comparison src/imap/ngx_imap_ssl_module.c @ 96:ca4f70b3ccc6 NGINX_0_2_2
nginx 0.2.2
*) Feature: the "config errmsg" command of the ngx_http_ssi_module.
*) Change: the ngx_http_geo_module variables can be overridden by the
"set" directive.
*) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers"
directives of the ngx_http_ssl_module and ngx_imap_ssl_module.
*) Bugfix: the ngx_http_autoindex_module did not show long file names
correctly.
*) Bugfix: the ngx_http_autoindex_module now does not show files
starting with a dot.
*) Bugfix: if the SSL handshake failed then another connection may be
closed too.
Thanks to Rob Mueller.
*) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Fri, 30 Sep 2005 00:00:00 +0400 |
parents | 45945fa8b8ba |
children | 408f195b3482 |
95:2f95911bc4b4 | 96:ca4f70b3ccc6 |
---|---|
9 #include <ngx_imap.h> | 9 #include <ngx_imap.h> |
10 | 10 |
11 | 11 |
12 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" | 12 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" |
13 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" | 13 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" |
14 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" | |
14 | 15 |
15 | 16 |
16 static void *ngx_imap_ssl_create_conf(ngx_conf_t *cf); | 17 static void *ngx_imap_ssl_create_conf(ngx_conf_t *cf); |
17 static char *ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | 18 static char *ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); |
19 | |
20 | |
21 static ngx_conf_bitmask_t ngx_imap_ssl_protocols[] = { | |
22 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
23 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
24 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
25 { ngx_null_string, 0 } | |
26 }; | |
18 | 27 |
19 | 28 |
20 static ngx_command_t ngx_imap_ssl_commands[] = { | 29 static ngx_command_t ngx_imap_ssl_commands[] = { |
21 | 30 |
22 { ngx_string("ssl"), | 31 { ngx_string("ssl"), |
38 ngx_conf_set_str_slot, | 47 ngx_conf_set_str_slot, |
39 NGX_IMAP_SRV_CONF_OFFSET, | 48 NGX_IMAP_SRV_CONF_OFFSET, |
40 offsetof(ngx_imap_ssl_conf_t, certificate_key), | 49 offsetof(ngx_imap_ssl_conf_t, certificate_key), |
41 NULL }, | 50 NULL }, |
42 | 51 |
52 { ngx_string("ssl_protocols"), | |
53 NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1, | |
54 ngx_conf_set_bitmask_slot, | |
55 NGX_IMAP_SRV_CONF_OFFSET, | |
56 offsetof(ngx_imap_ssl_conf_t, protocols), | |
57 &ngx_imap_ssl_protocols }, | |
58 | |
43 { ngx_string("ssl_ciphers"), | 59 { ngx_string("ssl_ciphers"), |
44 NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1, | 60 NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1, |
45 ngx_conf_set_str_slot, | 61 ngx_conf_set_str_slot, |
46 NGX_IMAP_SRV_CONF_OFFSET, | 62 NGX_IMAP_SRV_CONF_OFFSET, |
47 offsetof(ngx_imap_ssl_conf_t, ciphers), | 63 offsetof(ngx_imap_ssl_conf_t, ciphers), |
64 NULL }, | |
65 | |
66 { ngx_string("ssl_prefer_server_ciphers"), | |
67 NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_FLAG, | |
68 ngx_conf_set_flag_slot, | |
69 NGX_IMAP_SRV_CONF_OFFSET, | |
70 offsetof(ngx_imap_ssl_conf_t, prefer_server_ciphers), | |
48 NULL }, | 71 NULL }, |
49 | 72 |
50 ngx_null_command | 73 ngx_null_command |
51 }; | 74 }; |
52 | 75 |
90 } | 113 } |
91 | 114 |
92 /* | 115 /* |
93 * set by ngx_pcalloc(): | 116 * set by ngx_pcalloc(): |
94 * | 117 * |
118 * scf->protocols = 0; | |
119 * | |
95 * scf->certificate.len = 0; | 120 * scf->certificate.len = 0; |
96 * scf->certificate.data = NULL; | 121 * scf->certificate.data = NULL; |
97 * scf->certificate_key.len = 0; | 122 * scf->certificate_key.len = 0; |
98 * scf->certificate_key.data = NULL; | 123 * scf->certificate_key.data = NULL; |
99 * scf->ciphers.len = 0; | 124 * scf->ciphers.len = 0; |
100 * scf->ciphers.data = NULL; | 125 * scf->ciphers.data = NULL; |
101 */ | 126 */ |
102 | 127 |
103 scf->enable = NGX_CONF_UNSET; | 128 scf->enable = NGX_CONF_UNSET; |
129 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
104 | 130 |
105 return scf; | 131 return scf; |
106 } | 132 } |
107 | 133 |
108 | 134 |
116 | 142 |
117 if (conf->enable == 0) { | 143 if (conf->enable == 0) { |
118 return NGX_CONF_OK; | 144 return NGX_CONF_OK; |
119 } | 145 } |
120 | 146 |
147 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
148 prev->prefer_server_ciphers, 0); | |
149 | |
150 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
151 (NGX_CONF_BITMASK_SET | |
152 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); | |
153 | |
121 ngx_conf_merge_str_value(conf->certificate, prev->certificate, | 154 ngx_conf_merge_str_value(conf->certificate, prev->certificate, |
122 NGX_DEFLAUT_CERTIFICATE); | 155 NGX_DEFLAUT_CERTIFICATE); |
123 | 156 |
124 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, | 157 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, |
125 NGX_DEFLAUT_CERTIFICATE_KEY); | 158 NGX_DEFLAUT_CERTIFICATE_KEY); |
126 | 159 |
127 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, ""); | 160 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); |
128 | 161 |
129 | 162 |
130 /* TODO: configure methods */ | 163 conf->ssl.log = cf->log; |
131 | 164 |
132 conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); | 165 if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) { |
133 | 166 return NGX_CONF_ERROR; |
134 if (conf->ssl_ctx == NULL) { | 167 } |
135 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed"); | 168 |
136 return NGX_CONF_ERROR; | 169 if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL) |
137 } | |
138 | |
139 if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx) | |
140 == NULL) | |
141 { | 170 { |
142 return NGX_CONF_ERROR; | 171 return NGX_CONF_ERROR; |
143 } | 172 } |
144 | 173 |
145 | 174 if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data, |
146 #if 0 | 175 conf->certificate_key.data) != NGX_OK) |
147 SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL); | 176 { |
148 SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_NO_SSLv3); | 177 return NGX_CONF_ERROR; |
149 SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_SINGLE_DH_USE); | 178 } |
150 #endif | |
151 | 179 |
152 if (conf->ciphers.len) { | 180 if (conf->ciphers.len) { |
153 if (SSL_CTX_set_cipher_list(conf->ssl_ctx, | 181 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
154 (const char *) conf->ciphers.data) == 0) | 182 (const char *) conf->ciphers.data) == 0) |
155 { | 183 { |
156 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 184 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
157 "SSL_CTX_set_cipher_list(\"%V\") failed", | 185 "SSL_CTX_set_cipher_list(\"%V\") failed", |
158 &conf->ciphers); | 186 &conf->ciphers); |
159 } | 187 } |
160 } | 188 } |
161 | 189 |
162 if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx, | 190 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { |
163 (char *) conf->certificate.data) == 0) | 191 return NGX_CONF_ERROR; |
164 { | 192 } |
165 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 193 |
166 "SSL_CTX_use_certificate_chain_file(\"%s\") failed", | 194 SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER); |
167 conf->certificate.data); | 195 |
168 return NGX_CONF_ERROR; | 196 SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_imap_session_id_ctx, |
169 } | |
170 | |
171 | |
172 if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx, | |
173 (char *) conf->certificate_key.data, | |
174 SSL_FILETYPE_PEM) == 0) | |
175 { | |
176 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | |
177 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", | |
178 conf->certificate_key.data); | |
179 return NGX_CONF_ERROR; | |
180 } | |
181 | |
182 SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL); | |
183 | |
184 SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
185 | |
186 SSL_CTX_set_read_ahead(conf->ssl_ctx, 1); | |
187 | |
188 SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER); | |
189 | |
190 SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_imap_session_id_ctx, | |
191 sizeof(ngx_imap_session_id_ctx) - 1); | 197 sizeof(ngx_imap_session_id_ctx) - 1); |
192 | 198 |
193 return NGX_CONF_OK; | 199 return NGX_CONF_OK; |
194 } | 200 } |
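Review bot: The merged `prefer_server_ciphers` value (new lines 147-148) is never applied in the visible body of ngx_imap_ssl_merge_conf: ngx_ssl_create() is passed only `conf->protocols` and nothing sets the option on `conf->ssl.ctx`, so unless ngx_ssl_create() reads the flag through the struct, the new `ssl_prefer_server_ciphers` directive has no effect; adding `if (conf->prefer_server_ciphers) { SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); }` after the certificate is loaded would make it effective. The `SSL_CTX_set_cipher_list()` failure path (new lines 180-188) only logs and then continues, unlike every other failure in the function, which returns NGX_CONF_ERROR; since `ssl_ciphers` now defaults to a non-empty string that branch always runs, and a mistyped cipher string silently leaves OpenSSL's built-in list in place, so `return NGX_CONF_ERROR;` belongs after the ngx_ssl_error() call. NGX_DEFLAUT_CIPHERS enables `+LOW`, `+EXP` and `+SSLv2` and the protocol default includes NGX_SSL_SSLv2; a comment at the `#define` recording that these defaults are chosen for compatibility with the export MSIE 5.x clients named in the changelog, and that `ssl_protocols` and `ssl_ciphers` are the knobs for tightening them per deployment, would preserve the rationale for the next reader. The new macro also inherits the `NGX_DEFLAUT_` misspelling of the existing names; if the http module shares it, fixing both together is cleaner than spreading it. The signature of ngx_imap_ssl_merge_conf and the start of its body are outside the shown lines.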