Mercurial > hg > nginx
annotate src/mail/ngx_mail_ssl_module.c @ 7729:3bff3f397c05
SSL: ssl_conf_command directive.
With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later. Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).
In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):
ssl_conf_command Options PrioritizeChaCha;
It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 22 Oct 2020 18:00:22 +0300 |
| parents | ef7ee19776db |
| children | 7ce28b4cc57e |
| rev | line source |
|---|---|
| 539 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
| 539 | 5 */ |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 1136 | 10 #include <ngx_mail.h> |
| 539 | 11 |
| 12 | |
| 3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
14 #define NGX_DEFAULT_ECDH_CURVE "auto" |
| 539 | 15 |
| 16 | |
| 1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
| 18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
| 2224 | 19 |
| 20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 21 void *conf); | |
| 22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 23 void *conf); | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
24 static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
25 void *conf); |
| 1136 | 26 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
| 976 | 27 void *conf); |
| 539 | 28 |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
29 static char *ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
30 void *data); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
31 |
| 539 | 32 |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
33 static ngx_conf_enum_t ngx_mail_starttls_state[] = { |
| 1136 | 34 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF }, |
| 35 { ngx_string("on"), NGX_MAIL_STARTTLS_ON }, | |
| 36 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY }, | |
| 583 | 37 { ngx_null_string, 0 } |
| 38 }; | |
| 39 | |
| 40 | |
| 41 | |
| 1136 | 42 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = { |
| 547 | 43 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 44 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 45 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
46 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
47 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
|
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6699
diff
changeset
|
48 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 }, |
| 547 | 49 { ngx_null_string, 0 } |
| 50 }; | |
| 51 | |
| 52 | |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
53 static ngx_conf_enum_t ngx_mail_ssl_verify[] = { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
54 { ngx_string("off"), 0 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
55 { ngx_string("on"), 1 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
56 { ngx_string("optional"), 2 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
57 { ngx_string("optional_no_ca"), 3 }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
58 { ngx_null_string, 0 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
59 }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
60 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
61 |
|
7270
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
62 static ngx_conf_deprecated_t ngx_mail_ssl_deprecated = { |
|
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
63 ngx_conf_deprecated, "ssl", "listen ... ssl" |
|
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
64 }; |
|
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
65 |
|
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
66 |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
67 static ngx_conf_post_t ngx_mail_ssl_conf_command_post = |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
68 { ngx_mail_ssl_conf_command_check }; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
69 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
70 |
| 1136 | 71 static ngx_command_t ngx_mail_ssl_commands[] = { |
| 539 | 72 |
| 73 { ngx_string("ssl"), | |
| 1136 | 74 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 2224 | 75 ngx_mail_ssl_enable, |
| 1136 | 76 NGX_MAIL_SRV_CONF_OFFSET, |
| 77 offsetof(ngx_mail_ssl_conf_t, enable), | |
|
7270
46c0c7ef4913
SSL: deprecated the "ssl" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
7269
diff
changeset
|
78 &ngx_mail_ssl_deprecated }, |
| 539 | 79 |
| 583 | 80 { ngx_string("starttls"), |
| 1136 | 81 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 2224 | 82 ngx_mail_ssl_starttls, |
| 1136 | 83 NGX_MAIL_SRV_CONF_OFFSET, |
| 84 offsetof(ngx_mail_ssl_conf_t, starttls), | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
85 ngx_mail_starttls_state }, |
| 583 | 86 |
| 539 | 87 { ngx_string("ssl_certificate"), |
| 1136 | 88 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
89 ngx_conf_set_str_array_slot, |
| 1136 | 90 NGX_MAIL_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
91 offsetof(ngx_mail_ssl_conf_t, certificates), |
| 539 | 92 NULL }, |
| 93 | |
| 94 { ngx_string("ssl_certificate_key"), | |
| 1136 | 95 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
96 ngx_conf_set_str_array_slot, |
| 1136 | 97 NGX_MAIL_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
98 offsetof(ngx_mail_ssl_conf_t, certificate_keys), |
| 539 | 99 NULL }, |
| 100 | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
101 { ngx_string("ssl_password_file"), |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
102 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
103 ngx_mail_ssl_password_file, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
104 NGX_MAIL_SRV_CONF_OFFSET, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
105 0, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
106 NULL }, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
107 |
| 2044 | 108 { ngx_string("ssl_dhparam"), |
| 109 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 110 ngx_conf_set_str_slot, | |
| 111 NGX_MAIL_SRV_CONF_OFFSET, | |
| 112 offsetof(ngx_mail_ssl_conf_t, dhparam), | |
| 113 NULL }, | |
| 114 | |
| 3960 | 115 { ngx_string("ssl_ecdh_curve"), |
| 116 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 117 ngx_conf_set_str_slot, | |
| 118 NGX_MAIL_SRV_CONF_OFFSET, | |
| 119 offsetof(ngx_mail_ssl_conf_t, ecdh_curve), | |
| 120 NULL }, | |
| 121 | |
| 547 | 122 { ngx_string("ssl_protocols"), |
| 1136 | 123 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, |
| 547 | 124 ngx_conf_set_bitmask_slot, |
| 1136 | 125 NGX_MAIL_SRV_CONF_OFFSET, |
| 126 offsetof(ngx_mail_ssl_conf_t, protocols), | |
| 127 &ngx_mail_ssl_protocols }, | |
| 547 | 128 |
| 539 | 129 { ngx_string("ssl_ciphers"), |
| 1136 | 130 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 131 ngx_conf_set_str_slot, |
| 1136 | 132 NGX_MAIL_SRV_CONF_OFFSET, |
| 133 offsetof(ngx_mail_ssl_conf_t, ciphers), | |
| 539 | 134 NULL }, |
| 135 | |
| 547 | 136 { ngx_string("ssl_prefer_server_ciphers"), |
| 1136 | 137 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 547 | 138 ngx_conf_set_flag_slot, |
| 1136 | 139 NGX_MAIL_SRV_CONF_OFFSET, |
| 140 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers), | |
| 547 | 141 NULL }, |
| 563 | 142 |
| 976 | 143 { ngx_string("ssl_session_cache"), |
| 1136 | 144 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
| 145 ngx_mail_ssl_session_cache, | |
| 146 NGX_MAIL_SRV_CONF_OFFSET, | |
| 976 | 147 0, |
| 148 NULL }, | |
| 149 | |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
150 { ngx_string("ssl_session_tickets"), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
151 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
152 ngx_conf_set_flag_slot, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
153 NGX_MAIL_SRV_CONF_OFFSET, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
154 offsetof(ngx_mail_ssl_conf_t, session_tickets), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
155 NULL }, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
156 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
157 { ngx_string("ssl_session_ticket_key"), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
158 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
159 ngx_conf_set_str_array_slot, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
160 NGX_MAIL_SRV_CONF_OFFSET, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
161 offsetof(ngx_mail_ssl_conf_t, session_ticket_keys), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
162 NULL }, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
163 |
| 573 | 164 { ngx_string("ssl_session_timeout"), |
| 1136 | 165 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 573 | 166 ngx_conf_set_sec_slot, |
| 1136 | 167 NGX_MAIL_SRV_CONF_OFFSET, |
| 168 offsetof(ngx_mail_ssl_conf_t, session_timeout), | |
| 573 | 169 NULL }, |
| 547 | 170 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
171 { ngx_string("ssl_verify_client"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
172 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
173 ngx_conf_set_enum_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
174 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
175 offsetof(ngx_mail_ssl_conf_t, verify), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
176 &ngx_mail_ssl_verify }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
177 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
178 { ngx_string("ssl_verify_depth"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
179 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
180 ngx_conf_set_num_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
181 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
182 offsetof(ngx_mail_ssl_conf_t, verify_depth), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
183 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
184 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
185 { ngx_string("ssl_client_certificate"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
186 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
187 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
188 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
189 offsetof(ngx_mail_ssl_conf_t, client_certificate), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
190 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
191 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
192 { ngx_string("ssl_trusted_certificate"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
193 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
194 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
195 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
196 offsetof(ngx_mail_ssl_conf_t, trusted_certificate), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
197 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
198 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
199 { ngx_string("ssl_crl"), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
200 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
201 ngx_conf_set_str_slot, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
202 NGX_MAIL_SRV_CONF_OFFSET, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
203 offsetof(ngx_mail_ssl_conf_t, crl), |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
204 NULL }, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
205 |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
206 { ngx_string("ssl_conf_command"), |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
207 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE2, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
208 ngx_conf_set_keyval_slot, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
209 NGX_MAIL_SRV_CONF_OFFSET, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
210 offsetof(ngx_mail_ssl_conf_t, conf_commands), |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
211 &ngx_mail_ssl_conf_command_post }, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
212 |
| 539 | 213 ngx_null_command |
| 214 }; | |
| 215 | |
| 216 | |
| 1136 | 217 static ngx_mail_module_t ngx_mail_ssl_module_ctx = { |
|
1487
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
218 NULL, /* protocol */ |
|
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
219 |
| 539 | 220 NULL, /* create main configuration */ |
| 221 NULL, /* init main configuration */ | |
| 222 | |
| 1136 | 223 ngx_mail_ssl_create_conf, /* create server configuration */ |
| 224 ngx_mail_ssl_merge_conf /* merge server configuration */ | |
| 539 | 225 }; |
| 226 | |
| 227 | |
| 1136 | 228 ngx_module_t ngx_mail_ssl_module = { |
| 539 | 229 NGX_MODULE_V1, |
| 1136 | 230 &ngx_mail_ssl_module_ctx, /* module context */ |
| 231 ngx_mail_ssl_commands, /* module directives */ | |
| 232 NGX_MAIL_MODULE, /* module type */ | |
| 541 | 233 NULL, /* init master */ |
| 539 | 234 NULL, /* init module */ |
| 541 | 235 NULL, /* init process */ |
| 236 NULL, /* init thread */ | |
| 237 NULL, /* exit thread */ | |
| 238 NULL, /* exit process */ | |
| 239 NULL, /* exit master */ | |
| 240 NGX_MODULE_V1_PADDING | |
| 539 | 241 }; |
| 242 | |
| 243 | |
| 1136 | 244 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL"); |
| 543 | 245 |
| 246 | |
| 539 | 247 static void * |
| 1136 | 248 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
| 577 | 249 { |
| 1136 | 250 ngx_mail_ssl_conf_t *scf; |
| 577 | 251 |
| 1136 | 252 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
| 539 | 253 if (scf == NULL) { |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
254 return NULL; |
| 539 | 255 } |
| 256 | |
| 257 /* | |
| 577 | 258 * set by ngx_pcalloc(): |
| 539 | 259 * |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
260 * scf->listen = 0; |
| 547 | 261 * scf->protocols = 0; |
| 2044 | 262 * scf->dhparam = { 0, NULL }; |
| 3960 | 263 * scf->ecdh_curve = { 0, NULL }; |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
264 * scf->client_certificate = { 0, NULL }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
265 * scf->trusted_certificate = { 0, NULL }; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
266 * scf->crl = { 0, NULL }; |
|
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
267 * scf->ciphers = { 0, NULL }; |
| 976 | 268 * scf->shm_zone = NULL; |
| 539 | 269 */ |
| 270 | |
| 271 scf->enable = NGX_CONF_UNSET; | |
| 2759 | 272 scf->starttls = NGX_CONF_UNSET_UINT; |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
273 scf->certificates = NGX_CONF_UNSET_PTR; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
274 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
275 scf->passwords = NGX_CONF_UNSET_PTR; |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
276 scf->conf_commands = NGX_CONF_UNSET_PTR; |
| 976 | 277 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
278 scf->verify = NGX_CONF_UNSET_UINT; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
279 scf->verify_depth = NGX_CONF_UNSET_UINT; |
| 976 | 280 scf->builtin_session_cache = NGX_CONF_UNSET; |
| 573 | 281 scf->session_timeout = NGX_CONF_UNSET; |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
282 scf->session_tickets = NGX_CONF_UNSET; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
283 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 539 | 284 |
| 285 return scf; | |
| 286 } | |
| 287 | |
| 288 | |
| 289 static char * | |
| 1136 | 290 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
| 539 | 291 { |
| 1136 | 292 ngx_mail_ssl_conf_t *prev = parent; |
| 293 ngx_mail_ssl_conf_t *conf = child; | |
| 539 | 294 |
| 2224 | 295 char *mode; |
| 563 | 296 ngx_pool_cleanup_t *cln; |
| 297 | |
| 539 | 298 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
| 2224 | 299 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
| 300 NGX_MAIL_STARTTLS_OFF); | |
| 539 | 301 |
| 573 | 302 ngx_conf_merge_value(conf->session_timeout, |
| 303 prev->session_timeout, 300); | |
| 304 | |
| 547 | 305 ngx_conf_merge_value(conf->prefer_server_ciphers, |
| 306 prev->prefer_server_ciphers, 0); | |
| 307 | |
| 308 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6035
diff
changeset
|
309 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
310 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 547 | 311 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
312 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
313 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
314 |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
315 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
316 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
317 NULL); |
| 539 | 318 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
319 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
320 |
| 2044 | 321 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
| 322 | |
| 3960 | 323 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 324 NGX_DEFAULT_ECDH_CURVE); | |
| 325 | |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
326 ngx_conf_merge_str_value(conf->client_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
327 prev->client_certificate, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
328 ngx_conf_merge_str_value(conf->trusted_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
329 prev->trusted_certificate, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
330 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
331 |
| 2124 | 332 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 539 | 333 |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
334 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
335 |
| 539 | 336 |
| 547 | 337 conf->ssl.log = cf->log; |
| 539 | 338 |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
339 if (conf->listen) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
340 mode = "listen ... ssl"; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
341 |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
342 } else if (conf->enable) { |
| 6474 | 343 mode = "ssl"; |
| 2224 | 344 |
| 345 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
| 6474 | 346 mode = "starttls"; |
| 2224 | 347 |
| 348 } else { | |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
349 return NGX_CONF_OK; |
| 2224 | 350 } |
| 351 | |
|
5401
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
352 if (conf->file == NULL) { |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
353 conf->file = prev->file; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
354 conf->line = prev->line; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
355 } |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
356 |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
357 if (conf->certificates == NULL) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
358 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
359 "no \"ssl_certificate\" is defined for " |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
360 "the \"%s\" directive in %s:%ui", |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
361 mode, conf->file, conf->line); |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
362 return NGX_CONF_ERROR; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
363 } |
| 2224 | 364 |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
365 if (conf->certificate_keys == NULL) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
366 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
367 "no \"ssl_certificate_key\" is defined for " |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
368 "the \"%s\" directive in %s:%ui", |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
369 mode, conf->file, conf->line); |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
370 return NGX_CONF_ERROR; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
371 } |
| 2224 | 372 |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
373 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
374 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
375 "no \"ssl_certificate_key\" is defined " |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
376 "for certificate \"%V\" and " |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
377 "the \"%s\" directive in %s:%ui", |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
378 ((ngx_str_t *) conf->certificates->elts) |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
379 + conf->certificates->nelts - 1, |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
380 mode, conf->file, conf->line); |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
381 return NGX_CONF_ERROR; |
| 2224 | 382 } |
| 383 | |
| 969 | 384 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 539 | 385 return NGX_CONF_ERROR; |
| 386 } | |
| 387 | |
| 563 | 388 cln = ngx_pool_cleanup_add(cf->pool, 0); |
| 389 if (cln == NULL) { | |
|
7473
8981dbb12254
SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
390 ngx_ssl_cleanup_ctx(&conf->ssl); |
| 539 | 391 return NGX_CONF_ERROR; |
| 392 } | |
| 393 | |
| 563 | 394 cln->handler = ngx_ssl_cleanup_ctx; |
| 395 cln->data = &conf->ssl; | |
| 396 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
397 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
398 conf->certificate_keys, conf->passwords) |
| 563 | 399 != NGX_OK) |
| 547 | 400 { |
| 401 return NGX_CONF_ERROR; | |
| 402 } | |
| 539 | 403 |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
404 if (conf->verify) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
405 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
406 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
407 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
7567
ef7ee19776db
SSL: fixed ssl_verify_client error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7473
diff
changeset
|
408 "no ssl_client_certificate for ssl_verify_client"); |
|
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
409 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
410 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
411 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
412 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
413 &conf->client_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
414 conf->verify_depth) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
415 != NGX_OK) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
416 { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
417 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
418 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
419 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
420 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
421 &conf->trusted_certificate, |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
422 conf->verify_depth) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
423 != NGX_OK) |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
424 { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
425 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
426 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
427 |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
428 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
429 return NGX_CONF_ERROR; |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
430 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
431 } |
|
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
432 |
|
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
433 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
434 conf->prefer_server_ciphers) |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
435 != NGX_OK) |
|
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
436 { |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
437 return NGX_CONF_ERROR; |
| 539 | 438 } |
| 439 | |
| 2044 | 440 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 441 return NGX_CONF_ERROR; | |
| 442 } | |
| 443 | |
|
5219
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
444 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
445 return NGX_CONF_ERROR; |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
446 } |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
447 |
| 976 | 448 ngx_conf_merge_value(conf->builtin_session_cache, |
| 2032 | 449 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
| 976 | 450 |
| 451 if (conf->shm_zone == NULL) { | |
| 452 conf->shm_zone = prev->shm_zone; | |
| 453 } | |
| 539 | 454 |
| 1136 | 455 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
|
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
456 conf->certificates, conf->builtin_session_cache, |
| 976 | 457 conf->shm_zone, conf->session_timeout) |
| 458 != NGX_OK) | |
| 459 { | |
| 460 return NGX_CONF_ERROR; | |
| 461 } | |
| 573 | 462 |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
463 ngx_conf_merge_value(conf->session_tickets, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
464 prev->session_tickets, 1); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
465 |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
466 #ifdef SSL_OP_NO_TICKET |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
467 if (!conf->session_tickets) { |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
468 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
469 } |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
470 #endif |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
471 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
472 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
473 prev->session_ticket_keys, NULL); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
474 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
475 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
476 != NGX_OK) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
477 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
478 return NGX_CONF_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
479 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
480 |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
481 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
482 return NGX_CONF_ERROR; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
483 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
484 |
| 539 | 485 return NGX_CONF_OK; |
| 486 } | |
| 563 | 487 |
| 577 | 488 |
| 976 | 489 static char * |
| 2224 | 490 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 491 { | |
| 492 ngx_mail_ssl_conf_t *scf = conf; | |
| 493 | |
| 494 char *rv; | |
| 495 | |
| 496 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
| 497 | |
| 498 if (rv != NGX_CONF_OK) { | |
| 499 return rv; | |
| 500 } | |
| 501 | |
| 502 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
|
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6591
diff
changeset
|
503 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
| 2224 | 504 "\"starttls\" directive conflicts with \"ssl on\""); |
| 505 return NGX_CONF_ERROR; | |
| 506 } | |
| 507 | |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
508 if (!scf->listen) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
509 scf->file = cf->conf_file->file.name.data; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
510 scf->line = cf->conf_file->line; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
511 } |
| 2224 | 512 |
| 513 return NGX_CONF_OK; | |
| 514 } | |
| 515 | |
| 516 | |
| 517 static char * | |
| 518 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 519 { | |
| 520 ngx_mail_ssl_conf_t *scf = conf; | |
| 521 | |
| 522 char *rv; | |
| 523 | |
| 524 rv = ngx_conf_set_enum_slot(cf, cmd, conf); | |
| 525 | |
| 526 if (rv != NGX_CONF_OK) { | |
| 527 return rv; | |
| 528 } | |
| 529 | |
| 530 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
|
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6591
diff
changeset
|
531 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
| 2224 | 532 "\"ssl\" directive conflicts with \"starttls\""); |
| 533 return NGX_CONF_ERROR; | |
| 534 } | |
| 535 | |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
536 if (!scf->listen) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
537 scf->file = cf->conf_file->file.name.data; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
538 scf->line = cf->conf_file->line; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
539 } |
| 2224 | 540 |
| 541 return NGX_CONF_OK; | |
| 542 } | |
| 543 | |
| 544 | |
| 545 static char * | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
546 ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
547 { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
548 ngx_mail_ssl_conf_t *scf = conf; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
549 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
550 ngx_str_t *value; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
551 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
552 if (scf->passwords != NGX_CONF_UNSET_PTR) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
553 return "is duplicate"; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
554 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
555 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
556 value = cf->args->elts; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
557 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
558 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
559 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
560 if (scf->passwords == NULL) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
561 return NGX_CONF_ERROR; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
562 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
563 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
564 return NGX_CONF_OK; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
565 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
566 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
567 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
568 static char * |
| 1136 | 569 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 976 | 570 { |
| 1136 | 571 ngx_mail_ssl_conf_t *scf = conf; |
| 976 | 572 |
| 573 size_t len; | |
| 574 ngx_str_t *value, name, size; | |
| 575 ngx_int_t n; | |
| 576 ngx_uint_t i, j; | |
| 577 | |
| 578 value = cf->args->elts; | |
| 579 | |
| 580 for (i = 1; i < cf->args->nelts; i++) { | |
| 581 | |
| 1778 | 582 if (ngx_strcmp(value[i].data, "off") == 0) { |
| 583 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 584 continue; | |
| 585 } | |
| 586 | |
| 2032 | 587 if (ngx_strcmp(value[i].data, "none") == 0) { |
| 588 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 589 continue; | |
| 590 } | |
| 591 | |
| 976 | 592 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
| 593 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 594 continue; | |
| 595 } | |
| 596 | |
| 597 if (value[i].len > sizeof("builtin:") - 1 | |
| 598 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 599 == 0) | |
| 600 { | |
| 601 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 602 value[i].len - (sizeof("builtin:") - 1)); | |
| 603 | |
| 604 if (n == NGX_ERROR) { | |
| 605 goto invalid; | |
| 606 } | |
| 607 | |
| 608 scf->builtin_session_cache = n; | |
| 609 | |
| 610 continue; | |
| 611 } | |
| 612 | |
| 613 if (value[i].len > sizeof("shared:") - 1 | |
| 614 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 615 == 0) | |
| 616 { | |
| 617 len = 0; | |
| 618 | |
| 619 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 620 if (value[i].data[j] == ':') { | |
| 621 break; | |
| 622 } | |
| 623 | |
| 624 len++; | |
| 625 } | |
| 626 | |
| 627 if (len == 0) { | |
| 628 goto invalid; | |
| 629 } | |
| 630 | |
| 631 name.len = len; | |
| 632 name.data = value[i].data + sizeof("shared:") - 1; | |
| 633 | |
| 634 size.len = value[i].len - j - 1; | |
| 635 size.data = name.data + len + 1; | |
| 636 | |
| 637 n = ngx_parse_size(&size); | |
| 638 | |
| 639 if (n == NGX_ERROR) { | |
| 640 goto invalid; | |
| 641 } | |
| 642 | |
| 643 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 644 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 645 "session cache \"%V\" is too small", | |
| 646 &value[i]); | |
| 647 | |
| 648 return NGX_CONF_ERROR; | |
| 649 } | |
| 650 | |
| 651 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 1136 | 652 &ngx_mail_ssl_module); |
| 976 | 653 if (scf->shm_zone == NULL) { |
| 654 return NGX_CONF_ERROR; | |
| 655 } | |
| 656 | |
|
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
657 scf->shm_zone->init = ngx_ssl_session_cache_init; |
|
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
658 |
| 976 | 659 continue; |
| 660 } | |
| 661 | |
| 662 goto invalid; | |
| 663 } | |
| 664 | |
| 665 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 666 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 667 } | |
| 668 | |
| 669 return NGX_CONF_OK; | |
| 670 | |
| 671 invalid: | |
| 672 | |
| 673 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 674 "invalid session cache \"%V\"", &value[i]); | |
| 675 | |
| 676 return NGX_CONF_ERROR; | |
| 677 } | |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
678 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
679 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
680 static char * |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
681 ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
682 { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
683 #ifndef SSL_CONF_FLAG_FILE |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
684 return "is not supported on this platform"; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
685 #endif |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
686 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
687 return NGX_CONF_OK; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
688 } |