 static ngx_int_t ngx_http_ssi_date_gmt_local_variable(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v,  uintptr_t gmt);
+    ngx_http_variable_value_t *v, uintptr_t gmt);
 
 static char *ngx_http_ssi_types(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
 
@@ -2647,7 +2647,7 @@ ngx_http_ssi_endblock(ngx_http_request_t
 
 static ngx_int_t
 ngx_http_ssi_date_gmt_local_variable(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v,  uintptr_t gmt)
+    ngx_http_variable_value_t *v, uintptr_t gmt)
 {
     ngx_http_ssi_ctx_t  *ctx;
     ngx_time_t          *tp;
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -72,6 +72,13 @@ static ngx_command_t  ngx_http_ssl_comma
       offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
       NULL },
 
+    { ngx_string("ssl_dhparam"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
+      NULL },
+
     { ngx_string("ssl_protocols"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
       ngx_conf_set_bitmask_slot,
@@ -175,6 +182,9 @@ static ngx_http_variable_t  ngx_http_ssl
     { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
       (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
@@ -287,12 +297,10 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
      * set by ngx_pcalloc():
      *
      *     sscf->protocols = 0;
-     *     sscf->certificate.len = 0;
-     *     sscf->certificate.data = NULL;
-     *     sscf->certificate_key.len = 0;
-     *     sscf->certificate_key.data = NULL;
-     *     sscf->client_certificate.len = 0;
-     *     sscf->client_certificate.data = NULL;
+     *     sscf->certificate = { 0, NULL };
+     *     sscf->certificate_key = { 0, NULL };
+     *     sscf->dhparam = { 0, NULL };
+     *     sscf->client_certificate = { 0, NULL };
      *     sscf->ciphers.len = 0;
      *     sscf->ciphers.data = NULL;
      *     sscf->shm_zone = NULL;
@@ -342,6 +350,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
                          NGX_DEFLAUT_CERTIFICATE_KEY);
 
+    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
+
     ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
                          "");
 
@@ -414,6 +424,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
         return NGX_CONF_ERROR;
     }
 
+    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
     ngx_conf_merge_value(conf->builtin_session_cache,
                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
 
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -31,6 +31,7 @@ typedef struct {
 
     ngx_str_t                       certificate;
     ngx_str_t                       certificate_key;
+    ngx_str_t                       dhparam;
     ngx_str_t                       client_certificate;
 
     ngx_str_t                       ciphers;
--- a/src/http/modules/ngx_http_static_module.c
+++ b/src/http/modules/ngx_http_static_module.c
@@ -48,7 +48,7 @@ static ngx_int_t
 ngx_http_static_handler(ngx_http_request_t *r)
 {
     u_char                    *last, *location;
-    size_t                     root;
+    size_t                     root, len;
     ngx_str_t                  path;
     ngx_int_t                  rc;
     ngx_uint_t                 level;
@@ -150,26 +150,39 @@ ngx_http_static_handler(ngx_http_request
             return NGX_HTTP_INTERNAL_SERVER_ERROR;
         }
 
-        if (!clcf->alias && clcf->root_lengths == NULL) {
+        len = r->uri.len + 1;
+
+        if (!clcf->alias && clcf->root_lengths == NULL && r->args.len == 0) {
             location = path.data + clcf->root.len;
 
+            *last = '/';
+
         } else {
-            location = ngx_palloc(r->pool, r->uri.len + 1);
+            if (r->args.len) {
+                len += r->args.len + 1;
+            }
+
+            location = ngx_palloc(r->pool, len);
             if (location == NULL) {
                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
             }
 
             last = ngx_copy(location, r->uri.data, r->uri.len);
-        }
+
+            *last = '/';
 
-        *last = '/';
+            if (r->args.len) {
+                *++last = '?';
+                ngx_memcpy(++last, r->args.data, r->args.len);
+            }
+        }
 
         /*
          * we do not need to set the r->headers_out.location->hash and
          * r->headers_out.location->key fields
          */
 
-        r->headers_out.location->value.len = r->uri.len + 1;
+        r->headers_out.location->value.len = len;
         r->headers_out.location->value.data = location;
 
         return NGX_HTTP_MOVED_PERMANENTLY;
--- a/src/http/modules/perl/nginx.pm
+++ b/src/http/modules/perl/nginx.pm
@@ -47,7 +47,7 @@ our @EXPORT = qw(
     HTTP_INSUFFICIENT_STORAGE
 );
 
-our $VERSION = '0.7.1';
+our $VERSION = '0.7.2';
 
 require XSLoader;
 XSLoader::load('nginx', $VERSION);
--- a/src/http/ngx_http.c
+++ b/src/http/ngx_http.c
@@ -1024,12 +1024,15 @@ ngx_http_create_locations_tree(ngx_conf_
     lq = (ngx_http_location_queue_t *) q;
     len = lq->name->len - prefix;
 
-    node = ngx_pcalloc(cf->pool,
-                       offsetof(ngx_http_location_tree_node_t, name) + len);
+    node = ngx_palloc_aligned(cf->pool,
+                          offsetof(ngx_http_location_tree_node_t, name) + len);
     if (node == NULL) {
         return NULL;
     }
 
+    node->left = NULL;
+    node->right = NULL;
+    node->tree = NULL;
     node->exact = lq->exact;
     node->inclusive = lq->inclusive;
 
@@ -1297,14 +1300,14 @@ ngx_http_optimize_servers(ngx_conf_t *cf
     ngx_array_t *in_ports)
 {
     ngx_int_t                  rc;
-    ngx_uint_t                 s, p, a, i;
+    ngx_uint_t                 s, p, a;
     ngx_hash_init_t            hash;
     ngx_http_server_name_t    *name;
     ngx_hash_keys_arrays_t     ha;
     ngx_http_conf_in_port_t   *in_port;
     ngx_http_conf_in_addr_t   *in_addr;
 #if (NGX_PCRE)
-    ngx_uint_t                 regex;
+    ngx_uint_t                 regex, i;
 #endif
 
     in_port = in_ports->elts;
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -860,6 +860,8 @@ ngx_int_t
 ngx_http_core_post_rewrite_phase(ngx_http_request_t *r,
     ngx_http_phase_handler_t *ph)
 {
+    ngx_http_core_srv_conf_t  *cscf;
+
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "post rewrite phase: %ui", r->phase_handler);
 
@@ -891,6 +893,9 @@ ngx_http_core_post_rewrite_phase(ngx_htt
 
     r->phase_handler = ph->next;
 
+    cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+    r->loc_conf = cscf->ctx->loc_conf;
+
     return NGX_AGAIN;
 }
 
--- a/src/http/ngx_http_special_response.c
+++ b/src/http/ngx_http_special_response.c
@@ -332,8 +332,9 @@ ngx_http_special_response_handler(ngx_ht
     ngx_http_err_page_t       *err_page;
     ngx_http_core_loc_conf_t  *clcf;
 
-    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
-                   "http special response: %d, \"%V\"", error, &r->uri);
+    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                   "http special response: %d, \"%V?%V\"",
+                   error, &r->uri, &r->args);
 
     rc = ngx_http_discard_request_body(r);
 
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -76,6 +76,13 @@ static ngx_command_t  ngx_mail_ssl_comma
       offsetof(ngx_mail_ssl_conf_t, certificate_key),
       NULL },
 
+    { ngx_string("ssl_dhparam"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, dhparam),
+      NULL },
+
     { ngx_string("ssl_protocols"),
       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
       ngx_conf_set_bitmask_slot,
@@ -163,10 +170,9 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
      * set by ngx_pcalloc():
      *
      *     scf->protocols = 0;
-     *     scf->certificate.len = 0;
-     *     scf->certificate.data = NULL;
-     *     scf->certificate_key.len = 0;
-     *     scf->certificate_key.data = NULL;
+     *     scf->certificate = { 0, NULL };
+     *     scf->certificate_key = { 0, NULL };
+     *     scf->dhparam = { 0, NULL };
      *     scf->ciphers.len = 0;
      *     scf->ciphers.data = NULL;
      *     scf->shm_zone = NULL;
@@ -213,6 +219,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
                          NGX_DEFLAUT_CERTIFICATE_KEY);
 
+    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
+
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
 
 
@@ -260,6 +268,10 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
         return NGX_CONF_ERROR;
     }
 
+    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
     ngx_conf_merge_value(conf->builtin_session_cache,
                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
 
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@@ -34,6 +34,7 @@ typedef struct {
 
     ngx_str_t        certificate;
     ngx_str_t        certificate_key;
+    ngx_str_t        dhparam;
 
     ngx_str_t        ciphers;