Mercurial > hg > nginx
annotate src/mail/ngx_mail_ssl_module.c @ 5425:1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.
ssl_session_ticket_key session_tickets/current.key;
ssl_session_ticket_key session_tickets/prev-1h.key;
ssl_session_ticket_key session_tickets/prev-2h.key;
Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
| author | Piotr Sikora <piotr@cloudflare.com> |
|---|---|
| date | Fri, 11 Oct 2013 16:05:24 -0700 |
| parents | 09fc4598fc8e |
| children | d049b0ea00a3 |
| rev | line source |
|---|---|
| 539 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
| 539 | 5 */ |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 1136 | 10 #include <ngx_mail.h> |
| 539 | 11 |
| 12 | |
| 3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
| 14 #define NGX_DEFAULT_ECDH_CURVE "prime256v1" | |
| 539 | 15 |
| 16 | |
| 1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
| 18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
| 2224 | 19 |
| 20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 21 void *conf); | |
| 22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 23 void *conf); | |
| 1136 | 24 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
| 976 | 25 void *conf); |
| 539 | 26 |
| 27 | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
28 static ngx_conf_enum_t ngx_mail_starttls_state[] = { |
| 1136 | 29 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF }, |
| 30 { ngx_string("on"), NGX_MAIL_STARTTLS_ON }, | |
| 31 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY }, | |
| 583 | 32 { ngx_null_string, 0 } |
| 33 }; | |
| 34 | |
| 35 | |
| 36 | |
| 1136 | 37 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = { |
| 547 | 38 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 39 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 40 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
41 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
42 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
| 547 | 43 { ngx_null_string, 0 } |
| 44 }; | |
| 45 | |
| 46 | |
| 1136 | 47 static ngx_command_t ngx_mail_ssl_commands[] = { |
| 539 | 48 |
| 49 { ngx_string("ssl"), | |
| 1136 | 50 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 2224 | 51 ngx_mail_ssl_enable, |
| 1136 | 52 NGX_MAIL_SRV_CONF_OFFSET, |
| 53 offsetof(ngx_mail_ssl_conf_t, enable), | |
| 539 | 54 NULL }, |
| 55 | |
| 583 | 56 { ngx_string("starttls"), |
| 1136 | 57 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 2224 | 58 ngx_mail_ssl_starttls, |
| 1136 | 59 NGX_MAIL_SRV_CONF_OFFSET, |
| 60 offsetof(ngx_mail_ssl_conf_t, starttls), | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
61 ngx_mail_starttls_state }, |
| 583 | 62 |
| 539 | 63 { ngx_string("ssl_certificate"), |
| 1136 | 64 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 65 ngx_conf_set_str_slot, |
| 1136 | 66 NGX_MAIL_SRV_CONF_OFFSET, |
| 67 offsetof(ngx_mail_ssl_conf_t, certificate), | |
| 539 | 68 NULL }, |
| 69 | |
| 70 { ngx_string("ssl_certificate_key"), | |
| 1136 | 71 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 72 ngx_conf_set_str_slot, |
| 1136 | 73 NGX_MAIL_SRV_CONF_OFFSET, |
| 74 offsetof(ngx_mail_ssl_conf_t, certificate_key), | |
| 539 | 75 NULL }, |
| 76 | |
| 2044 | 77 { ngx_string("ssl_dhparam"), |
| 78 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 79 ngx_conf_set_str_slot, | |
| 80 NGX_MAIL_SRV_CONF_OFFSET, | |
| 81 offsetof(ngx_mail_ssl_conf_t, dhparam), | |
| 82 NULL }, | |
| 83 | |
| 3960 | 84 { ngx_string("ssl_ecdh_curve"), |
| 85 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 86 ngx_conf_set_str_slot, | |
| 87 NGX_MAIL_SRV_CONF_OFFSET, | |
| 88 offsetof(ngx_mail_ssl_conf_t, ecdh_curve), | |
| 89 NULL }, | |
| 90 | |
| 547 | 91 { ngx_string("ssl_protocols"), |
| 1136 | 92 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, |
| 547 | 93 ngx_conf_set_bitmask_slot, |
| 1136 | 94 NGX_MAIL_SRV_CONF_OFFSET, |
| 95 offsetof(ngx_mail_ssl_conf_t, protocols), | |
| 96 &ngx_mail_ssl_protocols }, | |
| 547 | 97 |
| 539 | 98 { ngx_string("ssl_ciphers"), |
| 1136 | 99 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 100 ngx_conf_set_str_slot, |
| 1136 | 101 NGX_MAIL_SRV_CONF_OFFSET, |
| 102 offsetof(ngx_mail_ssl_conf_t, ciphers), | |
| 539 | 103 NULL }, |
| 104 | |
| 547 | 105 { ngx_string("ssl_prefer_server_ciphers"), |
| 1136 | 106 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 547 | 107 ngx_conf_set_flag_slot, |
| 1136 | 108 NGX_MAIL_SRV_CONF_OFFSET, |
| 109 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers), | |
| 547 | 110 NULL }, |
| 563 | 111 |
| 976 | 112 { ngx_string("ssl_session_cache"), |
| 1136 | 113 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
| 114 ngx_mail_ssl_session_cache, | |
| 115 NGX_MAIL_SRV_CONF_OFFSET, | |
| 976 | 116 0, |
| 117 NULL }, | |
| 118 | |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
119 { ngx_string("ssl_session_ticket_key"), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
120 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
121 ngx_conf_set_str_array_slot, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
122 NGX_MAIL_SRV_CONF_OFFSET, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
123 offsetof(ngx_mail_ssl_conf_t, session_ticket_keys), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
124 NULL }, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
125 |
| 573 | 126 { ngx_string("ssl_session_timeout"), |
| 1136 | 127 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 573 | 128 ngx_conf_set_sec_slot, |
| 1136 | 129 NGX_MAIL_SRV_CONF_OFFSET, |
| 130 offsetof(ngx_mail_ssl_conf_t, session_timeout), | |
| 573 | 131 NULL }, |
| 547 | 132 |
| 539 | 133 ngx_null_command |
| 134 }; | |
| 135 | |
| 136 | |
| 1136 | 137 static ngx_mail_module_t ngx_mail_ssl_module_ctx = { |
|
1487
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
138 NULL, /* protocol */ |
|
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
139 |
| 539 | 140 NULL, /* create main configuration */ |
| 141 NULL, /* init main configuration */ | |
| 142 | |
| 1136 | 143 ngx_mail_ssl_create_conf, /* create server configuration */ |
| 144 ngx_mail_ssl_merge_conf /* merge server configuration */ | |
| 539 | 145 }; |
| 146 | |
| 147 | |
| 1136 | 148 ngx_module_t ngx_mail_ssl_module = { |
| 539 | 149 NGX_MODULE_V1, |
| 1136 | 150 &ngx_mail_ssl_module_ctx, /* module context */ |
| 151 ngx_mail_ssl_commands, /* module directives */ | |
| 152 NGX_MAIL_MODULE, /* module type */ | |
| 541 | 153 NULL, /* init master */ |
| 539 | 154 NULL, /* init module */ |
| 541 | 155 NULL, /* init process */ |
| 156 NULL, /* init thread */ | |
| 157 NULL, /* exit thread */ | |
| 158 NULL, /* exit process */ | |
| 159 NULL, /* exit master */ | |
| 160 NGX_MODULE_V1_PADDING | |
| 539 | 161 }; |
| 162 | |
| 163 | |
| 1136 | 164 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL"); |
| 543 | 165 |
| 166 | |
| 539 | 167 static void * |
| 1136 | 168 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
| 577 | 169 { |
| 1136 | 170 ngx_mail_ssl_conf_t *scf; |
| 577 | 171 |
| 1136 | 172 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
| 539 | 173 if (scf == NULL) { |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
174 return NULL; |
| 539 | 175 } |
| 176 | |
| 177 /* | |
| 577 | 178 * set by ngx_pcalloc(): |
| 539 | 179 * |
| 547 | 180 * scf->protocols = 0; |
| 2044 | 181 * scf->certificate = { 0, NULL }; |
| 182 * scf->certificate_key = { 0, NULL }; | |
| 183 * scf->dhparam = { 0, NULL }; | |
| 3960 | 184 * scf->ecdh_curve = { 0, NULL }; |
|
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
185 * scf->ciphers = { 0, NULL }; |
| 976 | 186 * scf->shm_zone = NULL; |
| 539 | 187 */ |
| 188 | |
| 189 scf->enable = NGX_CONF_UNSET; | |
| 2759 | 190 scf->starttls = NGX_CONF_UNSET_UINT; |
| 976 | 191 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
| 192 scf->builtin_session_cache = NGX_CONF_UNSET; | |
| 573 | 193 scf->session_timeout = NGX_CONF_UNSET; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
194 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 539 | 195 |
| 196 return scf; | |
| 197 } | |
| 198 | |
| 199 | |
| 200 static char * | |
| 1136 | 201 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
| 539 | 202 { |
| 1136 | 203 ngx_mail_ssl_conf_t *prev = parent; |
| 204 ngx_mail_ssl_conf_t *conf = child; | |
| 539 | 205 |
| 2224 | 206 char *mode; |
| 563 | 207 ngx_pool_cleanup_t *cln; |
| 208 | |
| 539 | 209 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
| 2224 | 210 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
| 211 NGX_MAIL_STARTTLS_OFF); | |
| 539 | 212 |
| 573 | 213 ngx_conf_merge_value(conf->session_timeout, |
| 214 prev->session_timeout, 300); | |
| 215 | |
| 547 | 216 ngx_conf_merge_value(conf->prefer_server_ciphers, |
| 217 prev->prefer_server_ciphers, 0); | |
| 218 | |
| 219 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
220 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
221 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 547 | 222 |
| 2224 | 223 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
| 224 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
| 539 | 225 |
| 2044 | 226 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
| 227 | |
| 3960 | 228 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 229 NGX_DEFAULT_ECDH_CURVE); | |
| 230 | |
| 2124 | 231 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 539 | 232 |
| 233 | |
| 547 | 234 conf->ssl.log = cf->log; |
| 539 | 235 |
| 2224 | 236 if (conf->enable) { |
| 237 mode = "ssl"; | |
| 238 | |
| 239 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
| 240 mode = "starttls"; | |
| 241 | |
| 242 } else { | |
| 243 mode = ""; | |
| 244 } | |
| 245 | |
|
5401
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
246 if (conf->file == NULL) { |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
247 conf->file = prev->file; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
248 conf->line = prev->line; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
249 } |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
250 |
| 2224 | 251 if (*mode) { |
| 252 | |
| 253 if (conf->certificate.len == 0) { | |
| 254 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 255 "no \"ssl_certificate\" is defined for " | |
| 256 "the \"%s\" directive in %s:%ui", | |
| 257 mode, conf->file, conf->line); | |
| 258 return NGX_CONF_ERROR; | |
| 259 } | |
| 260 | |
| 261 if (conf->certificate_key.len == 0) { | |
| 262 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 263 "no \"ssl_certificate_key\" is defined for " | |
| 264 "the \"%s\" directive in %s:%ui", | |
| 265 mode, conf->file, conf->line); | |
| 266 return NGX_CONF_ERROR; | |
| 267 } | |
| 268 | |
| 269 } else { | |
| 270 | |
| 271 if (conf->certificate.len == 0) { | |
| 272 return NGX_CONF_OK; | |
| 273 } | |
| 274 | |
| 275 if (conf->certificate_key.len == 0) { | |
| 276 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 277 "no \"ssl_certificate_key\" is defined " | |
| 278 "for certificate \"%V\"", | |
| 279 &conf->certificate); | |
| 280 return NGX_CONF_ERROR; | |
| 281 } | |
| 282 } | |
| 283 | |
| 969 | 284 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 539 | 285 return NGX_CONF_ERROR; |
| 286 } | |
| 287 | |
| 563 | 288 cln = ngx_pool_cleanup_add(cf->pool, 0); |
| 289 if (cln == NULL) { | |
| 539 | 290 return NGX_CONF_ERROR; |
| 291 } | |
| 292 | |
| 563 | 293 cln->handler = ngx_ssl_cleanup_ctx; |
| 294 cln->data = &conf->ssl; | |
| 295 | |
| 296 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
| 297 &conf->certificate_key) | |
| 298 != NGX_OK) | |
| 547 | 299 { |
| 300 return NGX_CONF_ERROR; | |
| 301 } | |
| 539 | 302 |
|
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
303 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
304 (const char *) conf->ciphers.data) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
305 == 0) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
306 { |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
307 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
308 "SSL_CTX_set_cipher_list(\"%V\") failed", |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
309 &conf->ciphers); |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
310 return NGX_CONF_ERROR; |
| 539 | 311 } |
| 312 | |
| 563 | 313 if (conf->prefer_server_ciphers) { |
| 314 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
| 315 } | |
| 316 | |
|
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3938
diff
changeset
|
317 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
| 539 | 318 |
| 2044 | 319 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 320 return NGX_CONF_ERROR; | |
| 321 } | |
| 322 | |
|
5219
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
323 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
324 return NGX_CONF_ERROR; |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
325 } |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
326 |
| 976 | 327 ngx_conf_merge_value(conf->builtin_session_cache, |
| 2032 | 328 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
| 976 | 329 |
| 330 if (conf->shm_zone == NULL) { | |
| 331 conf->shm_zone = prev->shm_zone; | |
| 332 } | |
| 539 | 333 |
| 1136 | 334 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
| 976 | 335 conf->builtin_session_cache, |
| 336 conf->shm_zone, conf->session_timeout) | |
| 337 != NGX_OK) | |
| 338 { | |
| 339 return NGX_CONF_ERROR; | |
| 340 } | |
| 573 | 341 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
342 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
343 prev->session_ticket_keys, NULL); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
344 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
345 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
346 != NGX_OK) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
347 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
348 return NGX_CONF_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
349 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
350 |
| 539 | 351 return NGX_CONF_OK; |
| 352 } | |
| 563 | 353 |
| 577 | 354 |
| 976 | 355 static char * |
| 2224 | 356 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 357 { | |
| 358 ngx_mail_ssl_conf_t *scf = conf; | |
| 359 | |
| 360 char *rv; | |
| 361 | |
| 362 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
| 363 | |
| 364 if (rv != NGX_CONF_OK) { | |
| 365 return rv; | |
| 366 } | |
| 367 | |
| 368 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 369 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 370 "\"starttls\" directive conflicts with \"ssl on\""); | |
| 371 return NGX_CONF_ERROR; | |
| 372 } | |
| 373 | |
| 374 scf->file = cf->conf_file->file.name.data; | |
| 375 scf->line = cf->conf_file->line; | |
| 376 | |
| 377 return NGX_CONF_OK; | |
| 378 } | |
| 379 | |
| 380 | |
| 381 static char * | |
| 382 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 383 { | |
| 384 ngx_mail_ssl_conf_t *scf = conf; | |
| 385 | |
| 386 char *rv; | |
| 387 | |
| 388 rv = ngx_conf_set_enum_slot(cf, cmd, conf); | |
| 389 | |
| 390 if (rv != NGX_CONF_OK) { | |
| 391 return rv; | |
| 392 } | |
| 393 | |
| 394 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 395 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 396 "\"ssl\" directive conflicts with \"starttls\""); | |
| 397 return NGX_CONF_ERROR; | |
| 398 } | |
| 399 | |
| 400 scf->file = cf->conf_file->file.name.data; | |
| 401 scf->line = cf->conf_file->line; | |
| 402 | |
| 403 return NGX_CONF_OK; | |
| 404 } | |
| 405 | |
| 406 | |
| 407 static char * | |
| 1136 | 408 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 976 | 409 { |
| 1136 | 410 ngx_mail_ssl_conf_t *scf = conf; |
| 976 | 411 |
| 412 size_t len; | |
| 413 ngx_str_t *value, name, size; | |
| 414 ngx_int_t n; | |
| 415 ngx_uint_t i, j; | |
| 416 | |
| 417 value = cf->args->elts; | |
| 418 | |
| 419 for (i = 1; i < cf->args->nelts; i++) { | |
| 420 | |
| 1778 | 421 if (ngx_strcmp(value[i].data, "off") == 0) { |
| 422 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 423 continue; | |
| 424 } | |
| 425 | |
| 2032 | 426 if (ngx_strcmp(value[i].data, "none") == 0) { |
| 427 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 428 continue; | |
| 429 } | |
| 430 | |
| 976 | 431 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
| 432 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 433 continue; | |
| 434 } | |
| 435 | |
| 436 if (value[i].len > sizeof("builtin:") - 1 | |
| 437 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 438 == 0) | |
| 439 { | |
| 440 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 441 value[i].len - (sizeof("builtin:") - 1)); | |
| 442 | |
| 443 if (n == NGX_ERROR) { | |
| 444 goto invalid; | |
| 445 } | |
| 446 | |
| 447 scf->builtin_session_cache = n; | |
| 448 | |
| 449 continue; | |
| 450 } | |
| 451 | |
| 452 if (value[i].len > sizeof("shared:") - 1 | |
| 453 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 454 == 0) | |
| 455 { | |
| 456 len = 0; | |
| 457 | |
| 458 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 459 if (value[i].data[j] == ':') { | |
| 460 break; | |
| 461 } | |
| 462 | |
| 463 len++; | |
| 464 } | |
| 465 | |
| 466 if (len == 0) { | |
| 467 goto invalid; | |
| 468 } | |
| 469 | |
| 470 name.len = len; | |
| 471 name.data = value[i].data + sizeof("shared:") - 1; | |
| 472 | |
| 473 size.len = value[i].len - j - 1; | |
| 474 size.data = name.data + len + 1; | |
| 475 | |
| 476 n = ngx_parse_size(&size); | |
| 477 | |
| 478 if (n == NGX_ERROR) { | |
| 479 goto invalid; | |
| 480 } | |
| 481 | |
| 482 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 483 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 484 "session cache \"%V\" is too small", | |
| 485 &value[i]); | |
| 486 | |
| 487 return NGX_CONF_ERROR; | |
| 488 } | |
| 489 | |
| 490 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 1136 | 491 &ngx_mail_ssl_module); |
| 976 | 492 if (scf->shm_zone == NULL) { |
| 493 return NGX_CONF_ERROR; | |
| 494 } | |
| 495 | |
|
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
496 scf->shm_zone->init = ngx_ssl_session_cache_init; |
|
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
497 |
| 976 | 498 continue; |
| 499 } | |
| 500 | |
| 501 goto invalid; | |
| 502 } | |
| 503 | |
| 504 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 505 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 506 } | |
| 507 | |
| 508 return NGX_CONF_OK; | |
| 509 | |
| 510 invalid: | |
| 511 | |
| 512 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 513 "invalid session cache \"%V\"", &value[i]); | |
| 514 | |
| 515 return NGX_CONF_ERROR; | |
| 516 } |