Mercurial > hg > nginx
annotate src/mail/ngx_mail_ssl_module.c @ 6553:2014ed60f17f
SSL: support for multiple curves (ticket #885).
OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported. This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.
The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used". For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used. The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).
As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 19 May 2016 14:46:32 +0300 |
| parents | 51e1f047d15d |
| children | 04d8d1f85649 |
| rev | line source |
|---|---|
| 539 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
| 539 | 5 */ |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 1136 | 10 #include <ngx_mail.h> |
| 539 | 11 |
| 12 | |
| 3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
14 #define NGX_DEFAULT_ECDH_CURVE "auto" |
| 539 | 15 |
| 16 | |
| 1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
| 18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
| 2224 | 19 |
| 20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 21 void *conf); | |
| 22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 23 void *conf); | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
24 static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
25 void *conf); |
| 1136 | 26 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
| 976 | 27 void *conf); |
| 539 | 28 |
| 29 | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
30 static ngx_conf_enum_t ngx_mail_starttls_state[] = { |
| 1136 | 31 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF }, |
| 32 { ngx_string("on"), NGX_MAIL_STARTTLS_ON }, | |
| 33 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY }, | |
| 583 | 34 { ngx_null_string, 0 } |
| 35 }; | |
| 36 | |
| 37 | |
| 38 | |
| 1136 | 39 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = { |
| 547 | 40 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 41 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 42 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
43 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
44 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
| 547 | 45 { ngx_null_string, 0 } |
| 46 }; | |
| 47 | |
| 48 | |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
49 static ngx_conf_enum_t ngx_mail_ssl_verify[] = { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
50 { ngx_string("off"), 0 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
51 { ngx_string("on"), 1 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
52 { ngx_string("optional"), 2 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
53 { ngx_string("optional_no_ca"), 3 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
54 { ngx_null_string, 0 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
55 }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
56 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
57 |
| 1136 | 58 static ngx_command_t ngx_mail_ssl_commands[] = { |
| 539 | 59 |
| 60 { ngx_string("ssl"), | |
| 1136 | 61 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 2224 | 62 ngx_mail_ssl_enable, |
| 1136 | 63 NGX_MAIL_SRV_CONF_OFFSET, |
| 64 offsetof(ngx_mail_ssl_conf_t, enable), | |
| 539 | 65 NULL }, |
| 66 | |
| 583 | 67 { ngx_string("starttls"), |
| 1136 | 68 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 2224 | 69 ngx_mail_ssl_starttls, |
| 1136 | 70 NGX_MAIL_SRV_CONF_OFFSET, |
| 71 offsetof(ngx_mail_ssl_conf_t, starttls), | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
72 ngx_mail_starttls_state }, |
| 583 | 73 |
| 539 | 74 { ngx_string("ssl_certificate"), |
| 1136 | 75 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
76 ngx_conf_set_str_array_slot, |
| 1136 | 77 NGX_MAIL_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
78 offsetof(ngx_mail_ssl_conf_t, certificates), |
| 539 | 79 NULL }, |
| 80 | |
| 81 { ngx_string("ssl_certificate_key"), | |
| 1136 | 82 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
83 ngx_conf_set_str_array_slot, |
| 1136 | 84 NGX_MAIL_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
85 offsetof(ngx_mail_ssl_conf_t, certificate_keys), |
| 539 | 86 NULL }, |
| 87 | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
88 { ngx_string("ssl_password_file"), |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
89 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
90 ngx_mail_ssl_password_file, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
91 NGX_MAIL_SRV_CONF_OFFSET, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
92 0, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
93 NULL }, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
94 |
| 2044 | 95 { ngx_string("ssl_dhparam"), |
| 96 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 97 ngx_conf_set_str_slot, | |
| 98 NGX_MAIL_SRV_CONF_OFFSET, | |
| 99 offsetof(ngx_mail_ssl_conf_t, dhparam), | |
| 100 NULL }, | |
| 101 | |
| 3960 | 102 { ngx_string("ssl_ecdh_curve"), |
| 103 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 104 ngx_conf_set_str_slot, | |
| 105 NGX_MAIL_SRV_CONF_OFFSET, | |
| 106 offsetof(ngx_mail_ssl_conf_t, ecdh_curve), | |
| 107 NULL }, | |
| 108 | |
| 547 | 109 { ngx_string("ssl_protocols"), |
| 1136 | 110 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, |
| 547 | 111 ngx_conf_set_bitmask_slot, |
| 1136 | 112 NGX_MAIL_SRV_CONF_OFFSET, |
| 113 offsetof(ngx_mail_ssl_conf_t, protocols), | |
| 114 &ngx_mail_ssl_protocols }, | |
| 547 | 115 |
| 539 | 116 { ngx_string("ssl_ciphers"), |
| 1136 | 117 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 118 ngx_conf_set_str_slot, |
| 1136 | 119 NGX_MAIL_SRV_CONF_OFFSET, |
| 120 offsetof(ngx_mail_ssl_conf_t, ciphers), | |
| 539 | 121 NULL }, |
| 122 | |
| 547 | 123 { ngx_string("ssl_prefer_server_ciphers"), |
| 1136 | 124 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 547 | 125 ngx_conf_set_flag_slot, |
| 1136 | 126 NGX_MAIL_SRV_CONF_OFFSET, |
| 127 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers), | |
| 547 | 128 NULL }, |
| 563 | 129 |
| 976 | 130 { ngx_string("ssl_session_cache"), |
| 1136 | 131 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
| 132 ngx_mail_ssl_session_cache, | |
| 133 NGX_MAIL_SRV_CONF_OFFSET, | |
| 976 | 134 0, |
| 135 NULL }, | |
| 136 | |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
137 { ngx_string("ssl_session_tickets"), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
138 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
139 ngx_conf_set_flag_slot, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
140 NGX_MAIL_SRV_CONF_OFFSET, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
141 offsetof(ngx_mail_ssl_conf_t, session_tickets), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
142 NULL }, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
143 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
144 { ngx_string("ssl_session_ticket_key"), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
145 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
146 ngx_conf_set_str_array_slot, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
147 NGX_MAIL_SRV_CONF_OFFSET, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
148 offsetof(ngx_mail_ssl_conf_t, session_ticket_keys), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
149 NULL }, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
150 |
| 573 | 151 { ngx_string("ssl_session_timeout"), |
| 1136 | 152 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 573 | 153 ngx_conf_set_sec_slot, |
| 1136 | 154 NGX_MAIL_SRV_CONF_OFFSET, |
| 155 offsetof(ngx_mail_ssl_conf_t, session_timeout), | |
| 573 | 156 NULL }, |
| 547 | 157 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
158 { ngx_string("ssl_verify_client"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
159 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
160 ngx_conf_set_enum_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
161 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
162 offsetof(ngx_mail_ssl_conf_t, verify), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
163 &ngx_mail_ssl_verify }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
164 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
165 { ngx_string("ssl_verify_depth"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
166 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
167 ngx_conf_set_num_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
168 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
169 offsetof(ngx_mail_ssl_conf_t, verify_depth), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
170 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
171 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
172 { ngx_string("ssl_client_certificate"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
173 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
174 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
175 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
176 offsetof(ngx_mail_ssl_conf_t, client_certificate), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
177 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
178 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
179 { ngx_string("ssl_trusted_certificate"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
180 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
181 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
182 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
183 offsetof(ngx_mail_ssl_conf_t, trusted_certificate), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
184 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
185 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
186 { ngx_string("ssl_crl"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
187 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
188 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
189 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
190 offsetof(ngx_mail_ssl_conf_t, crl), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
191 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
192 |
| 539 | 193 ngx_null_command |
| 194 }; | |
| 195 | |
| 196 | |
| 1136 | 197 static ngx_mail_module_t ngx_mail_ssl_module_ctx = { |
|
1487
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
198 NULL, /* protocol */ |
|
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
199 |
| 539 | 200 NULL, /* create main configuration */ |
| 201 NULL, /* init main configuration */ | |
| 202 | |
| 1136 | 203 ngx_mail_ssl_create_conf, /* create server configuration */ |
| 204 ngx_mail_ssl_merge_conf /* merge server configuration */ | |
| 539 | 205 }; |
| 206 | |
| 207 | |
| 1136 | 208 ngx_module_t ngx_mail_ssl_module = { |
| 539 | 209 NGX_MODULE_V1, |
| 1136 | 210 &ngx_mail_ssl_module_ctx, /* module context */ |
| 211 ngx_mail_ssl_commands, /* module directives */ | |
| 212 NGX_MAIL_MODULE, /* module type */ | |
| 541 | 213 NULL, /* init master */ |
| 539 | 214 NULL, /* init module */ |
| 541 | 215 NULL, /* init process */ |
| 216 NULL, /* init thread */ | |
| 217 NULL, /* exit thread */ | |
| 218 NULL, /* exit process */ | |
| 219 NULL, /* exit master */ | |
| 220 NGX_MODULE_V1_PADDING | |
| 539 | 221 }; |
| 222 | |
| 223 | |
| 1136 | 224 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL"); |
| 543 | 225 |
| 226 | |
| 539 | 227 static void * |
| 1136 | 228 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
| 577 | 229 { |
| 1136 | 230 ngx_mail_ssl_conf_t *scf; |
| 577 | 231 |
| 1136 | 232 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
| 539 | 233 if (scf == NULL) { |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
234 return NULL; |
| 539 | 235 } |
| 236 | |
| 237 /* | |
| 577 | 238 * set by ngx_pcalloc(): |
| 539 | 239 * |
| 547 | 240 * scf->protocols = 0; |
| 2044 | 241 * scf->dhparam = { 0, NULL }; |
| 3960 | 242 * scf->ecdh_curve = { 0, NULL }; |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
243 * scf->client_certificate = { 0, NULL }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
244 * scf->trusted_certificate = { 0, NULL }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
245 * scf->crl = { 0, NULL }; |
|
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
246 * scf->ciphers = { 0, NULL }; |
| 976 | 247 * scf->shm_zone = NULL; |
| 539 | 248 */ |
| 249 | |
| 250 scf->enable = NGX_CONF_UNSET; | |
| 2759 | 251 scf->starttls = NGX_CONF_UNSET_UINT; |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
252 scf->certificates = NGX_CONF_UNSET_PTR; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
253 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
254 scf->passwords = NGX_CONF_UNSET_PTR; |
| 976 | 255 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
256 scf->verify = NGX_CONF_UNSET_UINT; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
257 scf->verify_depth = NGX_CONF_UNSET_UINT; |
| 976 | 258 scf->builtin_session_cache = NGX_CONF_UNSET; |
| 573 | 259 scf->session_timeout = NGX_CONF_UNSET; |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
260 scf->session_tickets = NGX_CONF_UNSET; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
261 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 539 | 262 |
| 263 return scf; | |
| 264 } | |
| 265 | |
| 266 | |
| 267 static char * | |
| 1136 | 268 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
| 539 | 269 { |
| 1136 | 270 ngx_mail_ssl_conf_t *prev = parent; |
| 271 ngx_mail_ssl_conf_t *conf = child; | |
| 539 | 272 |
| 2224 | 273 char *mode; |
| 563 | 274 ngx_pool_cleanup_t *cln; |
| 275 | |
| 539 | 276 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
| 2224 | 277 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
| 278 NGX_MAIL_STARTTLS_OFF); | |
| 539 | 279 |
| 573 | 280 ngx_conf_merge_value(conf->session_timeout, |
| 281 prev->session_timeout, 300); | |
| 282 | |
| 547 | 283 ngx_conf_merge_value(conf->prefer_server_ciphers, |
| 284 prev->prefer_server_ciphers, 0); | |
| 285 | |
| 286 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6035
diff
changeset
|
287 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
288 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 547 | 289 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
290 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
291 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
292 |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
293 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
294 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
295 NULL); |
| 539 | 296 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
297 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
298 |
| 2044 | 299 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
| 300 | |
| 3960 | 301 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 302 NGX_DEFAULT_ECDH_CURVE); | |
| 303 | |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
304 ngx_conf_merge_str_value(conf->client_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
305 prev->client_certificate, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
306 ngx_conf_merge_str_value(conf->trusted_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
307 prev->trusted_certificate, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
308 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
309 |
| 2124 | 310 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 539 | 311 |
| 312 | |
| 547 | 313 conf->ssl.log = cf->log; |
| 539 | 314 |
| 2224 | 315 if (conf->enable) { |
| 6474 | 316 mode = "ssl"; |
| 2224 | 317 |
| 318 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
| 6474 | 319 mode = "starttls"; |
| 2224 | 320 |
| 321 } else { | |
| 6474 | 322 mode = ""; |
| 2224 | 323 } |
| 324 | |
|
5401
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
325 if (conf->file == NULL) { |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
326 conf->file = prev->file; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
327 conf->line = prev->line; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
328 } |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
329 |
| 2224 | 330 if (*mode) { |
| 331 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
332 if (conf->certificates == NULL) { |
| 2224 | 333 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 334 "no \"ssl_certificate\" is defined for " | |
| 335 "the \"%s\" directive in %s:%ui", | |
| 336 mode, conf->file, conf->line); | |
| 337 return NGX_CONF_ERROR; | |
| 338 } | |
| 339 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
340 if (conf->certificate_keys == NULL) { |
| 2224 | 341 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 342 "no \"ssl_certificate_key\" is defined for " | |
| 343 "the \"%s\" directive in %s:%ui", | |
| 344 mode, conf->file, conf->line); | |
| 345 return NGX_CONF_ERROR; | |
| 346 } | |
| 347 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
348 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
349 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
350 "no \"ssl_certificate_key\" is defined " |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
351 "for certificate \"%V\" and " |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
352 "the \"ssl\" directive in %s:%ui", |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
353 ((ngx_str_t *) conf->certificates->elts) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
354 + conf->certificates->nelts - 1, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
355 conf->file, conf->line); |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
356 return NGX_CONF_ERROR; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
357 } |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
358 |
| 2224 | 359 } else { |
| 360 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
361 if (conf->certificates == NULL) { |
| 2224 | 362 return NGX_CONF_OK; |
| 363 } | |
| 364 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
365 if (conf->certificate_keys == NULL |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
366 || conf->certificate_keys->nelts < conf->certificates->nelts) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
367 { |
| 2224 | 368 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 369 "no \"ssl_certificate_key\" is defined " | |
| 370 "for certificate \"%V\"", | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
371 ((ngx_str_t *) conf->certificates->elts) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
372 + conf->certificates->nelts - 1); |
| 2224 | 373 return NGX_CONF_ERROR; |
| 374 } | |
| 375 } | |
| 376 | |
| 969 | 377 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 539 | 378 return NGX_CONF_ERROR; |
| 379 } | |
| 380 | |
| 563 | 381 cln = ngx_pool_cleanup_add(cf->pool, 0); |
| 382 if (cln == NULL) { | |
| 539 | 383 return NGX_CONF_ERROR; |
| 384 } | |
| 385 | |
| 563 | 386 cln->handler = ngx_ssl_cleanup_ctx; |
| 387 cln->data = &conf->ssl; | |
| 388 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
389 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
390 conf->certificate_keys, conf->passwords) |
| 563 | 391 != NGX_OK) |
| 547 | 392 { |
| 393 return NGX_CONF_ERROR; | |
| 394 } | |
| 539 | 395 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
396 if (conf->verify) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
397 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
398 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
399 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
400 "no ssl_client_certificate for ssl_client_verify"); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
401 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
402 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
403 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
404 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
405 &conf->client_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
406 conf->verify_depth) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
407 != NGX_OK) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
408 { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
409 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
410 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
411 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
412 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
413 &conf->trusted_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
414 conf->verify_depth) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
415 != NGX_OK) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
416 { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
417 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
418 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
419 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
420 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
421 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
422 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
423 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
424 |
|
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
425 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
426 (const char *) conf->ciphers.data) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
427 == 0) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
428 { |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
429 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
430 "SSL_CTX_set_cipher_list(\"%V\") failed", |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
431 &conf->ciphers); |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
432 return NGX_CONF_ERROR; |
| 539 | 433 } |
| 434 | |
| 563 | 435 if (conf->prefer_server_ciphers) { |
| 436 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
| 437 } | |
| 438 | |
|
6489
c256dfdd469d
SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6474
diff
changeset
|
439 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) |
|
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3938
diff
changeset
|
440 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
|
6035
a84267233877
SSL: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5989
diff
changeset
|
441 #endif |
| 539 | 442 |
| 2044 | 443 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 444 return NGX_CONF_ERROR; | |
| 445 } | |
| 446 | |
|
5219
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
447 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
448 return NGX_CONF_ERROR; |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
449 } |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
450 |
| 976 | 451 ngx_conf_merge_value(conf->builtin_session_cache, |
| 2032 | 452 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
| 976 | 453 |
| 454 if (conf->shm_zone == NULL) { | |
| 455 conf->shm_zone = prev->shm_zone; | |
| 456 } | |
| 539 | 457 |
| 1136 | 458 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
| 976 | 459 conf->builtin_session_cache, |
| 460 conf->shm_zone, conf->session_timeout) | |
| 461 != NGX_OK) | |
| 462 { | |
| 463 return NGX_CONF_ERROR; | |
| 464 } | |
| 573 | 465 |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
466 ngx_conf_merge_value(conf->session_tickets, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
467 prev->session_tickets, 1); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
468 |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
469 #ifdef SSL_OP_NO_TICKET |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
470 if (!conf->session_tickets) { |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
471 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
472 } |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
473 #endif |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
474 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
475 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
476 prev->session_ticket_keys, NULL); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
477 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
478 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
479 != NGX_OK) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
480 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
481 return NGX_CONF_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
482 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
483 |
| 539 | 484 return NGX_CONF_OK; |
| 485 } | |
| 563 | 486 |
| 577 | 487 |
| 976 | 488 static char * |
| 2224 | 489 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 490 { | |
| 491 ngx_mail_ssl_conf_t *scf = conf; | |
| 492 | |
| 493 char *rv; | |
| 494 | |
| 495 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
| 496 | |
| 497 if (rv != NGX_CONF_OK) { | |
| 498 return rv; | |
| 499 } | |
| 500 | |
| 501 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 502 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 503 "\"starttls\" directive conflicts with \"ssl on\""); | |
| 504 return NGX_CONF_ERROR; | |
| 505 } | |
| 506 | |
| 507 scf->file = cf->conf_file->file.name.data; | |
| 508 scf->line = cf->conf_file->line; | |
| 509 | |
| 510 return NGX_CONF_OK; | |
| 511 } | |
| 512 | |
| 513 | |
| 514 static char * | |
| 515 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 516 { | |
| 517 ngx_mail_ssl_conf_t *scf = conf; | |
| 518 | |
| 519 char *rv; | |
| 520 | |
| 521 rv = ngx_conf_set_enum_slot(cf, cmd, conf); | |
| 522 | |
| 523 if (rv != NGX_CONF_OK) { | |
| 524 return rv; | |
| 525 } | |
| 526 | |
| 527 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 528 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 529 "\"ssl\" directive conflicts with \"starttls\""); | |
| 530 return NGX_CONF_ERROR; | |
| 531 } | |
| 532 | |
| 533 scf->file = cf->conf_file->file.name.data; | |
| 534 scf->line = cf->conf_file->line; | |
| 535 | |
| 536 return NGX_CONF_OK; | |
| 537 } | |
| 538 | |
| 539 | |
| 540 static char * | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
541 ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
542 { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
543 ngx_mail_ssl_conf_t *scf = conf; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
544 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
545 ngx_str_t *value; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
546 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
547 if (scf->passwords != NGX_CONF_UNSET_PTR) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
548 return "is duplicate"; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
549 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
550 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
551 value = cf->args->elts; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
552 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
553 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
554 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
555 if (scf->passwords == NULL) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
556 return NGX_CONF_ERROR; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
557 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
558 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
559 return NGX_CONF_OK; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
560 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
561 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
562 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
563 static char * |
| 1136 | 564 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 976 | 565 { |
| 1136 | 566 ngx_mail_ssl_conf_t *scf = conf; |
| 976 | 567 |
| 568 size_t len; | |
| 569 ngx_str_t *value, name, size; | |
| 570 ngx_int_t n; | |
| 571 ngx_uint_t i, j; | |
| 572 | |
| 573 value = cf->args->elts; | |
| 574 | |
| 575 for (i = 1; i < cf->args->nelts; i++) { | |
| 576 | |
| 1778 | 577 if (ngx_strcmp(value[i].data, "off") == 0) { |
| 578 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 579 continue; | |
| 580 } | |
| 581 | |
| 2032 | 582 if (ngx_strcmp(value[i].data, "none") == 0) { |
| 583 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 584 continue; | |
| 585 } | |
| 586 | |
| 976 | 587 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
| 588 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 589 continue; | |
| 590 } | |
| 591 | |
| 592 if (value[i].len > sizeof("builtin:") - 1 | |
| 593 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 594 == 0) | |
| 595 { | |
| 596 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 597 value[i].len - (sizeof("builtin:") - 1)); | |
| 598 | |
| 599 if (n == NGX_ERROR) { | |
| 600 goto invalid; | |
| 601 } | |
| 602 | |
| 603 scf->builtin_session_cache = n; | |
| 604 | |
| 605 continue; | |
| 606 } | |
| 607 | |
| 608 if (value[i].len > sizeof("shared:") - 1 | |
| 609 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 610 == 0) | |
| 611 { | |
| 612 len = 0; | |
| 613 | |
| 614 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 615 if (value[i].data[j] == ':') { | |
| 616 break; | |
| 617 } | |
| 618 | |
| 619 len++; | |
| 620 } | |
| 621 | |
| 622 if (len == 0) { | |
| 623 goto invalid; | |
| 624 } | |
| 625 | |
| 626 name.len = len; | |
| 627 name.data = value[i].data + sizeof("shared:") - 1; | |
| 628 | |
| 629 size.len = value[i].len - j - 1; | |
| 630 size.data = name.data + len + 1; | |
| 631 | |
| 632 n = ngx_parse_size(&size); | |
| 633 | |
| 634 if (n == NGX_ERROR) { | |
| 635 goto invalid; | |
| 636 } | |
| 637 | |
| 638 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 639 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 640 "session cache \"%V\" is too small", | |
| 641 &value[i]); | |
| 642 | |
| 643 return NGX_CONF_ERROR; | |
| 644 } | |
| 645 | |
| 646 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 1136 | 647 &ngx_mail_ssl_module); |
| 976 | 648 if (scf->shm_zone == NULL) { |
| 649 return NGX_CONF_ERROR; | |
| 650 } | |
| 651 | |
|
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
652 scf->shm_zone->init = ngx_ssl_session_cache_init; |
|
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
653 |
| 976 | 654 continue; |
| 655 } | |
| 656 | |
| 657 goto invalid; | |
| 658 } | |
| 659 | |
| 660 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 661 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 662 } | |
| 663 | |
| 664 return NGX_CONF_OK; | |
| 665 | |
| 666 invalid: | |
| 667 | |
| 668 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 669 "invalid session cache \"%V\"", &value[i]); | |
| 670 | |
| 671 return NGX_CONF_ERROR; | |
| 672 } |