Mercurial > hg > nginx
annotate src/http/modules/ngx_http_ssl_module.h @ 7732:59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 22 Oct 2020 18:02:28 +0300 |
| parents | 3bff3f397c05 |
| children | 71b7453fb11f |
| rev | line source |
|---|---|
|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
1 |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2 /* |
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
5 */ |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
6 |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
7 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
8 #ifndef _NGX_HTTP_SSL_H_INCLUDED_ |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
9 #define _NGX_HTTP_SSL_H_INCLUDED_ |
|
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
10 |
|
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
|
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
12 #include <ngx_config.h> |
|
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
13 #include <ngx_core.h> |
|
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
14 #include <ngx_http.h> |
|
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
15 |
|
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
16 |
| 973 | 17 typedef struct { |
| 18 ngx_flag_t enable; | |
| 19 | |
| 20 ngx_ssl_t ssl; | |
| 21 | |
| 22 ngx_flag_t prefer_server_ciphers; | |
|
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
23 ngx_flag_t early_data; |
|
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
24 ngx_flag_t reject_handshake; |
| 573 | 25 |
| 973 | 26 ngx_uint_t protocols; |
| 27 | |
| 2123 | 28 ngx_uint_t verify; |
| 29 ngx_uint_t verify_depth; | |
| 973 | 30 |
|
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
31 size_t buffer_size; |
|
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
32 |
| 973 | 33 ssize_t builtin_session_cache; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
392
diff
changeset
|
34 |
| 973 | 35 time_t session_timeout; |
| 36 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
37 ngx_array_t *certificates; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
38 ngx_array_t *certificate_keys; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
39 |
|
7462
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
40 ngx_array_t *certificate_values; |
|
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
41 ngx_array_t *certificate_key_values; |
|
be2af41d3620
SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
42 |
| 2044 | 43 ngx_str_t dhparam; |
| 3960 | 44 ngx_str_t ecdh_curve; |
| 973 | 45 ngx_str_t client_certificate; |
|
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
46 ngx_str_t trusted_certificate; |
| 2995 | 47 ngx_str_t crl; |
| 973 | 48 |
| 49 ngx_str_t ciphers; | |
| 50 | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
51 ngx_array_t *passwords; |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
52 ngx_array_t *conf_commands; |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
53 |
| 973 | 54 ngx_shm_zone_t *shm_zone; |
| 2224 | 55 |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
56 ngx_flag_t session_tickets; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
4879
diff
changeset
|
57 ngx_array_t *session_ticket_keys; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
4879
diff
changeset
|
58 |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7462
diff
changeset
|
59 ngx_uint_t ocsp; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7462
diff
changeset
|
60 ngx_str_t ocsp_responder; |
|
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
61 ngx_shm_zone_t *ocsp_cache_zone; |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7462
diff
changeset
|
62 |
|
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
63 ngx_flag_t stapling; |
|
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
64 ngx_flag_t stapling_verify; |
|
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
65 ngx_str_t stapling_file; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
66 ngx_str_t stapling_responder; |
|
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
67 |
| 2224 | 68 u_char *file; |
| 69 ngx_uint_t line; | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
392
diff
changeset
|
70 } ngx_http_ssl_srv_conf_t; |
|
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
384
diff
changeset
|
71 |
|
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
384
diff
changeset
|
72 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
73 extern ngx_module_t ngx_http_ssl_module; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
392
diff
changeset
|
74 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
392
diff
changeset
|
75 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
76 #endif /* _NGX_HTTP_SSL_H_INCLUDED_ */ |