annotate src/stream/ngx_stream_ssl_module.c @ 7973:3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
The variable contains a negotiated curve used for the handshake key
exchange process. Known curves are listed by their names, unknown
ones are shown in hex.
Note that for resumed sessions in TLSv1.2 and older protocols,
$ssl_curve contains the curve used during the initial handshake,
while in TLSv1.3 it contains the curve used during the session
resumption (see the SSL_get_negotiated_group manual page for
details).
The variable is only meaningful when using OpenSSL 3.0 and above.
With older versions the variable is empty.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 01 Nov 2021 18:09:34 +0300 |
parents | 46a02ed7c966 |
children | e32b48848add 5c86189a1c1b |
6115 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> | |
11 | |
12 | |
/*
 * Signature of the value getters referenced from ngx_stream_ssl_vars below
 * (the ngx_ssl_get_* functions stored in each entry's data field):
 * presumably called with the session's connection and pool and expected
 * to fill s -- the call site is in the handlers defined past this point.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);


/*
 * Fallbacks presumably applied when "ssl_ciphers" / "ssl_ecdh_curve" are
 * not set (the merge code is outside the visible part of the file).  The
 * cipher list uses OpenSSL syntax: "HIGH" strength suites, excluding
 * unauthenticated (aNULL) and MD5-based ones.
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "auto"


/* per-session handshake path */
static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
    ngx_connection_t *c);
static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);

/*
 * OpenSSL callbacks; each is declared only when the library headers
 * define the corresponding feature macro (SNI, ALPN, certificate
 * callback), so builds against older libraries compile without them.
 */
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
static int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad,
    void *arg);
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
static int ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
    const unsigned char **out, unsigned char *outlen,
    const unsigned char *in, unsigned int inlen, void *arg);
#endif
#ifdef SSL_R_CERT_CB_ERROR
static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
#endif

/* variable getters used by ngx_stream_ssl_vars (see the table below) */
static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);

/* configuration: variable registration, conf allocation and merging */
static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent,
    void *child);

static ngx_int_t ngx_stream_ssl_compile_certificates(ngx_conf_t *cf,
    ngx_stream_ssl_conf_t *conf);

/* directive-specific parsers (entries with a 0 offset in the table) */
static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

/* post handler for "ssl_conf_command" (see ngx_stream_ssl_conf_command_post) */
static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
    void *data);

static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
/*
 * Keyword-to-bitmask table consumed by ngx_conf_set_bitmask_slot for the
 * "ssl_protocols" directive.  Listing a keyword here only makes it
 * accepted in the configuration; which versions the library actually
 * offers is decided by the SSL setup code outside the visible part of
 * this file.
 */
static ngx_conf_bitmask_t  ngx_stream_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
    { ngx_null_string, 0 }                 /* terminator */
};
/*
 * Values of the "ssl_verify_client" directive (ngx_conf_set_enum_slot);
 * the number is what ends up in the conf's verify field.  The ordering
 * 0..3 is relied upon by the handshake code that enforces the verify
 * result, which is outside the visible part of the file.
 */
static ngx_conf_enum_t  ngx_stream_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }                 /* terminator */
};
/*
 * Post handler attached to the "ssl_conf_command" entry: the check runs
 * after ngx_conf_set_keyval_slot has stored each name/value pair.
 */
static ngx_conf_post_t  ngx_stream_ssl_conf_command_post =
    { ngx_stream_ssl_conf_command_check };
/*
 * Directives of the stream SSL module.  Each entry gives: the directive
 * name; the contexts it may appear in together with its argument-count
 * flag (TAKE1, TAKE2, TAKE12, 1MORE, FLAG); the parser that stores it;
 * the configuration level (server); the ngx_stream_ssl_conf_t field it is
 * written to, or 0 when the parser locates the field itself; and an
 * optional post-processing hook.
 */
static ngx_command_t  ngx_stream_ssl_commands[] = {

    { ngx_string("ssl_handshake_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_msec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, handshake_timeout),
      NULL },

    /*
     * "ssl_certificate" / "ssl_certificate_key" are array slots: every
     * occurrence appends one string, so several certificates can be
     * configured.  The two arrays are presumably paired by position when
     * compiled (see ngx_stream_ssl_compile_certificates).
     */
    { ngx_string("ssl_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificates),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificate_keys),
      NULL },

    /* custom parser; offset unused */
    { ngx_string("ssl_password_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_ssl_password_file,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, dhparam),
      NULL },

    { ngx_string("ssl_ecdh_curve"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ecdh_curve),
      NULL },

    /* one or more keywords from ngx_stream_ssl_protocols, OR-ed together */
    { ngx_string("ssl_protocols"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, protocols),
      &ngx_stream_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ciphers),
      NULL },

    /* client certificate verification: mode, chain depth, CA and CRL files */
    { ngx_string("ssl_verify_client"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, verify),
      &ngx_stream_ssl_verify },

    { ngx_string("ssl_verify_depth"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, verify_depth),
      NULL },

    { ngx_string("ssl_client_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_trusted_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, trusted_certificate),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers),
      NULL },

    /* session resumption: cache (1 or 2 args, custom parser), tickets, keys */
    { ngx_string("ssl_session_cache"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12,
      ngx_stream_ssl_session_cache,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_tickets),
      NULL },

    /* array slot: may be repeated, one key file per occurrence */
    { ngx_string("ssl_session_ticket_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_ticket_keys),
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_timeout),
      NULL },

    { ngx_string("ssl_crl"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, crl),
      NULL },

    /*
     * name/value pairs passed through to the library; the post hook
     * validates each pair after it is stored (see the check declared
     * above)
     */
    { ngx_string("ssl_conf_command"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
      ngx_conf_set_keyval_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, conf_commands),
      &ngx_stream_ssl_conf_command_post },

    /* one or more protocol names; custom parser, offset unused */
    { ngx_string("ssl_alpn"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
      ngx_stream_ssl_alpn,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

      ngx_null_command
};
/*
 * Stream module context: variables are registered before configuration
 * parsing and the module is wired into the stream phases afterwards; only
 * server-level configuration is kept, there is no main configuration.
 */
static ngx_stream_module_t  ngx_stream_ssl_module_ctx = {
    ngx_stream_ssl_add_variables,          /* preconfiguration */
    ngx_stream_ssl_init,                   /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_stream_ssl_create_conf,            /* create server configuration */
    ngx_stream_ssl_merge_conf              /* merge server configuration */
};
/*
 * Module descriptor exported to the core.  No process-lifecycle hooks are
 * installed: all work happens through the context above and the
 * directives table.
 */
ngx_module_t  ngx_stream_ssl_module = {
    NGX_MODULE_V1,
    &ngx_stream_ssl_module_ctx,            /* module context */
    ngx_stream_ssl_commands,               /* module directives */
    NGX_STREAM_MODULE,                     /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
261 static ngx_stream_variable_t ngx_stream_ssl_vars[] = { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
262 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
263 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
264 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
265 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
266 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
267 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
268 |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
269 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
270 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
271 |
7973
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7940
diff
changeset
|
272 { ngx_string("ssl_curve"), NULL, ngx_stream_ssl_variable, |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7940
diff
changeset
|
273 (uintptr_t) ngx_ssl_get_curve, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7940
diff
changeset
|
274 |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
275 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
276 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
277 |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
278 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
279 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
280 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
281 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
282 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
283 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
284 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
285 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
286 |
7935
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7904
diff
changeset
|
287 { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable, |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7904
diff
changeset
|
288 (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7904
diff
changeset
|
289 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
290 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
291 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
292 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
293 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
294 (uintptr_t) ngx_ssl_get_raw_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
295 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
296 |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
297 { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
298 (uintptr_t) ngx_ssl_get_escaped_certificate, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
299 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
300 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
301 { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
302 (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
303 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
304 { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
305 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
306 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
307 { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
308 (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
309 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
310 { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
311 (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
312 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
313 { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
314 (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
315 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
316 { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable, |
317 (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
318 |
319 { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable, |
320 (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
321 |
322 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable, |
323 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
324 |
325 ngx_stream_null_variable |
326 }; |
327 |
328 |
/*
 * Session ID context string for the stream SSL session cache.
 * NOTE(review): its consumer is outside this view (presumably the
 * merge-conf code that configures the session cache) - confirm there
 * before changing the value or renaming it.
 */
static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM");
330 | |
331 | |
/*
 * Refuses the client and drops its cached SSL session first.
 * NOTE(review): the removal is presumably there so that a client which
 * failed certificate checks cannot come back with a resumed session;
 * ngx_ssl_remove_cached_session() itself is outside this view.
 * Always returns NGX_ERROR so callers can "return ngx_stream_ssl_reject_client(c)".
 */
static ngx_int_t
ngx_stream_ssl_reject_client(ngx_connection_t *c)
{
    ngx_ssl_remove_cached_session(c->ssl->session_ctx,
                                  SSL_get0_session(c->ssl->connection));
    return NGX_ERROR;
}


/*
 * Enforces the client certificate verification result for a connection whose
 * handshake has completed.  Levels of sslcf->verify as used here:
 *
 *   1          a client certificate is required and must verify;
 *   3          errors accepted by ngx_ssl_verify_error_optional() are
 *              tolerated, and the certificate itself is optional;
 *   otherwise  the certificate is optional, but if one was sent it must
 *              verify.
 *
 * NOTE(review): these look like the on/optional/optional_no_ca values of the
 * ssl_verify_client directive - confirm against the directive parser, which
 * is outside this view.
 *
 * Returns NGX_OK when the client is acceptable, NGX_ERROR (after logging at
 * info level and dropping the cached session) otherwise.
 */
static ngx_int_t
ngx_stream_ssl_check_client_cert(ngx_connection_t *c,
    ngx_stream_ssl_conf_t *sslcf)
{
    long   verify_result;
    X509  *peer;

    verify_result = SSL_get_verify_result(c->ssl->connection);

    if (verify_result != X509_V_OK) {

        if (sslcf->verify != 3
            || !ngx_ssl_verify_error_optional(verify_result))
        {
            ngx_log_error(NGX_LOG_INFO, c->log, 0,
                          "client SSL certificate verify error: (%l:%s)",
                          verify_result,
                          X509_verify_cert_error_string(verify_result));

            return ngx_stream_ssl_reject_client(c);
        }
    }

    if (sslcf->verify != 1) {
        return NGX_OK;
    }

    /*
     * OpenSSL reports X509_V_OK when the client sent no certificate at all,
     * so a required certificate has to be checked for explicitly.
     */

    peer = SSL_get_peer_certificate(c->ssl->connection);

    if (peer == NULL) {
        ngx_log_error(NGX_LOG_INFO, c->log, 0,
                      "client sent no required SSL certificate");

        return ngx_stream_ssl_reject_client(c);
    }

    /* only presence matters here; the reference is released at once */
    X509_free(peer);

    return NGX_OK;
}


/*
 * Stream SSL phase handler.  Sessions without s->ssl set pass through
 * untouched.  For SSL sessions it starts the TLS handshake if the connection
 * has no SSL state yet and then, when client certificate verification is
 * configured, enforces the verification result.
 *
 * Returns NGX_OK to continue with the next phase, NGX_AGAIN while the
 * handshake is still pending (the session is resumed by the handshake
 * handler), NGX_ERROR to drop the session.
 */
static ngx_int_t
ngx_stream_ssl_handler(ngx_stream_session_t *s)
{
    ngx_int_t               rc;
    ngx_connection_t       *c;
    ngx_stream_ssl_conf_t  *sslcf;

    if (!s->ssl) {
        return NGX_OK;
    }

    c = s->connection;
    sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);

    if (c->ssl == NULL) {
        c->log->action = "SSL handshaking";

        rc = ngx_stream_ssl_init_connection(&sslcf->ssl, c);

        if (rc != NGX_OK) {
            return rc;
        }
    }

    if (!sslcf->verify) {
        return NGX_OK;
    }

    return ngx_stream_ssl_check_client_cert(c, sslcf);
}
392 | |
393 | |
/*
 * Attaches an SSL connection to c and drives the handshake.  TCP_NODELAY is
 * applied first when the core "tcp_nodelay" setting asks for it (see
 * changeset 29c6d66b83ba for the ordering).
 *
 * Returns NGX_OK when the handshake completed synchronously; NGX_AGAIN when
 * it has to wait for the peer, in which case the read event is armed with
 * sslcf->handshake_timeout (bounding how long an unauthenticated peer may sit
 * in the handshake) and ngx_stream_ssl_handshake_handler() is installed as
 * the completion callback; NGX_ERROR on any failure.
 */
static ngx_int_t
ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)
{
    ngx_stream_session_t        *s;
    ngx_stream_ssl_conf_t       *sslcf;
    ngx_stream_core_srv_conf_t  *cscf;

    s = c->data;
    cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);

    if (cscf->tcp_nodelay) {
        if (ngx_tcp_nodelay(c) != NGX_OK) {
            return NGX_ERROR;
        }
    }

    if (ngx_ssl_create_connection(ssl, c, 0) != NGX_OK) {
        return NGX_ERROR;
    }

    switch (ngx_ssl_handshake(c)) {

    case NGX_AGAIN:
        sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);

        ngx_add_timer(c->read, sslcf->handshake_timeout);
        c->ssl->handler = ngx_stream_ssl_handshake_handler;

        return NGX_AGAIN;

    case NGX_ERROR:
        return NGX_ERROR;

    default:
        /* NGX_OK: the handshake finished without waiting */
        return NGX_OK;
    }
}
434 | |
435 | |
/*
 * Completion callback for an asynchronous handshake started by
 * ngx_stream_ssl_init_connection().  On success the handshake timer armed
 * there is cancelled and the phase engine resumes the session; a handshake
 * that ended without c->ssl->handshaked being set finalizes the session with
 * NGX_STREAM_INTERNAL_SERVER_ERROR.
 */
static void
ngx_stream_ssl_handshake_handler(ngx_connection_t *c)
{
    ngx_stream_session_t  *s;

    s = c->data;

    if (c->ssl->handshaked) {

        if (c->read->timer_set) {
            ngx_del_timer(c->read);
        }

        ngx_stream_core_run_phases(s);
        return;
    }

    ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
}
454 | |
455 | |
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

/*
 * TLS server name (SNI) callback.  The stream module does not select a
 * server block by name here: the callback acknowledges the extension with
 * SSL_TLSEXT_ERR_OK and leaves ad and arg untouched.
 * NOTE(review): why a no-op callback is registered at all (changeset
 * 7e8bcba6d039) is decided where it is installed, outside this view -
 * confirm there before changing the return value.
 */
static int
ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
{
    return SSL_TLSEXT_ERR_OK;
}

#endif
465 |
466 |
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

/*
 * ALPN selection callback.  arg is the server-side protocol list built for
 * the "ssl_alpn" directive (outside this view), expected in the
 * length-prefixed wire format SSL_select_next_proto() takes; in/inlen is the
 * list offered by the client, i.e. untrusted input.
 *
 * Returns SSL_TLSEXT_ERR_OK with *out/*outlen pointing at the chosen
 * protocol, or SSL_TLSEXT_ERR_ALERT_FATAL when there is no common protocol -
 * the handshake is aborted rather than continued without ALPN.
 */
static int
ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
    unsigned char *outlen, const unsigned char *in, unsigned int inlen,
    void *arg)
{
    int                status;
    ngx_str_t         *alpn;
#if (NGX_DEBUG)
    unsigned int       pos;
    ngx_connection_t  *c;

    c = ngx_ssl_get_connection(ssl_conn);

    /*
     * Debug-only dump of the client's list, a run of <len><bytes> entries.
     * NOTE(review): the walk trusts each length byte to stay within inlen;
     * it presumes the TLS library validated the extension before calling
     * back, and nothing else consumes the parsed entries.
     */

    pos = 0;

    while (pos < inlen) {
        ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
                       "SSL ALPN supported by client: %*s",
                       (size_t) in[pos], &in[pos + 1]);

        pos += in[pos] + 1;
    }

#endif

    alpn = arg;

    status = SSL_select_next_proto((unsigned char **) out, outlen,
                                   alpn->data, alpn->len, in, inlen);

    if (status != OPENSSL_NPN_NEGOTIATED) {
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
                   "SSL ALPN selected: %*s", (size_t) *outlen, *out);

    return SSL_TLSEXT_ERR_OK;
}

#endif
505 |
506 |
#ifdef SSL_R_CERT_CB_ERROR

/*
 * Evaluates one certificate/key pair of complex values against session s
 * and loads the result into the connection.  Only the resolved paths go to
 * the debug log, never key material.
 * NOTE(review): the "%s" conversions assume the evaluated strings are
 * NUL-terminated - confirm ngx_stream_complex_value() guarantees that.
 *
 * Returns NGX_OK on success, NGX_ERROR if either value cannot be evaluated
 * or the certificate cannot be loaded.
 */
static ngx_int_t
ngx_stream_ssl_load_cert_pair(ngx_stream_session_t *s, ngx_connection_t *c,
    ngx_stream_ssl_conf_t *sslcf, ngx_stream_complex_value_t *cert_cv,
    ngx_stream_complex_value_t *key_cv)
{
    ngx_str_t  cert, key;

    if (ngx_stream_complex_value(s, cert_cv, &cert) != NGX_OK) {
        return NGX_ERROR;
    }

    ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
                   "ssl cert: \"%s\"", cert.data);

    if (ngx_stream_complex_value(s, key_cv, &key) != NGX_OK) {
        return NGX_ERROR;
    }

    ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
                   "ssl key: \"%s\"", key.data);

    return ngx_ssl_connection_certificate(c, c->pool, &cert, &key,
                                          sslcf->passwords);
}


/*
 * OpenSSL certificate callback: resolves the configured certificate/key
 * complex values per connection at handshake time (dynamic certificate
 * loading, changeset e970de27966a) instead of at configuration time.
 *
 * Returns 1 on success and 0 to fail the handshake.  A callback fired on a
 * connection whose handshake already completed (presumably a renegotiation)
 * is refused outright.  keys[] is indexed by the certificate index, so this
 * relies on configuration-time checks (outside this view) that
 * certificate_key_values has an entry for every certificate_values entry.
 */
static int
ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg)
{
    ngx_uint_t                   n;
    ngx_connection_t            *c;
    ngx_stream_session_t        *s;
    ngx_stream_ssl_conf_t       *sslcf;
    ngx_stream_complex_value_t  *certs, *keys;

    c = ngx_ssl_get_connection(ssl_conn);

    if (c->ssl->handshaked) {
        return 0;
    }

    s = c->data;
    sslcf = arg;

    certs = sslcf->certificate_values->elts;
    keys = sslcf->certificate_key_values->elts;

    for (n = 0; n < sslcf->certificate_values->nelts; n++) {

        if (ngx_stream_ssl_load_cert_pair(s, c, sslcf, &certs[n], &keys[n])
            != NGX_OK)
        {
            return 0;
        }
    }

    return 1;
}

#endif
561 |
562 |
6693 | 563 static ngx_int_t |
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
564 ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
565 ngx_stream_variable_value_t *v, uintptr_t data) |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
566 { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
567 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
568 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
569 size_t len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
570 ngx_str_t str; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
571 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
572 if (s->connection->ssl) { |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
573 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
574 (void) handler(s->connection, NULL, &str); |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
575 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
576 v->data = str.data; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
577 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
578 for (len = 0; v->data[len]; len++) { /* void */ } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
579 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
580 v->len = len; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
581 v->valid = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
582 v->no_cacheable = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
583 v->not_found = 0; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
584 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
585 return NGX_OK; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
586 } |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
587 |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
588 v->not_found = 1; |
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
589 |
590 return NGX_OK; |
591 } |
592 |
593 |
/*
 * Getter shared by the connection-dependent SSL variables.  The variable's
 * opaque "data" field carries the ngx_ssl_variable_handler_pt that produces
 * the string for this particular variable; the connection pool is handed to
 * it for whatever allocation it needs.
 *
 * The variable is reported as "not found" on a plain (non-SSL) connection
 * and when the handler yields an empty string.  NGX_ERROR is returned only
 * when the handler itself fails; in that case v is left untouched.
 */
static ngx_int_t
ngx_stream_ssl_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data)
{
    ngx_str_t                     value;
    ngx_connection_t             *c;
    ngx_ssl_variable_handler_pt   get_value;

    c = s->connection;
    get_value = (ngx_ssl_variable_handler_pt) data;

    if (!c->ssl) {
        goto not_found;
    }

    if (get_value(c, c->pool, &value) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = value.len;
    v->data = value.data;

    if (v->len == 0) {
        goto not_found;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;

not_found:

    v->not_found = 1;

    return NGX_OK;
}
624 |
625 |
/*
 * Registers every entry of ngx_stream_ssl_vars (the table ends with an
 * entry whose name is empty) with the stream variables subsystem, copying
 * the getter and its opaque data onto the registered variable.
 *
 * Returns NGX_OK, or NGX_ERROR as soon as ngx_stream_add_variable() fails.
 */
static ngx_int_t
ngx_stream_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_stream_variable_t  *src, *dst;

    src = ngx_stream_ssl_vars;

    while (src->name.len) {
        dst = ngx_stream_add_variable(cf, &src->name, src->flags);
        if (dst == NULL) {
            return NGX_ERROR;
        }

        dst->get_handler = src->get_handler;
        dst->data = src->data;

        src++;
    }

    return NGX_OK;
}
643 |
644 |
/*
 * Allocates the per-server SSL configuration of the stream module.
 *
 * The fields not assigned below are deliberately left zero/NULL by
 * ngx_pcalloc(): listen, protocols, certificate_values, shm_zone and the
 * string fields dhparam, ecdh_curve, client_certificate,
 * trusted_certificate, crl, alpn and ciphers.  Everything else is set to
 * the matching NGX_CONF_UNSET_* sentinel so that ngx_stream_ssl_merge_conf()
 * can distinguish "not configured" from a real value.
 *
 * Returns the new configuration, or NULL when pool allocation fails.
 */
static void *
ngx_stream_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_stream_ssl_conf_t  *sscf;

    sscf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t));
    if (sscf == NULL) {
        return NULL;
    }

    /* timeouts and on/off style settings */

    sscf->handshake_timeout = NGX_CONF_UNSET_MSEC;
    sscf->session_timeout = NGX_CONF_UNSET;
    sscf->session_tickets = NGX_CONF_UNSET;
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
    sscf->builtin_session_cache = NGX_CONF_UNSET;

    /* client certificate verification */

    sscf->verify = NGX_CONF_UNSET_UINT;
    sscf->verify_depth = NGX_CONF_UNSET_UINT;

    /* array-valued directives */

    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;

    return sscf;
}
686 | |
687 | |
688 static char * | |
689 ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
690 { | |
691 ngx_stream_ssl_conf_t *prev = parent; | |
692 ngx_stream_ssl_conf_t *conf = child; | |
693 | |
694 ngx_pool_cleanup_t *cln; | |
695 | |
696 ngx_conf_merge_msec_value(conf->handshake_timeout, | |
697 prev->handshake_timeout, 60000); | |
698 | |
699 ngx_conf_merge_value(conf->session_timeout, | |
700 prev->session_timeout, 300); | |
701 | |
702 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
703 prev->prefer_server_ciphers, 0); | |
704 | |
705 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6115
diff
changeset
|
706 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
6115 | 707 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
708 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
709 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
710 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
711 |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
712 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
713 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
714 NULL); |
6115 | 715 |
716 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | |
717 | |
718 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | |
719 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
720 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
721 ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
722 ngx_conf_merge_str_value(conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
723 prev->trusted_certificate, ""); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
724 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
7936
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
725 ngx_conf_merge_str_value(conf->alpn, prev->alpn, ""); |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
726 |
6115 | 727 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
728 NGX_DEFAULT_ECDH_CURVE); | |
729 | |
730 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | |
731 | |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
732 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
733 |
6115 | 734 |
735 conf->ssl.log = cf->log; | |
736 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
737 if (!conf->listen) { |
6115 | 738 return NGX_CONF_OK; |
739 } | |
740 | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
741 if (conf->certificates == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
742 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
743 "no \"ssl_certificate\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
744 "the \"listen ... ssl\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
745 conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
746 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
747 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
748 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
749 if (conf->certificate_keys == NULL) { |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
750 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
751 "no \"ssl_certificate_key\" is defined for " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
752 "the \"listen ... ssl\" directive in %s:%ui", |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
753 conf->file, conf->line); |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
754 return NGX_CONF_ERROR; |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
755 } |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
756 |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
757 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
6115 | 758 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
759 "no \"ssl_certificate_key\" is defined " | |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
760 "for certificate \"%V\" and " |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
761 "the \"listen ... ssl\" directive in %s:%ui", |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
762 ((ngx_str_t *) conf->certificates->elts) |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
763 + conf->certificates->nelts - 1, |
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
764 conf->file, conf->line); |
6115 | 765 return NGX_CONF_ERROR; |
766 } | |
767 | |
768 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | |
769 return NGX_CONF_ERROR; | |
770 } | |
771 | |
772 cln = ngx_pool_cleanup_add(cf->pool, 0); | |
773 if (cln == NULL) { | |
7473
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7471
diff
changeset
|
774 ngx_ssl_cleanup_ctx(&conf->ssl); |
6115 | 775 return NGX_CONF_ERROR; |
776 } | |
777 | |
778 cln->handler = ngx_ssl_cleanup_ctx; | |
779 cln->data = &conf->ssl; | |
780 | |
7471
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
781 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
782 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
783 ngx_stream_ssl_servername); |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
784 #endif |
7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7466
diff
changeset
|
785 |
7936
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
786 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
787 if (conf->alpn.len) { |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
788 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_stream_ssl_alpn_select, |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
789 &conf->alpn); |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
790 } |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
791 #endif |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
792 |
7904
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
793 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
794 conf->prefer_server_ciphers) |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
795 != NGX_OK) |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
796 { |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
797 return NGX_CONF_ERROR; |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
798 } |
419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7787
diff
changeset
|
799 |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
800 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) { |
6115 | 801 return NGX_CONF_ERROR; |
802 } | |
803 | |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
804 if (conf->certificate_values) { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
805 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
806 #ifdef SSL_R_CERT_CB_ERROR |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
807 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
808 /* install callback to lookup certificates */ |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
809 |
7466
48c87377aabd
SSL: fixed possible segfault with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
810 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, conf); |
7464
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
811 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
812 #else |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
813 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
814 "variables in " |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
815 "\"ssl_certificate\" and \"ssl_certificate_key\" " |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
816 "directives are not supported on this platform"); |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
817 return NGX_CONF_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
818 #endif |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
819 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
820 } else { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
821 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
822 /* configure certificates */ |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
823 |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
824 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
825 conf->certificate_keys, conf->passwords) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
826 != NGX_OK) |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
827 { |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
828 return NGX_CONF_ERROR; |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
829 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
830 } |
e970de27966a
SSL: dynamic certificate loading in the stream module.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7269
diff
changeset
|
831 |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
832 if (conf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
833 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
834 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
835 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
7567
ef7ee19776db
SSL: fixed ssl_verify_client error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7473
diff
changeset
|
836 "no ssl_client_certificate for ssl_verify_client"); |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
837 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
838 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
839 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
840 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
841 &conf->client_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
842 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
843 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
844 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
845 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
846 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
847 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
848 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
849 &conf->trusted_certificate, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
850 conf->verify_depth) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
851 != NGX_OK) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
852 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
853 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
854 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
855 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
856 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
857 return NGX_CONF_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
858 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
859 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
860 |
6115 | 861 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
862 return NGX_CONF_ERROR; | |
863 } | |
864 | |
865 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | |
866 return NGX_CONF_ERROR; | |
867 } | |
868 | |
869 ngx_conf_merge_value(conf->builtin_session_cache, | |
870 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | |
871 | |
872 if (conf->shm_zone == NULL) { | |
873 conf->shm_zone = prev->shm_zone; | |
874 } | |
875 | |
876 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, | |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7464
diff
changeset
|
877 conf->certificates, conf->builtin_session_cache, |
6115 | 878 conf->shm_zone, conf->session_timeout) |
879 != NGX_OK) | |
880 { | |
881 return NGX_CONF_ERROR; | |
882 } | |
883 | |
884 ngx_conf_merge_value(conf->session_tickets, | |
885 prev->session_tickets, 1); | |
886 | |
887 #ifdef SSL_OP_NO_TICKET | |
888 if (!conf->session_tickets) { | |
889 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
890 } | |
891 #endif | |
892 | |
893 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
894 prev->session_ticket_keys, NULL); | |
895 | |
896 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
897 != NGX_OK) | |
898 { | |
899 return NGX_CONF_ERROR; | |
900 } | |
901 | |
902 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) { |
903 return NGX_CONF_ERROR; |
904 } |
905 |
6115 | 906 return NGX_CONF_OK; |
907 } | |
908 | |
909 | |
/*
 * Returns 1 when any of the first n certificate or key strings contains
 * variables (checked in the same order as the arrays are stored: the
 * certificate of a pair before its key), 0 otherwise.
 */
static ngx_uint_t
ngx_stream_ssl_certificates_have_variables(ngx_str_t *certs, ngx_str_t *keys,
    ngx_uint_t n)
{
    ngx_uint_t  i;

    for (i = 0; i < n; i++) {
        if (ngx_stream_script_variables_count(&certs[i])
            || ngx_stream_script_variables_count(&keys[i]))
        {
            return 1;
        }
    }

    return 0;
}


/*
 * Pushes a new complex value onto "values" and compiles "value" into it.
 * ccv.zero is set, which presumably requests a terminating zero byte so
 * the evaluated file name can be handed to OpenSSL as a C string --
 * verify against ngx_stream_script if relying on it.
 *
 * Returns NGX_OK on success, NGX_ERROR on allocation or compilation
 * failure.
 */
static ngx_int_t
ngx_stream_ssl_compile_value(ngx_conf_t *cf, ngx_array_t *values,
    ngx_str_t *value)
{
    ngx_stream_complex_value_t          *cv;
    ngx_stream_compile_complex_value_t   ccv;

    cv = ngx_array_push(values);
    if (cv == NULL) {
        return NGX_ERROR;
    }

    ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t));

    ccv.cf = cf;
    ccv.value = value;
    ccv.complex_value = cv;
    ccv.zero = 1;

    return ngx_stream_compile_complex_value(&ccv);
}


/*
 * Prepares per-connection (dynamic) certificate loading.
 *
 * If none of the "ssl_certificate" / "ssl_certificate_key" strings in
 * conf->certificates / conf->certificate_keys references a variable,
 * nothing is compiled and conf->certificate_values and
 * conf->certificate_key_values are left untouched.
 *
 * Otherwise every entry -- including the ones without variables -- is
 * compiled into conf->certificate_values / conf->certificate_key_values,
 * so both arrays line up index-by-index with the source arrays, and the
 * password list is kept via ngx_ssl_preserve_passwords() so it remains
 * available after configuration parsing finishes.
 *
 * Expects conf->certificate_keys to hold at least as many entries as
 * conf->certificates; only conf->certificates->nelts entries are read
 * from either array, so this must have been validated by the caller.
 *
 * Returns NGX_OK on success and NGX_ERROR on any allocation or
 * compilation failure.
 */
static ngx_int_t
ngx_stream_ssl_compile_certificates(ngx_conf_t *cf,
    ngx_stream_ssl_conf_t *conf)
{
    ngx_str_t   *certs, *keys;
    ngx_uint_t   n, count;

    certs = conf->certificates->elts;
    keys = conf->certificate_keys->elts;
    count = conf->certificates->nelts;

    if (!ngx_stream_ssl_certificates_have_variables(certs, keys, count)) {
        return NGX_OK;
    }

    conf->certificate_values = ngx_array_create(cf->pool, count,
                                             sizeof(ngx_stream_complex_value_t));
    if (conf->certificate_values == NULL) {
        return NGX_ERROR;
    }

    conf->certificate_key_values = ngx_array_create(cf->pool, count,
                                             sizeof(ngx_stream_complex_value_t));
    if (conf->certificate_key_values == NULL) {
        return NGX_ERROR;
    }

    /* certificate of pair n is compiled before its key, as stored */

    for (n = 0; n < count; n++) {

        if (ngx_stream_ssl_compile_value(cf, conf->certificate_values,
                                         &certs[n])
            != NGX_OK)
        {
            return NGX_ERROR;
        }

        if (ngx_stream_ssl_compile_value(cf, conf->certificate_key_values,
                                         &keys[n])
            != NGX_OK)
        {
            return NGX_ERROR;
        }
    }

    conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
    if (conf->passwords == NULL) {
        return NGX_ERROR;
    }

    return NGX_OK;
}
992 |
993 |
/*
 * Handler for the "ssl_password_file" directive.
 *
 * Reads the passphrase list from the file named by the directive's
 * argument (via ngx_ssl_read_password_file) and stores it in
 * scf->passwords.  The file is read once, at configuration time.
 *
 * Returns NGX_CONF_OK on success, "is duplicate" if the directive was
 * already given in this context, and NGX_CONF_ERROR if the file could
 * not be read.
 */
static char *
ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_ssl_conf_t  *sscf = conf;

    ngx_str_t  *args;

    if (sscf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    args = cf->args->elts;

    sscf->passwords = ngx_ssl_read_password_file(cf, &args[1]);
    if (sscf->passwords == NULL) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}
1015 | |
1016 | |
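/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Each argument is one of:
 *
 *   off               - scf->builtin_session_cache = NGX_SSL_NO_SCACHE
 *   none              - scf->builtin_session_cache = NGX_SSL_NONE_SCACHE
 *   builtin           - scf->builtin_session_cache =
 *                       NGX_SSL_DFLT_BUILTIN_SCACHE
 *   builtin:N         - scf->builtin_session_cache = N (decimal)
 *   shared:NAME:SIZE  - a shared memory zone NAME of SIZE bytes
 *                       (ngx_parse_size syntax, at least 8 pages),
 *                       registered with ngx_ssl_session_cache_init
 *
 * When a shared zone is given and no builtin keyword was, the builtin
 * value is set to NGX_SSL_NO_BUILTIN_SCACHE.  Any other argument, a
 * "builtin:" with a non-numeric count, a "shared:" without a name or
 * size, or an unparsable size logs "invalid session cache" and fails;
 * an undersized zone logs "session cache ... is too small" and fails.
 *
 * Returns NGX_CONF_OK on success, NGX_CONF_ERROR on failure.
 */
static char *
ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_ssl_conf_t  *scf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            scf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            /* the zone name runs from after "shared:" up to the next ':' */

            len = 0;

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /*
             * Reject an empty name and a missing ":size" part.  Without
             * the second check, "shared:name" (no colon after the name)
             * leaves j == value[i].len, so size.len below underflows and
             * size.data points past the end of the argument, and
             * ngx_parse_size() reads out of bounds.
             */

            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            /* j indexes the ':' after the name; the size follows it */

            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            /* the zone needs room for its own bookkeeping, 8 pages minimum */

            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                  &ngx_stream_ssl_module);
            if (scf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            scf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    /* a shared zone alone implies no builtin cache unless one was named */

    if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
        scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}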
6693 | 1127 |
1128 | |
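/*
 * Handler for the "ssl_alpn" directive.
 *
 * Encodes the protocol names given as arguments into the RFC 7301 wire
 * format -- a one-byte length followed by the name, for each protocol,
 * in the order given -- and stores the result in scf->alpn.
 *
 * RFC 7301 defines ProtocolName as <1..2^8-1> bytes, so each name must
 * be 1..255 bytes long: longer names cannot be length-prefixed in one
 * byte, and an empty name is not a valid list entry at all.  Both are
 * rejected at configuration time.
 *
 * Returns NGX_CONF_OK on success; "is duplicate" if the directive was
 * already given in this context; "empty protocol" or "protocol too long"
 * for an invalid name; NGX_CONF_ERROR on allocation failure, or, when
 * OpenSSL was built without ALPN support, unconditionally after logging
 * an error.
 */
static char *
ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

    ngx_stream_ssl_conf_t  *scf = conf;

    u_char      *p;
    size_t       len;
    ngx_str_t   *value;
    ngx_uint_t   i;

    if (scf->alpn.len) {
        return "is duplicate";
    }

    value = cf->args->elts;

    /* first pass: validate every name and size the encoded list */

    len = 0;

    for (i = 1; i < cf->args->nelts; i++) {

        if (value[i].len == 0) {
            return "empty protocol";
        }

        if (value[i].len > 255) {
            return "protocol too long";
        }

        len += value[i].len + 1;
    }

    scf->alpn.data = ngx_pnalloc(cf->pool, len);
    if (scf->alpn.data == NULL) {
        return NGX_CONF_ERROR;
    }

    /* second pass: emit <length byte><name> for each protocol */

    p = scf->alpn.data;

    for (i = 1; i < cf->args->nelts; i++) {
        /* the narrowing to u_char is safe: len was checked to be <= 255 */
        *p++ = value[i].len;
        p = ngx_cpymem(p, value[i].data, value[i].len);
    }

    scf->alpn.len = len;

    return NGX_CONF_OK;

#else
    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "the \"ssl_alpn\" directive requires OpenSSL "
                       "with ALPN support");
    return NGX_CONF_ERROR;
#endif
}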
1181 |
1182 |
/*
 * Post handler for the "ssl_conf_command" directive.
 *
 * Only checks, at configuration time, that the OpenSSL build provides
 * the SSL_CONF API (detected through SSL_CONF_FLAG_FILE); the commands
 * themselves are applied later by ngx_ssl_conf_commands().  The post and
 * data arguments are not used.
 *
 * Returns NGX_CONF_OK when the API is available, otherwise the error
 * string "is not supported on this platform".
 */
static char *
ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifdef SSL_CONF_FLAG_FILE
    return NGX_CONF_OK;
#else
    return "is not supported on this platform";
#endif
}
1192 |
1193 |
/*
 * Module postconfiguration: registers ngx_stream_ssl_handler in the
 * NGX_STREAM_SSL_PHASE handler list of the stream core main conf, so it
 * runs for every session in that phase.
 *
 * Returns NGX_OK on success, NGX_ERROR if the handler array could not be
 * grown.
 */
static ngx_int_t
ngx_stream_ssl_init(ngx_conf_t *cf)
{
    ngx_stream_handler_pt        *handler;
    ngx_stream_core_main_conf_t  *cmcf;

    cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);

    handler = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers);
    if (handler == NULL) {
        return NGX_ERROR;
    }

    *handler = ngx_stream_ssl_handler;

    return NGX_OK;
}