Mercurial > hg > nginx

annotate src/event/ngx_event_openssl.h @ 9078:0f4f781e57c1 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: using ngx_ssl_handshake_log().
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 23 Feb 2023 16:17:29 +0400
parents 3be953161026
children ee40e2b1d083
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
2 /*
444
42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents: 441
diff changeset
3 * Copyright (C) Igor Sysoev
4412
d620f497c50f Copyright updated.
Maxim Konovalov <maxim@nginx.com>
parents: 4400
diff changeset
4 * Copyright (C) Nginx, Inc.
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
5 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
6
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
7
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
8 #ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
9 #define _NGX_EVENT_OPENSSL_H_INCLUDED_
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
10
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
11
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
12 #include <ngx_config.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
13 #include <ngx_core.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
14
7898
8f7107617550 SSL: silenced warnings when building with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7897
diff changeset
15 #define OPENSSL_SUPPRESS_DEPRECATED
8f7107617550 SSL: silenced warnings when building with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7897
diff changeset
16
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
17 #include <openssl/ssl.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
18 #include <openssl/err.h>
5753
febce92c82f6 SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents: 5744
diff changeset
19 #include <openssl/bn.h>
968
1b60ecc8cdb7 OPENSSL_config()
Igor Sysoev <igor@sysoev.ru>
parents: 671
diff changeset
20 #include <openssl/conf.h>
5753
febce92c82f6 SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents: 5744
diff changeset
21 #include <openssl/crypto.h>
febce92c82f6 SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents: 5744
diff changeset
22 #include <openssl/dh.h>
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5753
diff changeset
23 #ifndef OPENSSL_NO_ENGINE
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
24 #include <openssl/engine.h>
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5753
diff changeset
25 #endif
3464
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents: 3300
diff changeset
26 #include <openssl/evp.h>
8668
af6363758ef9 QUIC: fixed build with OpenSSL < 1.1.1.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8618
diff changeset
27 #if (NGX_QUIC)
8171
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8167
diff changeset
28 #ifdef OPENSSL_IS_BORINGSSL
8167
5d91389e0fd3 Initial QUIC support in http.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7612
diff changeset
29 #include <openssl/hkdf.h>
8203
ec0c44aa2881 Chacha20 header protection support with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8171
diff changeset
30 #include <openssl/chacha.h>
8171
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8167
diff changeset
31 #else
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8167
diff changeset
32 #include <openssl/kdf.h>
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8167
diff changeset
33 #endif
8668
af6363758ef9 QUIC: fixed build with OpenSSL < 1.1.1.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8618
diff changeset
34 #endif
7132
8076ba459f05 SSL: include <openssl/hmac.h>.
Alessandro Ghedini <alessandro@ghedini.me>
parents: 7091
diff changeset
35 #include <openssl/hmac.h>
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5753
diff changeset
36 #ifndef OPENSSL_NO_OCSP
4873
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
37 #include <openssl/ocsp.h>
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5753
diff changeset
38 #endif
5753
febce92c82f6 SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents: 5744
diff changeset
39 #include <openssl/rand.h>
febce92c82f6 SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents: 5744
diff changeset
40 #include <openssl/x509.h>
febce92c82f6 SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents: 5744
diff changeset
41 #include <openssl/x509v3.h>
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
42
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
43 #define NGX_SSL_NAME "OpenSSL"
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
44
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
45
6485
382fc7069e3a SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6261
diff changeset
46 #if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
382fc7069e3a SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6261
diff changeset
47 #undef OPENSSL_VERSION_NUMBER
7337
cab37803ebb3 SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
48 #if (LIBRESSL_VERSION_NUMBER >= 0x2080000fL)
cab37803ebb3 SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
49 #define OPENSSL_VERSION_NUMBER 0x1010000fL
cab37803ebb3 SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
50 #else
6485
382fc7069e3a SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6261
diff changeset
51 #define OPENSSL_VERSION_NUMBER 0x1000107fL
382fc7069e3a SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6261
diff changeset
52 #endif
7337
cab37803ebb3 SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
53 #endif
6485
382fc7069e3a SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6261
diff changeset
54
382fc7069e3a SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6261
diff changeset
55
6492
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
56 #if (OPENSSL_VERSION_NUMBER >= 0x10100001L)
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
57
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
58 #define ngx_ssl_version() OpenSSL_version(OPENSSL_VERSION)
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
59
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
60 #else
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
61
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
62 #define ngx_ssl_version() SSLeay_version(SSLEAY_VERSION)
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
63
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
64 #endif
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
65
3b77efe05b92 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
66
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
67 #define ngx_ssl_session_t SSL_SESSION
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
68 #define ngx_ssl_conn_t SSL
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
69
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
70
6982
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
71 #if (OPENSSL_VERSION_NUMBER < 0x10002000L)
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
72 #define SSL_is_server(s) (s)->server
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
73 #endif
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
74
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
75
7895
8ebda26e4f98 SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
76 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined SSL_get_peer_certificate)
8ebda26e4f98 SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
77 #define SSL_get_peer_certificate(s) SSL_get1_peer_certificate(s)
8ebda26e4f98 SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
78 #endif
8ebda26e4f98 SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
79
8ebda26e4f98 SSL: SSL_get_peer_certificate() is deprecated in OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
80
7897
4195a6f0c61c SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7895
diff changeset
81 #if (OPENSSL_VERSION_NUMBER < 0x30000000L && !defined ERR_peek_error_data)
4195a6f0c61c SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7895
diff changeset
82 #define ERR_peek_error_data(d, f) ERR_peek_error_line_data(NULL, NULL, d, f)
4195a6f0c61c SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7895
diff changeset
83 #endif
4195a6f0c61c SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7895
diff changeset
84
4195a6f0c61c SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7895
diff changeset
85
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
86 typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
87
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
88
6735
e38e9c50a40e Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6591
diff changeset
89 struct ngx_ssl_s {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
90 SSL_CTX *ctx;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
91 ngx_log_t *log;
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
92 size_t buffer_size;
6735
e38e9c50a40e Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6591
diff changeset
93 };
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
94
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
95
6735
e38e9c50a40e Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6591
diff changeset
96 struct ngx_ssl_connection_s {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
97 ngx_ssl_conn_t *connection;
6261
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5882
diff changeset
98 SSL_CTX *session_ctx;
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
99
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
100 ngx_int_t last;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
101 ngx_buf_t *buf;
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
102 size_t buffer_size;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
103
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
104 ngx_connection_handler_pt handler;
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
105
7320
696df3ac27ac SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7132
diff changeset
106 ngx_ssl_session_t *session;
696df3ac27ac SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7132
diff changeset
107 ngx_connection_handler_pt save_session;
696df3ac27ac SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7132
diff changeset
108
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
109 ngx_event_handler_pt saved_read_handler;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
110 ngx_event_handler_pt saved_write_handler;
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 473
diff changeset
111
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
112 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
113
7357
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7337
diff changeset
114 u_char early_buf;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7337
diff changeset
115
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
116 unsigned handshaked:1;
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
117 unsigned handshake_rejected:1;
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3154
diff changeset
118 unsigned renegotiation:1;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
119 unsigned buffer:1;
7941
65946a191197 SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7935
diff changeset
120 unsigned sendfile:1;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
121 unsigned no_wait_shutdown:1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
122 unsigned no_send_shutdown:1;
7871
5f765427c17a Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7732
diff changeset
123 unsigned shutdown_without_free:1;
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5223
diff changeset
124 unsigned handshake_buffer_set:1;
8086
496241338da5 SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8085
diff changeset
125 unsigned session_timeout_set:1;
7357
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7337
diff changeset
126 unsigned try_early_data:1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7337
diff changeset
127 unsigned in_early:1;
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
128 unsigned in_ocsp:1;
7357
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7337
diff changeset
129 unsigned early_preread:1;
7431
294162223c7c SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7357
diff changeset
130 unsigned write_blocked:1;
6735
e38e9c50a40e Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6591
diff changeset
131 };
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
132
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
133
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1924
diff changeset
134 #define NGX_SSL_NO_SCACHE -2
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1924
diff changeset
135 #define NGX_SSL_NONE_SCACHE -3
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1924
diff changeset
136 #define NGX_SSL_NO_BUILTIN_SCACHE -4
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1924
diff changeset
137 #define NGX_SSL_DFLT_BUILTIN_SCACHE -5
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
138
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
139
1778
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
140 #define NGX_SSL_MAX_SESSION_SIZE 4096
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
141
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
142 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
143
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
144 struct ngx_ssl_sess_id_s {
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
145 ngx_rbtree_node_t node;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
146 size_t len;
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
147 ngx_queue_t queue;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
148 time_t expire;
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8075
diff changeset
149 u_char id[32];
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1014
diff changeset
150 #if (NGX_PTR_SIZE == 8)
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8075
diff changeset
151 u_char *session;
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8075
diff changeset
152 #else
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8075
diff changeset
153 u_char session[1];
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1014
diff changeset
154 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
155 };
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
156
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
157
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
158 typedef struct {
8084
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
159 u_char name[16];
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
160 u_char hmac_key[32];
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
161 u_char aes_key[32];
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
162 time_t expire;
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
163 unsigned size:8;
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
164 unsigned shared:1;
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
165 } ngx_ssl_ticket_key_t;
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
166
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
167
0f3d98e4bcc5 SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8082
diff changeset
168 typedef struct {
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1017
diff changeset
169 ngx_rbtree_t session_rbtree;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1017
diff changeset
170 ngx_rbtree_node_t sentinel;
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
171 ngx_queue_t expire_queue;
8085
043006e5a0b1 SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8084
diff changeset
172 ngx_ssl_ticket_key_t ticket_keys[3];
8075
38c71f9b2293 SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7973
diff changeset
173 time_t fail_time;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
174 } ngx_ssl_session_cache_t;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
175
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
176
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
177 #define NGX_SSL_SSLv2 0x0002
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
178 #define NGX_SSL_SSLv3 0x0004
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
179 #define NGX_SSL_TLSv1 0x0008
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
180 #define NGX_SSL_TLSv1_1 0x0010
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
181 #define NGX_SSL_TLSv1_2 0x0020
6981
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6854
diff changeset
182 #define NGX_SSL_TLSv1_3 0x0040
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
183
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
184
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
185 #define NGX_SSL_BUFFER 1
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
186 #define NGX_SSL_CLIENT 2
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
187
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
188 #define NGX_SSL_BUFSIZE 16384
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
189
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
190
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
191 ngx_int_t ngx_ssl_init(ngx_log_t *log);
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
192 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
7461
a68799465b19 SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7431
diff changeset
193
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
194 ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
195 ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
196 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
197 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
7461
a68799465b19 SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7431
diff changeset
198 ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
a68799465b19 SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7431
diff changeset
199 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
a68799465b19 SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7431
diff changeset
200
6591
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6550
diff changeset
201 ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6550
diff changeset
202 ngx_uint_t prefer_server_ciphers);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
203 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
204 ngx_str_t *cert, ngx_int_t depth);
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
205 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
206 ngx_str_t *cert, ngx_int_t depth);
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
207 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
208 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
209 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
210 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
211 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
212 ngx_int_t ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
213 ngx_uint_t depth, ngx_shm_zone_t *shm_zone);
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
214 ngx_int_t ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
215 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
8080
bf02161f291e SSL: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8078
diff changeset
216
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
217 ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
218 ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
219 void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
220 ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data);
8080
bf02161f291e SSL: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8078
diff changeset
221
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
222 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
7463
180df83473a4 SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7461
diff changeset
223 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
180df83473a4 SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7461
diff changeset
224 ngx_array_t *passwords);
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
225 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
226 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7320
diff changeset
227 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7320
diff changeset
228 ngx_uint_t enable);
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
229 ngx_int_t ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
230 ngx_array_t *commands);
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
231
7320
696df3ac27ac SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7132
diff changeset
232 ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
696df3ac27ac SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7132
diff changeset
233 ngx_uint_t enable);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
234 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
7465
6708bec13757 SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7463
diff changeset
235 ngx_array_t *certificates, ssize_t builtin_session_cache,
6708bec13757 SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7463
diff changeset
236 ngx_shm_zone_t *shm_zone, time_t timeout);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5395
diff changeset
237 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5395
diff changeset
238 ngx_array_t *paths);
3992
a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
239 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
240
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
241 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
242 ngx_uint_t flags);
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
243
1924
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
244 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
245 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
7320
696df3ac27ac SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7132
diff changeset
246 ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
696df3ac27ac SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7132
diff changeset
247 ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
248 #define ngx_ssl_free_session SSL_SESSION_free
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
249 #define ngx_ssl_get_connection(ssl_conn) \
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
250 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
251 #define ngx_ssl_get_server_conf(ssl_ctx) \
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
252 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
253
4884
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
254 #define ngx_ssl_verify_error_optional(n) \
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
255 (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
256 || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
257 || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
258 || n == X509_V_ERR_CERT_UNTRUSTED \
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
259 || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
260
5661
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
261 ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
262
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
263
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
264 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
265 ngx_str_t *s);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
266 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
267 ngx_str_t *s);
6816
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
268 ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool,
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
269 ngx_str_t *s);
7973
3443c02ca1d1 SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents: 7941
diff changeset
270 ngx_int_t ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool,
3443c02ca1d1 SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents: 7941
diff changeset
271 ngx_str_t *s);
6817
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
272 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
273 ngx_str_t *s);
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 2996
diff changeset
274 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 2996
diff changeset
275 ngx_str_t *s);
5573
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5487
diff changeset
276 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5487
diff changeset
277 ngx_str_t *s);
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7320
diff changeset
278 ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7320
diff changeset
279 ngx_str_t *s);
5658
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
280 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
281 ngx_str_t *s);
7935
eb6c77e6d55d SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents: 7900
diff changeset
282 ngx_int_t ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool,
eb6c77e6d55d SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents: 7900
diff changeset
283 ngx_str_t *s);
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
284 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
285 ngx_str_t *s);
2045
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
286 ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
287 ngx_str_t *s);
7091
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6982
diff changeset
288 ngx_int_t ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool,
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6982
diff changeset
289 ngx_str_t *s);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
290 ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
291 ngx_str_t *s);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
292 ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
293 ngx_str_t *s);
6780
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6735
diff changeset
294 ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6735
diff changeset
295 ngx_str_t *s);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6735
diff changeset
296 ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6735
diff changeset
297 ngx_str_t *s);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
298 ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
299 ngx_str_t *s);
5700
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5661
diff changeset
300 ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5661
diff changeset
301 ngx_str_t *s);
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2123
diff changeset
302 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2123
diff changeset
303 ngx_str_t *s);
6815
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
304 ngx_int_t ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
305 ngx_str_t *s);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
306 ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
307 ngx_str_t *s);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
308 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
309 ngx_str_t *s);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
310
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
311
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
312 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
9078
0f4f781e57c1 QUIC: using ngx_ssl_handshake_log().
Sergey Kandaurov <pluknet@nginx.com>
parents: 9035
diff changeset
313 #if (NGX_DEBUG)
0f4f781e57c1 QUIC: using ngx_ssl_handshake_log().
Sergey Kandaurov <pluknet@nginx.com>
parents: 9035
diff changeset
314 void ngx_ssl_handshake_log(ngx_connection_t *c);
0f4f781e57c1 QUIC: using ngx_ssl_handshake_log().
Sergey Kandaurov <pluknet@nginx.com>
parents: 9035
diff changeset
315 #endif
469
2ff194b74f1e nginx-0.1.9-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
316 ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);
539
371c1cee100d nginx-0.1.44-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 509
diff changeset
317 ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);
5882
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5777
diff changeset
318 ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit);
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
319 ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in,
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
320 off_t limit);
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
321 void ngx_ssl_free_buffer(ngx_connection_t *c);
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
322 ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
323 void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
324 char *fmt, ...);
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 489
diff changeset
325 void ngx_ssl_cleanup_ctx(void *data);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
326
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
327
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
328 extern int ngx_ssl_connection_index;
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
329 extern int ngx_ssl_server_conf_index;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
330 extern int ngx_ssl_session_cache_index;
8082
c71e113b57d8 SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8081
diff changeset
331 extern int ngx_ssl_ticket_keys_index;
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7612
diff changeset
332 extern int ngx_ssl_ocsp_index;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
333 extern int ngx_ssl_certificate_index;
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6492
diff changeset
334 extern int ngx_ssl_next_certificate_index;
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
335 extern int ngx_ssl_certificate_name_index;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
336 extern int ngx_ssl_stapling_index;
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
337
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
338
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
339 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */