annotate src/stream/ngx_stream_ssl_module.c @ 6553:2014ed60f17f
SSL: support for multiple curves (ticket #885).
OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported. This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.
The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used". For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used. The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).
As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | 51e1f047d15d |
children | 04d8d1f85649 |
rev | line source |
---|---|
6115 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> | |
11 | |
12 | |
13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" | |
14 #define NGX_DEFAULT_ECDH_CURVE "auto" |
6115 | 15 |
16 | |
17 static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf); | |
18 static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, | |
19 void *child); | |
20 | |
21 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | |
22 void *conf); | |
23 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
24 void *conf); | |
25 | |
26 | |
/*
 * Protocol names accepted by the "ssl_protocols" directive and the
 * NGX_SSL_* bit each one sets in ngx_stream_ssl_conf_t.protocols.
 *
 * "SSLv2" and "SSLv3" are still accepted as values here.  They are not
 * part of the default mask applied in ngx_stream_ssl_merge_conf()
 * (TLSv1, TLSv1.1 and TLSv1.2), so either one is enabled only when a
 * configuration names it explicitly.  Both are obsolete protocols; a
 * configuration review should treat their presence as a finding.
 */
static ngx_conf_bitmask_t  ngx_stream_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_null_string, 0 }
};
35 | |
36 | |
/*
 * Directives provided by the stream SSL module.
 *
 * Every directive is allowed at the stream main and server levels and is
 * stored through NGX_STREAM_SRV_CONF_OFFSET in ngx_stream_ssl_conf_t.
 * Entries whose field offset is 0 ("ssl_password_file" and
 * "ssl_session_cache") are parsed by a handler from this file instead of
 * a generic ngx_conf_set_*_slot function.
 */
static ngx_command_t  ngx_stream_ssl_commands[] = {

    { ngx_string("ssl_handshake_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_msec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, handshake_timeout),
      NULL },

    /*
     * "ssl_certificate" and "ssl_certificate_key" are collected into
     * arrays; ngx_stream_ssl_merge_conf() rejects a configuration that
     * has fewer keys than certificates.
     */
    { ngx_string("ssl_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificates),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificate_keys),
      NULL },

    { ngx_string("ssl_password_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_ssl_password_file,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, dhparam),
      NULL },

    /* defaults to NGX_DEFAULT_ECDH_CURVE ("auto") when left unset */
    { ngx_string("ssl_ecdh_curve"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ecdh_curve),
      NULL },

    /* one or more names from ngx_stream_ssl_protocols[] */
    { ngx_string("ssl_protocols"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, protocols),
      &ngx_stream_ssl_protocols },

    /* defaults to NGX_DEFAULT_CIPHERS when left unset */
    { ngx_string("ssl_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ciphers),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers),
      NULL },

    { ngx_string("ssl_session_cache"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12,
      ngx_stream_ssl_session_cache,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_tickets),
      NULL },

    { ngx_string("ssl_session_ticket_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_ticket_keys),
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_timeout),
      NULL },

      ngx_null_command
};
132 | |
133 | |
/*
 * Stream module context: the module has no postconfiguration step and no
 * main-level configuration of its own; it only creates and merges the
 * per-server SSL configuration.
 */
static ngx_stream_module_t  ngx_stream_ssl_module_ctx = {
    NULL,                                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_stream_ssl_create_conf,            /* create server configuration */
    ngx_stream_ssl_merge_conf              /* merge server configuration */
};
143 | |
144 | |
/*
 * Module definition.  All work is done while the configuration is parsed
 * and merged; none of the process or thread lifecycle hooks is used.
 */
ngx_module_t  ngx_stream_ssl_module = {
    NGX_MODULE_V1,
    &ngx_stream_ssl_module_ctx,            /* module context */
    ngx_stream_ssl_commands,               /* module directives */
    NGX_STREAM_MODULE,                     /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
159 | |
160 | |
/*
 * Session id context string passed to ngx_ssl_session_cache() by
 * ngx_stream_ssl_merge_conf(); the same value is used for every stream
 * server block.
 */
static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM");
162 | |
163 | |
/*
 * Allocates the per-server stream SSL configuration from cf->pool.
 *
 * ngx_pcalloc() hands back zeroed memory, which already leaves
 * protocols at 0, dhparam, ecdh_curve and ciphers as empty strings and
 * shm_zone at NULL.  Every other field is set to its NGX_CONF_UNSET*
 * sentinel so that later code can tell "not configured" from a real
 * value (ngx_stream_ssl_password_file() relies on this to detect a
 * duplicate directive).
 *
 * Returns the new configuration, or NULL if the allocation fails.
 */
static void *
ngx_stream_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_stream_ssl_conf_t  *sscf;

    sscf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t));

    if (sscf != NULL) {
        /* pointer-valued settings */
        sscf->certificates = NGX_CONF_UNSET_PTR;
        sscf->certificate_keys = NGX_CONF_UNSET_PTR;
        sscf->passwords = NGX_CONF_UNSET_PTR;
        sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;

        /* flags, numbers and timeouts */
        sscf->handshake_timeout = NGX_CONF_UNSET_MSEC;
        sscf->session_timeout = NGX_CONF_UNSET;
        sscf->prefer_server_ciphers = NGX_CONF_UNSET;
        sscf->builtin_session_cache = NGX_CONF_UNSET;
        sscf->session_tickets = NGX_CONF_UNSET;
    }

    return sscf;
}
196 | |
197 | |
/*
 * Merges the parent (stream main level) SSL settings into a server block
 * and, when the server has certificates, builds its SSL context.
 *
 * Statement order matters: the context is created first, then
 * certificates, ciphers, options, DH parameters, curves, the session
 * cache and ticket keys are applied to it, and any failure aborts
 * configuration loading.
 *
 * Returns NGX_CONF_OK on success (including the "no certificates" case)
 * and NGX_CONF_ERROR on any failure.
 */
static char *
ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_stream_ssl_conf_t *prev = parent;
    ngx_stream_ssl_conf_t *conf = child;

    ngx_pool_cleanup_t  *cln;

    /* default handshake timeout: 60000 ms */
    ngx_conf_merge_msec_value(conf->handshake_timeout,
                         prev->handshake_timeout, 60000);

    /* default session timeout: 300 */
    ngx_conf_merge_value(conf->session_timeout,
                         prev->session_timeout, 300);

    /* server cipher preference is off unless configured */
    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /*
     * Default protocol set is TLSv1, TLSv1.1 and TLSv1.2; SSLv2 and
     * SSLv3 are enabled only if "ssl_protocols" lists them.
     */
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

    ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
    ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
                         NULL);

    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

    ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                         NGX_DEFAULT_ECDH_CURVE);

    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);


    conf->ssl.log = cf->log;

    /*
     * No certificates: no SSL context is created for this server.  The
     * session cache, session ticket and ticket key settings further down
     * are not merged in this case either.
     */
    if (conf->certificates == NULL) {
        return NGX_CONF_OK;
    }

    /*
     * Every certificate needs a key.  The message names the last
     * configured certificate, whichever one actually lacks a key.
     */
    if (conf->certificate_keys == NULL
        || conf->certificate_keys->nelts < conf->certificates->nelts)
    {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined "
                      "for certificate \"%V\"",
                      ((ngx_str_t *) conf->certificates->elts)
                      + conf->certificates->nelts - 1);
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /*
     * Register ngx_ssl_cleanup_ctx on the configuration pool right after
     * the context exists, before any step below can fail (presumably it
     * releases the SSL_CTX when the pool is destroyed -- confirm in
     * ngx_event_openssl.c).
     */
    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

    if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
                             conf->certificate_keys, conf->passwords)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /* an unparsable or empty cipher selection is a hard error */
    if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
                                (const char *) conf->ciphers.data)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "SSL_CTX_set_cipher_list(\"%V\") failed",
                      &conf->ciphers);
        return NGX_CONF_ERROR;
    }

    /*
     * Per the description of changeset 6553, the same OpenSSL option
     * decides client vs. server preference for curves as well, so
     * "ssl_prefer_server_ciphers" controls both.
     */
    if (conf->prefer_server_ciphers) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
    }

    /*
     * Compiled only for OpenSSL before 1.1.0 and never for LibreSSL.
     * NOTE(review): going by its name the callback supplies a 512-bit
     * temporary RSA key -- confirm against ngx_event_openssl.c.
     */
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
    SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
#endif

    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    ngx_conf_merge_value(conf->builtin_session_cache,
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

    /* inherit the parent's shared zone when this level defines none */
    if (conf->shm_zone == NULL) {
        conf->shm_zone = prev->shm_zone;
    }

    if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
                              conf->builtin_session_cache,
                              conf->shm_zone, conf->session_timeout)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /* session tickets are enabled unless "ssl_session_tickets off" */
    ngx_conf_merge_value(conf->session_tickets,
                         prev->session_tickets, 1);

    /*
     * When the OpenSSL headers lack SSL_OP_NO_TICKET this block is
     * compiled out and the "off" setting has no effect here.
     */
#ifdef SSL_OP_NO_TICKET
    if (!conf->session_tickets) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
    }
#endif

    ngx_conf_merge_ptr_value(conf->session_ticket_keys,
                         prev->session_ticket_keys, NULL);

    if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}
330 | |
331 | |
/*
 * Handler for the "ssl_password_file" directive.
 *
 * Loads the file named by the directive's argument through
 * ngx_ssl_read_password_file() and stores the result in
 * ngx_stream_ssl_conf_t.passwords.
 *
 * Returns NGX_CONF_OK on success, the string "is duplicate" when the
 * directive was already seen at this level, and NGX_CONF_ERROR when the
 * file could not be read.
 */
static char *
ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_str_t              *args;
    ngx_stream_ssl_conf_t  *sscf;

    sscf = conf;

    /* anything but the "unset" sentinel means the directive was repeated */
    if (sscf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    /* the file name is the element after the directive name */
    args = cf->args->elts;

    sscf->passwords = ngx_ssl_read_password_file(cf, args + 1);

    if (sscf->passwords != NULL) {
        return NGX_CONF_OK;
    }

    return NGX_CONF_ERROR;
}
353 | |
354 | |
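/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Each argument is one of:
 *   "off"               - NGX_SSL_NO_SCACHE
 *   "none"              - NGX_SSL_NONE_SCACHE
 *   "builtin"           - NGX_SSL_DFLT_BUILTIN_SCACHE
 *   "builtin:<number>"  - builtin cache with the given number
 *   "shared:<name>:<size>" - shared memory zone; the size must be at
 *                         least 8 pages
 *
 * When a shared zone is configured and no builtin setting was given,
 * the builtin cache is set to NGX_SSL_NO_BUILTIN_SCACHE.
 *
 * Returns NGX_CONF_OK on success and NGX_CONF_ERROR after logging the
 * reason for any argument that is malformed or too small.
 */
static char *
ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_ssl_conf_t *scf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            scf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            len = 0;

            /* the zone name runs up to the next ':' */
            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /*
             * Reject an empty name and also an argument with no second
             * ':' at all ("shared:name").  In the latter case j equals
             * value[i].len, so the size computed below would wrap to a
             * huge unsigned length and point past the end of the
             * argument, and the size parser would read outside it.
             */
            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            /* everything after the separator is the zone size */
            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_stream_ssl_module);
            if (scf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            scf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    /* a shared zone alone implies that the builtin cache is not used */
    if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
        scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}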