annotate src/http/modules/ngx_http_ssl_module.c @ 4872:7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
The directive allows specifying additional trusted Certificate Authority
certificates to be used during certificate verification. In contrast to
ssl_client_certificate, the DNs of these certificates aren't sent to the client
during the handshake.
Trusted certificates are loaded regardless of whether client certificate
verification is enabled, as the same certificates will be used for OCSP
stapling: during construction of an OCSP request and for verification of an
OCSP response.
The same applies to a CRL (which is now always loaded).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:39:36 +0000 |
parents | d620f497c50f |
children | dd74fd35ceb5 |
1 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
5 */ |
6 |
7 |
8 #include <ngx_config.h> |
9 #include <ngx_core.h> |
10 #include <ngx_http.h> |
11 |
573 | 12 |
/*
 * Signature shared by the ngx_ssl_get_*() accessors that back the $ssl_*
 * variables below: fill *s for connection c.  The "static" variants are
 * invoked with pool == NULL (see ngx_http_ssl_static_variable), the others
 * receive r->pool so they can allocate a per-request copy.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);


/*
 * Default for ssl_ciphers, in OpenSSL cipher-list syntax; it is handed
 * straight to SSL_CTX_set_cipher_list() in ngx_http_ssl_merge_srv_conf.
 * "HIGH" keeps the high-strength suites, "!aNULL" drops suites with no
 * authentication (anonymous key exchange, i.e. no protection against an
 * active man-in-the-middle) and "!MD5" drops MD5-based suites.  The
 * concrete suite set this expands to depends on the OpenSSL version that
 * is linked in -- check with "openssl ciphers -v".
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"

/* default for ssl_ecdh_curve: prime256v1 is NIST P-256 (secp256r1) */
#define NGX_DEFAULT_ECDH_CURVE  "prime256v1"


/* $ssl_protocol / $ssl_cipher: no allocation, accessor result used as-is */
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
/* remaining $ssl_* variables: accessor may allocate from r->pool and fail */
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
    void *parent, void *child);

/* directive handlers for "ssl" and "ssl_session_cache", defined later */
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

36 |
/*
 * Keywords accepted by ssl_protocols and the NGX_SSL_* bits they set.
 * The merged default (see ngx_http_ssl_merge_srv_conf) is SSLv3 plus all
 * TLS versions; SSLv2 is only enabled when it is named explicitly.
 * NOTE(review): SSLv2 has been prohibited by RFC 6176 since 2011 and SSLv3
 * is obsolete.  Keeping them selectable is a compatibility choice for the
 * directive, but selecting either deserves at least a config-time warning.
 */
static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_null_string, 0 }
};
45 | |
46 | |
/*
 * Values of ssl_verify_client.  ngx_http_ssl_merge_srv_conf treats any
 * non-zero value as "verification requested" and then insists on
 * ssl_client_certificate being set.  How "on" (1) differs from
 * "optional" (2) during the handshake is decided in the SSL layer outside
 * this file -- presumably "optional" tolerates a missing certificate and
 * exposes the outcome via $ssl_client_verify; confirm there.
 */
static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_null_string, 0 }
};
53 | |
54 | |
/*
 * Directives of the ssl module.  All of them are allowed at http{} and
 * server{} level and are merged into ngx_http_ssl_srv_conf_t by
 * ngx_http_ssl_merge_srv_conf(), which is also where the file names given
 * here are actually opened and loaded into the SSL_CTX.
 */
static ngx_command_t  ngx_http_ssl_commands[] = {

    /*
     * "ssl on|off".  When enabled, the merge step refuses the
     * configuration unless both ssl_certificate and ssl_certificate_key
     * are set (the file/line reported in that error is presumably
     * recorded by ngx_http_ssl_enable).  A context is still built when
     * "ssl" is off but ssl_certificate is given.
     */
    { ngx_string("ssl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_http_ssl_enable,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, enable),
      NULL },

    /* server certificate and its private key; both are plain file paths */
    { ngx_string("ssl_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
      NULL },

    /* file with DH parameters for DHE key exchange; empty means none */
    { ngx_string("ssl_dhparam"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
      NULL },

    /* named curve for ECDHE, NGX_DEFAULT_ECDH_CURVE when unset */
    { ngx_string("ssl_ecdh_curve"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
      NULL },

    /*
     * bitmask of enabled protocol versions, keywords from
     * ngx_http_ssl_protocols; the merged default is
     * SSLv3|TLSv1|TLSv1.1|TLSv1.2 (SSLv2 only when listed explicitly).
     */
    { ngx_string("ssl_protocols"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, protocols),
      &ngx_http_ssl_protocols },

    /*
     * OpenSSL cipher-list string, default NGX_DEFAULT_CIPHERS.
     * NOTE(review): in ngx_http_ssl_merge_srv_conf a string rejected by
     * SSL_CTX_set_cipher_list() is only logged at EMERG level; the merge
     * does not return NGX_CONF_ERROR, so a typo here lets nginx start with
     * whatever cipher list the context had rather than the one configured.
     * Consider making that failure fatal.
     */
    { ngx_string("ssl_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ciphers),
      NULL },

    /*
     * "off" (0) / "on" (1) / "optional" (2), see ngx_http_ssl_verify.
     * Any non-zero value requires ssl_client_certificate at merge time.
     */
    { ngx_string("ssl_verify_client"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify),
      &ngx_http_ssl_verify },

    /*
     * maximum chain depth, default 1.  The merge step hands the same
     * value to both ngx_ssl_client_certificate() and
     * ngx_ssl_trusted_certificate(), so it also bounds verification
     * against the trusted (OCSP) store.
     * NOTE(review): NGX_CONF_1MORE is inconsistent with the other
     * single-value directives here; ngx_conf_set_num_slot presumably
     * consumes only the first argument, so extra ones would be silently
     * ignored.  NGX_CONF_TAKE1 would be the stricter choice, but it
     * rejects configurations accepted today -- confirm before changing.
     */
    { ngx_string("ssl_verify_depth"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_num_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
      NULL },

    /*
     * CA bundle used to verify client certificates.  Per the commit
     * message the DNs of these CAs are advertised to the client during the
     * handshake, which is why a separate directive exists for CAs that
     * should stay private.
     */
    { ngx_string("ssl_client_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
      NULL },

    /*
     * additional trusted CAs, not advertised to clients.  Loaded
     * unconditionally -- even with ssl_verify_client off -- because the
     * same store serves OCSP stapling: building the OCSP request and
     * verifying the response.
     */
    { ngx_string("ssl_trusted_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
      NULL },

    /* SSL_OP_CIPHER_SERVER_PREFERENCE: server's cipher order wins; off */
    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
      NULL },

    /* one or two arguments, parsed by ngx_http_ssl_session_cache() */
    { ngx_string("ssl_session_cache"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
      ngx_http_ssl_session_cache,
      NGX_HTTP_SRV_CONF_OFFSET,
      0,
      NULL },

    /* session lifetime in seconds, default 300 */
    { ngx_string("ssl_session_timeout"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
      NULL },

    /* certificate revocation list; like the trusted store, always loaded */
    { ngx_string("ssl_crl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, crl),
      NULL },

      ngx_null_command
};
164 |
165 |
/*
 * HTTP-level hooks of the module: the $ssl_* variables are registered in
 * preconfiguration, and all state lives in the server{} configuration
 * (no main- or location-level configuration).
 */
static ngx_http_module_t  ngx_http_ssl_module_ctx = {
    ngx_http_ssl_add_variables,            /* preconfiguration */
    NULL,                                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_http_ssl_create_srv_conf,          /* create server configuration */
    ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

    NULL,                                  /* create location configuration */
    NULL                                   /* merge location configuration */
};
179 |
180 |
/*
 * Module descriptor.  No process/thread lifecycle callbacks are used: the
 * SSL_CTX is created during configuration merge and released through a
 * pool cleanup (ngx_ssl_cleanup_ctx) registered there.
 */
ngx_module_t  ngx_http_ssl_module = {
    NGX_MODULE_V1,
    &ngx_http_ssl_module_ctx,              /* module context */
    ngx_http_ssl_commands,                 /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
195 |
196 |
/*
 * The $ssl_* variables.  Entries using ngx_http_ssl_static_variable wrap
 * accessors that return a pointer to an existing NUL-terminated string and
 * need no pool (protocol and cipher name); the rest go through
 * ngx_http_ssl_variable, which passes r->pool so the accessor can allocate
 * a per-request copy and may fail.
 *
 * NOTE(review): the $ssl_client_* values are taken from the peer's
 * certificate.  With "ssl_verify_client optional" a certificate may
 * presumably be present but unverified, so whatever consumes these (for
 * instance a backend receiving them in proxied headers) should also check
 * $ssl_client_verify -- confirm against ngx_ssl_get_client_verify, which
 * is outside this file.
 */
static ngx_http_variable_t  ngx_http_ssl_vars[] = {

    { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /* client certificate, PEM (ssl_client_cert) and raw form */
    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /* outcome of client certificate verification */
    { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_null_string, NULL, NULL, 0, 0, 0 }
};
229 | |
230 | |
/* session ID context label; its use (presumably the session cache setup
 * at the end of ngx_http_ssl_merge_srv_conf) lies outside this excerpt */
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
973 | 232 |
233 | |
/*
 * Getter for $ssl_protocol and $ssl_cipher.  "data" carries an
 * ngx_ssl_variable_handler_pt.  The accessor is called without a pool, so
 * it is expected to hand back a pointer to an existing, NUL-terminated
 * string (presumably OpenSSL's constant protocol/cipher names; the
 * accessors are defined outside this file) and its return code is
 * deliberately ignored.  Only value.data is relied upon -- the length is
 * measured here.  On a non-SSL connection the variable is reported as
 * not found.
 */
static ngx_int_t
ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    size_t                       n;
    ngx_str_t                    value;
    ngx_ssl_variable_handler_pt  get;

    if (!r->connection->ssl) {
        v->not_found = 1;
        return NGX_OK;
    }

    get = (ngx_ssl_variable_handler_pt) data;
    (void) get(r->connection, NULL, &value);

    /* value.len is not used; count up to the terminating NUL ourselves */
    n = 0;
    while (value.data[n] != '\0') {
        n++;
    }

    v->data = value.data;
    v->len = n;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
263 | |
264 | |
/*
 * Getter for the $ssl_* variables whose accessor may allocate: "data"
 * carries an ngx_ssl_variable_handler_pt which is given r->pool.  An
 * accessor failure propagates as NGX_ERROR without touching *v.  An empty
 * result, like a non-SSL connection, is reported as not found (v->len and
 * v->data are still set to what the accessor produced in that case, as in
 * the original implementation).
 */
static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_str_t                    value;
    ngx_ssl_variable_handler_pt  get;

    if (!r->connection->ssl) {
        goto not_found;
    }

    get = (ngx_ssl_variable_handler_pt) data;

    if (get(r->connection, r->pool, &value) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = value.len;
    v->data = value.data;

    if (v->len == 0) {
        goto not_found;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;

not_found:

    v->not_found = 1;

    return NGX_OK;
}
295 | |
296 | |
/*
 * Preconfiguration hook: register every entry of ngx_http_ssl_vars with the
 * core variables table, copying the getter and its data pointer.  The
 * table is terminated by an entry with an empty name.  Returns NGX_ERROR
 * if ngx_http_add_variable() fails for any entry.
 */
static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t *cf)
{
    size_t                i;
    ngx_http_variable_t  *src, *dst;

    for (i = 0; ngx_http_ssl_vars[i].name.len != 0; i++) {
        src = &ngx_http_ssl_vars[i];

        dst = ngx_http_add_variable(cf, &src->name, src->flags);
        if (dst == NULL) {
            return NGX_ERROR;
        }

        dst->get_handler = src->get_handler;
        dst->data = src->data;
    }

    return NGX_OK;
}
314 | |
315 | |
/*
 * Allocate the per-server{} configuration.  ngx_pcalloc() zeroes it, and
 * zero is the intended "unset" state for the protocols bitmask, the
 * ngx_str_t file names (certificate, certificate_key, dhparam, ecdh_curve,
 * client_certificate, trusted_certificate, crl, ciphers) and shm_zone.
 * The scalar options are set to the NGX_CONF_UNSET* markers instead so
 * that ngx_http_ssl_merge_srv_conf() can tell "not set at this level"
 * from an explicit 0/off.  Returns NULL on allocation failure.
 */
static void *
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
{
    ngx_http_ssl_srv_conf_t  *conf;

    conf = ngx_pcalloc(cf->pool, sizeof(*conf));
    if (conf == NULL) {
        return NULL;
    }

    /* signed flag/number slots */
    conf->enable = NGX_CONF_UNSET;
    conf->builtin_session_cache = NGX_CONF_UNSET;
    conf->session_timeout = NGX_CONF_UNSET;
    conf->prefer_server_ciphers = NGX_CONF_UNSET;

    /* unsigned slots use the _UINT marker */
    conf->verify_depth = NGX_CONF_UNSET_UINT;
    conf->verify = NGX_CONF_UNSET_UINT;

    return conf;
}
350 |
351 |
501 | 352 static char * |
353 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | |
354 { |
355 ngx_http_ssl_srv_conf_t *prev = parent; |
356 ngx_http_ssl_srv_conf_t *conf = child; |
357 |
563 | 358 ngx_pool_cleanup_t *cln; |
359 | |
360 if (conf->enable == NGX_CONF_UNSET) { |
361 if (prev->enable == NGX_CONF_UNSET) { |
362 conf->enable = 0; |
363 |
364 } else { |
365 conf->enable = prev->enable; |
366 conf->file = prev->file; |
367 conf->line = prev->line; |
368 } |
369 } |
370 |
573 | 371 ngx_conf_merge_value(conf->session_timeout, |
372 prev->session_timeout, 300); | |
373 | |
547 | 374 ngx_conf_merge_value(conf->prefer_server_ciphers, |
375 prev->prefer_server_ciphers, 0); | |
376 | |
377 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
378 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
379 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | 380 |
2123 | 381 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
382 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); | |
647 | 383 |
2224 | 384 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
385 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
386 |
2044 | 387 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
388 | |
647 | 389 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
390 ""); | |
391 ngx_conf_merge_str_value(conf->trusted_certificate, |
392 prev->trusted_certificate, ""); |
2995 | 393 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
647 | 394 |
3960 | 395 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
396 NGX_DEFAULT_ECDH_CURVE); | |
397 | |
2124 | 398 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
479 | 399 |
400 | |
547 | 401 conf->ssl.log = cf->log; |
402 |
2224 | 403 if (conf->enable) { |
404 | |
405 if (conf->certificate.len == 0) { | |
406 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
407 "no \"ssl_certificate\" is defined for " | |
408 "the \"ssl\" directive in %s:%ui", | |
409 conf->file, conf->line); | |
410 return NGX_CONF_ERROR; | |
411 } | |
412 | |
413 if (conf->certificate_key.len == 0) { | |
414 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
415 "no \"ssl_certificate_key\" is defined for " | |
416 "the \"ssl\" directive in %s:%ui", | |
417 conf->file, conf->line); | |
418 return NGX_CONF_ERROR; | |
419 } | |
420 | |
421 } else { | |
422 | |
423 if (conf->certificate.len == 0) { | |
424 return NGX_CONF_OK; | |
425 } | |
426 | |
427 if (conf->certificate_key.len == 0) { | |
428 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
429 "no \"ssl_certificate_key\" is defined " | |
430 "for certificate \"%V\"", &conf->certificate); | |
431 return NGX_CONF_ERROR; | |
432 } | |
433 } | |
434 | |
969 | 435 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
436 return NGX_CONF_ERROR; |
437 } |
438 |
1219 | 439 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
440 | |
441 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | |
442 ngx_http_ssl_servername) | |
443 == 0) | |
444 { | |
445 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
3209 | 446 "nginx was built with SNI support, however, now it is linked " |
447 "dynamically to an OpenSSL library which has no tlsext support, " |
448 "therefore SNI is not available"); |
1219 | 449 } |
450 | |
451 #endif | |
452 | |
563 | 453 cln = ngx_pool_cleanup_add(cf->pool, 0); |
454 if (cln == NULL) { | |
509 | 455 return NGX_CONF_ERROR; |
456 } | |
457 | |
563 | 458 cln->handler = ngx_ssl_cleanup_ctx; |
459 cln->data = &conf->ssl; | |
460 | |
461 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
970 | 462 &conf->certificate_key) |
463 != NGX_OK) | |
529 | 464 { |
465 return NGX_CONF_ERROR; |
466 } |
467 |
547 | 468 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
563 | 469 (const char *) conf->ciphers.data) |
470 == 0) | |
529 | 471 { |
472 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
547 | 473 "SSL_CTX_set_cipher_list(\"%V\") failed", |
474 &conf->ciphers); | |
475 } | |
476 | |
647 | 477 if (conf->verify) { |
2123 | 478 |
479 if (conf->client_certificate.len == 0) { | |
480 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
481 "no ssl_client_certificate for ssl_client_verify"); | |
482 return NGX_CONF_ERROR; | |
483 } | |
484 | |
671 | 485 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
970 | 486 &conf->client_certificate, |
487 conf->verify_depth) | |
671 | 488 != NGX_OK) |
489 { | |
490 return NGX_CONF_ERROR; | |
647 | 491 } |
492 } |
2995 | 493 |
494 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
495 &conf->trusted_certificate, |
496 conf->verify_depth) |
497 != NGX_OK) |
498 { |
499 return NGX_CONF_ERROR; |
500 } |
501 |
502 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
503 return NGX_CONF_ERROR; |
647 | 504 } |
505 | |
547 | 506 if (conf->prefer_server_ciphers) { |
507 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
508 } | |
509 | |
510 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | |
511 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
512 |
2044 | 513 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
514 return NGX_CONF_ERROR; | |
515 } | |
516 | |
3960 | 517 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
518 return NGX_CONF_ERROR; | |
519 } | |
520 | |
973 | 521 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 522 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
973 | 523 |
524 if (conf->shm_zone == NULL) { | |
525 conf->shm_zone = prev->shm_zone; | |
526 } | |
527 | |
528 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, |
529 conf->builtin_session_cache, |
530 conf->shm_zone, conf->session_timeout) |
531 != NGX_OK) |
973 | 532 { |
533 return NGX_CONF_ERROR; |
973 | 534 } |
573 | 535 |
536 return NGX_CONF_OK; |
537 } |
563 | 538 |
539 | |
/*
 * Handler for the "ssl" flag directive.
 *
 * Delegates the on/off parsing to ngx_conf_set_flag_slot() and, when that
 * succeeds, records the configuration file name and line number at which
 * the directive appeared in the server configuration (sscf->file,
 * sscf->line).
 *
 * Returns NGX_CONF_OK, or whatever error ngx_conf_set_flag_slot() returned.
 */
static char *
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t  *sscf = conf;
    char                     *rc;

    rc = ngx_conf_set_flag_slot(cf, cmd, conf);

    if (rc == NGX_CONF_OK) {
        /* remember where the directive was set */
        sscf->file = cf->conf_file->file.name.data;
        sscf->line = cf->conf_file->line;
    }

    return rc;
}
558 | |
559 | |
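/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Each argument is one of:
 *   off             - sets builtin_session_cache to NGX_SSL_NO_SCACHE;
 *   none            - sets it to NGX_SSL_NONE_SCACHE;
 *   builtin         - sets it to NGX_SSL_DFLT_BUILTIN_SCACHE;
 *   builtin:N       - sets it to N, parsed with ngx_atoi();
 *   shared:name:sz  - registers a shared memory zone "name" of size "sz"
 *                     (parsed with ngx_parse_size(), at least 8 pages)
 *                     via ngx_shared_memory_add() and installs
 *                     ngx_ssl_session_cache_init as its init callback.
 *
 * If a shared zone was configured and no builtin variant was given,
 * builtin_session_cache is set to NGX_SSL_NO_BUILTIN_SCACHE.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging the offending
 * argument at NGX_LOG_EMERG.
 */
static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        /* "builtin:N": the length check guarantees at least one digit */

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            sscf->builtin_session_cache = n;

            continue;
        }

        /* "shared:name:size" */

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            len = 0;

            /* find the ':' separating name from size; NUL-terminate name */

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    value[i].data[j] = '\0';
                    break;
                }

                len++;
            }

            /*
             * Reject an empty name, and also "shared:name" with no ":size"
             * part: in that case j == value[i].len, and the size.len
             * computation below would underflow and make ngx_parse_size()
             * read past the end of the argument.
             */

            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_http_ssl_module);
            if (sscf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            sscf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
        sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}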