Mercurial > hg > nginx
annotate src/stream/ngx_stream_ssl_module.c @ 7401:a7ff19afbb14
Negative size buffers detection.
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.
While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 26 Nov 2018 18:29:56 +0300 |
| parents | 7f955d3b9a0d |
| children | e970de27966a |
| rev | line source |
|---|---|
| 6115 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4 * Copyright (C) Nginx, Inc. | |
| 5 */ | |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 10 #include <ngx_stream.h> | |
| 11 | |
| 12 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
14 ngx_pool_t *pool, ngx_str_t *s); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
15 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
16 |
| 6115 | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
18 #define NGX_DEFAULT_ECDH_CURVE "auto" |
| 6115 | 19 |
| 20 | |
| 6693 | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
| 22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | |
| 23 ngx_connection_t *c); | |
| 24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
25 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
26 ngx_stream_variable_value_t *v, uintptr_t data); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
27 static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
28 ngx_stream_variable_value_t *v, uintptr_t data); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
29 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
30 static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf); |
| 6115 | 31 static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf); |
| 32 static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, | |
| 33 void *child); | |
| 34 | |
| 35 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 36 void *conf); | |
| 37 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 38 void *conf); | |
| 6693 | 39 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf); |
| 6115 | 40 |
| 41 | |
| 42 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = { | |
| 43 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
| 44 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 45 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
| 46 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
| 47 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
|
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6871
diff
changeset
|
48 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 }, |
| 6115 | 49 { ngx_null_string, 0 } |
| 50 }; | |
| 51 | |
| 52 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
53 static ngx_conf_enum_t ngx_stream_ssl_verify[] = { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
54 { ngx_string("off"), 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
55 { ngx_string("on"), 1 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
56 { ngx_string("optional"), 2 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
57 { ngx_string("optional_no_ca"), 3 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
58 { ngx_null_string, 0 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
59 }; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
60 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
61 |
| 6115 | 62 static ngx_command_t ngx_stream_ssl_commands[] = { |
| 63 | |
| 64 { ngx_string("ssl_handshake_timeout"), | |
| 65 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 66 ngx_conf_set_msec_slot, | |
| 67 NGX_STREAM_SRV_CONF_OFFSET, | |
| 68 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), | |
| 69 NULL }, | |
| 70 | |
| 71 { ngx_string("ssl_certificate"), | |
| 72 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
73 ngx_conf_set_str_array_slot, |
| 6115 | 74 NGX_STREAM_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
75 offsetof(ngx_stream_ssl_conf_t, certificates), |
| 6115 | 76 NULL }, |
| 77 | |
| 78 { ngx_string("ssl_certificate_key"), | |
| 79 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
80 ngx_conf_set_str_array_slot, |
| 6115 | 81 NGX_STREAM_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
82 offsetof(ngx_stream_ssl_conf_t, certificate_keys), |
| 6115 | 83 NULL }, |
| 84 | |
| 85 { ngx_string("ssl_password_file"), | |
| 86 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 87 ngx_stream_ssl_password_file, | |
| 88 NGX_STREAM_SRV_CONF_OFFSET, | |
| 89 0, | |
| 90 NULL }, | |
| 91 | |
| 92 { ngx_string("ssl_dhparam"), | |
| 93 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 94 ngx_conf_set_str_slot, | |
| 95 NGX_STREAM_SRV_CONF_OFFSET, | |
| 96 offsetof(ngx_stream_ssl_conf_t, dhparam), | |
| 97 NULL }, | |
| 98 | |
| 99 { ngx_string("ssl_ecdh_curve"), | |
| 100 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 101 ngx_conf_set_str_slot, | |
| 102 NGX_STREAM_SRV_CONF_OFFSET, | |
| 103 offsetof(ngx_stream_ssl_conf_t, ecdh_curve), | |
| 104 NULL }, | |
| 105 | |
| 106 { ngx_string("ssl_protocols"), | |
| 107 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, | |
| 108 ngx_conf_set_bitmask_slot, | |
| 109 NGX_STREAM_SRV_CONF_OFFSET, | |
| 110 offsetof(ngx_stream_ssl_conf_t, protocols), | |
| 111 &ngx_stream_ssl_protocols }, | |
| 112 | |
| 113 { ngx_string("ssl_ciphers"), | |
| 114 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 115 ngx_conf_set_str_slot, | |
| 116 NGX_STREAM_SRV_CONF_OFFSET, | |
| 117 offsetof(ngx_stream_ssl_conf_t, ciphers), | |
| 118 NULL }, | |
| 119 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
120 { ngx_string("ssl_verify_client"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
121 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
122 ngx_conf_set_enum_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
123 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
124 offsetof(ngx_stream_ssl_conf_t, verify), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
125 &ngx_stream_ssl_verify }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
126 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
127 { ngx_string("ssl_verify_depth"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
128 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
129 ngx_conf_set_num_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
130 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
131 offsetof(ngx_stream_ssl_conf_t, verify_depth), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
132 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
133 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
134 { ngx_string("ssl_client_certificate"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
135 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
136 ngx_conf_set_str_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
137 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
138 offsetof(ngx_stream_ssl_conf_t, client_certificate), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
139 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
140 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
141 { ngx_string("ssl_trusted_certificate"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
142 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
143 ngx_conf_set_str_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
144 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
145 offsetof(ngx_stream_ssl_conf_t, trusted_certificate), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
146 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
147 |
| 6115 | 148 { ngx_string("ssl_prefer_server_ciphers"), |
| 149 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
| 150 ngx_conf_set_flag_slot, | |
| 151 NGX_STREAM_SRV_CONF_OFFSET, | |
| 152 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers), | |
| 153 NULL }, | |
| 154 | |
| 155 { ngx_string("ssl_session_cache"), | |
| 156 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12, | |
| 157 ngx_stream_ssl_session_cache, | |
| 158 NGX_STREAM_SRV_CONF_OFFSET, | |
| 159 0, | |
| 160 NULL }, | |
| 161 | |
| 162 { ngx_string("ssl_session_tickets"), | |
| 163 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
| 164 ngx_conf_set_flag_slot, | |
| 165 NGX_STREAM_SRV_CONF_OFFSET, | |
| 166 offsetof(ngx_stream_ssl_conf_t, session_tickets), | |
| 167 NULL }, | |
| 168 | |
| 169 { ngx_string("ssl_session_ticket_key"), | |
| 170 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 171 ngx_conf_set_str_array_slot, | |
| 172 NGX_STREAM_SRV_CONF_OFFSET, | |
| 173 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys), | |
| 174 NULL }, | |
| 175 | |
| 176 { ngx_string("ssl_session_timeout"), | |
| 177 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 178 ngx_conf_set_sec_slot, | |
| 179 NGX_STREAM_SRV_CONF_OFFSET, | |
| 180 offsetof(ngx_stream_ssl_conf_t, session_timeout), | |
| 181 NULL }, | |
| 182 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
183 { ngx_string("ssl_crl"), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
184 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
185 ngx_conf_set_str_slot, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
186 NGX_STREAM_SRV_CONF_OFFSET, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
187 offsetof(ngx_stream_ssl_conf_t, crl), |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
188 NULL }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
189 |
| 6115 | 190 ngx_null_command |
| 191 }; | |
| 192 | |
| 193 | |
| 194 static ngx_stream_module_t ngx_stream_ssl_module_ctx = { | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
195 ngx_stream_ssl_add_variables, /* preconfiguration */ |
| 6693 | 196 ngx_stream_ssl_init, /* postconfiguration */ |
|
6174
68c106e6fa0a
Stream: added postconfiguration method to stream modules.
Vladimir Homutov <vl@nginx.com>
parents:
6157
diff
changeset
|
197 |
| 6115 | 198 NULL, /* create main configuration */ |
| 199 NULL, /* init main configuration */ | |
| 200 | |
| 201 ngx_stream_ssl_create_conf, /* create server configuration */ | |
| 202 ngx_stream_ssl_merge_conf /* merge server configuration */ | |
| 203 }; | |
| 204 | |
| 205 | |
| 206 ngx_module_t ngx_stream_ssl_module = { | |
| 207 NGX_MODULE_V1, | |
| 208 &ngx_stream_ssl_module_ctx, /* module context */ | |
| 209 ngx_stream_ssl_commands, /* module directives */ | |
| 210 NGX_STREAM_MODULE, /* module type */ | |
| 211 NULL, /* init master */ | |
| 212 NULL, /* init module */ | |
| 213 NULL, /* init process */ | |
| 214 NULL, /* init thread */ | |
| 215 NULL, /* exit thread */ | |
| 216 NULL, /* exit process */ | |
| 217 NULL, /* exit master */ | |
| 218 NGX_MODULE_V1_PADDING | |
| 219 }; | |
| 220 | |
| 221 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
222 static ngx_stream_variable_t ngx_stream_ssl_vars[] = { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
223 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
224 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
225 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
226 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
227 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
228 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
229 |
|
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
230 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable, |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
231 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
232 |
|
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
233 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable, |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
234 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
235 |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
236 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
237 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
238 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
239 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
240 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
241 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
242 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
243 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
244 |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
245 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
246 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
247 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
248 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
249 (uintptr_t) ngx_ssl_get_raw_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
250 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
251 |
|
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
252 { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable, |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
253 (uintptr_t) ngx_ssl_get_escaped_certificate, |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
254 NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7077
diff
changeset
|
255 |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
256 { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
257 (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
258 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
259 { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
260 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
261 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
262 { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
263 (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
264 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
265 { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
266 (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
267 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
268 { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
269 (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
270 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
271 { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
272 (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
273 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
274 { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
275 (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
276 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
277 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
278 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
279 |
|
7077
2a288909abc6
Variables: macros for null variables.
Ruslan Ermilov <ru@nginx.com>
parents:
7009
diff
changeset
|
280 ngx_stream_null_variable |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
281 }; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
282 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
283 |
| 6115 | 284 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM"); |
| 285 | |
| 286 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
287 static ngx_int_t |
| 6693 | 288 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
| 289 { | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
290 long rc; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
291 X509 *cert; |
|
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
292 ngx_int_t rv; |
| 6693 | 293 ngx_connection_t *c; |
| 294 ngx_stream_ssl_conf_t *sslcf; | |
| 295 | |
|
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
296 if (!s->ssl) { |
|
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
297 return NGX_OK; |
|
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
298 } |
|
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
299 |
| 6693 | 300 c = s->connection; |
| 301 | |
| 302 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
| 303 | |
|
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
304 if (c->ssl == NULL) { |
| 6693 | 305 c->log->action = "SSL handshaking"; |
| 306 | |
|
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
307 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
308 |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
309 if (rv != NGX_OK) { |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
310 return rv; |
|
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
311 } |
| 6693 | 312 } |
| 313 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
314 if (sslcf->verify) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
315 rc = SSL_get_verify_result(c->ssl->connection); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
316 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
317 if (rc != X509_V_OK |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
318 && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
319 { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
320 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
321 "client SSL certificate verify error: (%l:%s)", |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
322 rc, X509_verify_cert_error_string(rc)); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
323 |
|
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
324 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
325 (SSL_get0_session(c->ssl->connection))); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
326 return NGX_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
327 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
328 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
329 if (sslcf->verify == 1) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
330 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
331 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
332 if (cert == NULL) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
333 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
334 "client sent no required SSL certificate"); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
335 |
|
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
336 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
337 (SSL_get0_session(c->ssl->connection))); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
338 return NGX_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
339 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
340 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
341 X509_free(cert); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
342 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
343 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
344 |
| 6693 | 345 return NGX_OK; |
| 346 } | |
| 347 | |
| 348 | |
| 349 static ngx_int_t | |
| 350 ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c) | |
| 351 { | |
|
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
352 ngx_int_t rc; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
353 ngx_stream_session_t *s; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
354 ngx_stream_ssl_conf_t *sslcf; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
355 ngx_stream_core_srv_conf_t *cscf; |
| 6693 | 356 |
| 357 s = c->data; | |
| 358 | |
|
7008
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
359 cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module); |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
360 |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
361 if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) { |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
362 return NGX_ERROR; |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
363 } |
|
29c6d66b83ba
SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6981
diff
changeset
|
364 |
|
7009
03444167a3bb
Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7008
diff
changeset
|
365 if (ngx_ssl_create_connection(ssl, c, 0) != NGX_OK) { |
| 6693 | 366 return NGX_ERROR; |
| 367 } | |
| 368 | |
| 369 rc = ngx_ssl_handshake(c); | |
| 370 | |
| 371 if (rc == NGX_ERROR) { | |
| 372 return NGX_ERROR; | |
| 373 } | |
| 374 | |
| 375 if (rc == NGX_AGAIN) { | |
| 376 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
| 377 | |
| 378 ngx_add_timer(c->read, sslcf->handshake_timeout); | |
| 379 | |
| 380 c->ssl->handler = ngx_stream_ssl_handshake_handler; | |
| 381 | |
| 382 return NGX_AGAIN; | |
| 383 } | |
| 384 | |
| 385 /* rc == NGX_OK */ | |
| 386 | |
| 387 return NGX_OK; | |
| 388 } | |
| 389 | |
| 390 | |
| 391 static void | |
| 392 ngx_stream_ssl_handshake_handler(ngx_connection_t *c) | |
| 393 { | |
| 394 ngx_stream_session_t *s; | |
| 395 | |
| 396 s = c->data; | |
| 397 | |
| 398 if (!c->ssl->handshaked) { | |
| 399 ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | |
| 400 return; | |
| 401 } | |
| 402 | |
| 403 if (c->read->timer_set) { | |
| 404 ngx_del_timer(c->read); | |
| 405 } | |
| 406 | |
| 407 ngx_stream_core_run_phases(s); | |
| 408 } | |
| 409 | |
| 410 | |
| 411 static ngx_int_t | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
412 ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
413 ngx_stream_variable_value_t *v, uintptr_t data) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
414 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
415 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
416 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
417 size_t len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
418 ngx_str_t str; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
419 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
420 if (s->connection->ssl) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
421 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
422 (void) handler(s->connection, NULL, &str); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
423 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
424 v->data = str.data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
425 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
426 for (len = 0; v->data[len]; len++) { /* void */ } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
427 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
428 v->len = len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
429 v->valid = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
430 v->no_cacheable = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
431 v->not_found = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
432 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
433 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
434 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
435 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
436 v->not_found = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
437 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
438 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
439 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
440 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
441 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
442 static ngx_int_t |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
443 ngx_stream_ssl_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
444 ngx_stream_variable_value_t *v, uintptr_t data) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
445 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
446 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
447 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
448 ngx_str_t str; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
449 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
450 if (s->connection->ssl) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
451 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
452 if (handler(s->connection, s->connection->pool, &str) != NGX_OK) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
453 return NGX_ERROR; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
454 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
455 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
456 v->len = str.len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
457 v->data = str.data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
458 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
459 if (v->len) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
460 v->valid = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
461 v->no_cacheable = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
462 v->not_found = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
463 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
464 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
465 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
466 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
467 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
468 v->not_found = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
469 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
470 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
471 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
472 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
473 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
474 static ngx_int_t |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
475 ngx_stream_ssl_add_variables(ngx_conf_t *cf) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
476 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
477 ngx_stream_variable_t *var, *v; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
478 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
479 for (v = ngx_stream_ssl_vars; v->name.len; v++) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
480 var = ngx_stream_add_variable(cf, &v->name, v->flags); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
481 if (var == NULL) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
482 return NGX_ERROR; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
483 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
484 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
485 var->get_handler = v->get_handler; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
486 var->data = v->data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
487 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
488 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
489 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
490 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
491 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
492 |
| 6115 | 493 static void * |
| 494 ngx_stream_ssl_create_conf(ngx_conf_t *cf) | |
| 495 { | |
| 496 ngx_stream_ssl_conf_t *scf; | |
| 497 | |
| 498 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t)); | |
| 499 if (scf == NULL) { | |
| 500 return NULL; | |
| 501 } | |
| 502 | |
| 503 /* | |
| 504 * set by ngx_pcalloc(): | |
| 505 * | |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
506 * scf->listen = 0; |
| 6115 | 507 * scf->protocols = 0; |
| 508 * scf->dhparam = { 0, NULL }; | |
| 509 * scf->ecdh_curve = { 0, NULL }; | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
510 * scf->client_certificate = { 0, NULL }; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
511 * scf->trusted_certificate = { 0, NULL }; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
512 * scf->crl = { 0, NULL }; |
| 6115 | 513 * scf->ciphers = { 0, NULL }; |
| 514 * scf->shm_zone = NULL; | |
| 515 */ | |
| 516 | |
| 517 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
518 scf->certificates = NGX_CONF_UNSET_PTR; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
519 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
| 6115 | 520 scf->passwords = NGX_CONF_UNSET_PTR; |
| 521 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
522 scf->verify = NGX_CONF_UNSET_UINT; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
523 scf->verify_depth = NGX_CONF_UNSET_UINT; |
| 6115 | 524 scf->builtin_session_cache = NGX_CONF_UNSET; |
| 525 scf->session_timeout = NGX_CONF_UNSET; | |
| 526 scf->session_tickets = NGX_CONF_UNSET; | |
| 527 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; | |
| 528 | |
| 529 return scf; | |
| 530 } | |
| 531 | |
| 532 | |
| 533 static char * | |
| 534 ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
| 535 { | |
| 536 ngx_stream_ssl_conf_t *prev = parent; | |
| 537 ngx_stream_ssl_conf_t *conf = child; | |
| 538 | |
| 539 ngx_pool_cleanup_t *cln; | |
| 540 | |
| 541 ngx_conf_merge_msec_value(conf->handshake_timeout, | |
| 542 prev->handshake_timeout, 60000); | |
| 543 | |
| 544 ngx_conf_merge_value(conf->session_timeout, | |
| 545 prev->session_timeout, 300); | |
| 546 | |
| 547 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
| 548 prev->prefer_server_ciphers, 0); | |
| 549 | |
| 550 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6115
diff
changeset
|
551 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
| 6115 | 552 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 553 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
554 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
555 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
556 |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
557 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
558 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
559 NULL); |
| 6115 | 560 |
| 561 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | |
| 562 | |
| 563 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | |
| 564 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
565 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
566 ""); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
567 ngx_conf_merge_str_value(conf->trusted_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
568 prev->trusted_certificate, ""); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
569 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
570 |
| 6115 | 571 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 572 NGX_DEFAULT_ECDH_CURVE); | |
| 573 | |
| 574 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | |
| 575 | |
| 576 | |
| 577 conf->ssl.log = cf->log; | |
| 578 | |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
579 if (!conf->listen) { |
| 6115 | 580 return NGX_CONF_OK; |
| 581 } | |
| 582 | |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
583 if (conf->certificates == NULL) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
584 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
585 "no \"ssl_certificate\" is defined for " |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
586 "the \"listen ... ssl\" directive in %s:%ui", |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
587 conf->file, conf->line); |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
588 return NGX_CONF_ERROR; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
589 } |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
590 |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
591 if (conf->certificate_keys == NULL) { |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
592 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
593 "no \"ssl_certificate_key\" is defined for " |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
594 "the \"listen ... ssl\" directive in %s:%ui", |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
595 conf->file, conf->line); |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
596 return NGX_CONF_ERROR; |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
597 } |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
598 |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
599 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
| 6115 | 600 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 601 "no \"ssl_certificate_key\" is defined " | |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
602 "for certificate \"%V\" and " |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
603 "the \"listen ... ssl\" directive in %s:%ui", |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
604 ((ngx_str_t *) conf->certificates->elts) |
|
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
605 + conf->certificates->nelts - 1, |
|
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7193
diff
changeset
|
606 conf->file, conf->line); |
| 6115 | 607 return NGX_CONF_ERROR; |
| 608 } | |
| 609 | |
| 610 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | |
| 611 return NGX_CONF_ERROR; | |
| 612 } | |
| 613 | |
| 614 cln = ngx_pool_cleanup_add(cf->pool, 0); | |
| 615 if (cln == NULL) { | |
| 616 return NGX_CONF_ERROR; | |
| 617 } | |
| 618 | |
| 619 cln->handler = ngx_ssl_cleanup_ctx; | |
| 620 cln->data = &conf->ssl; | |
| 621 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
622 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
623 conf->certificate_keys, conf->passwords) |
| 6115 | 624 != NGX_OK) |
| 625 { | |
| 626 return NGX_CONF_ERROR; | |
| 627 } | |
| 628 | |
|
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
629 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
630 conf->prefer_server_ciphers) |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
631 != NGX_OK) |
| 6115 | 632 { |
| 633 return NGX_CONF_ERROR; | |
| 634 } | |
| 635 | |
|
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
636 if (conf->verify) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
637 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
638 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
639 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
640 "no ssl_client_certificate for ssl_client_verify"); |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
641 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
642 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
643 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
644 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
645 &conf->client_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
646 conf->verify_depth) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
647 != NGX_OK) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
648 { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
649 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
650 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
651 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
652 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
653 &conf->trusted_certificate, |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
654 conf->verify_depth) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
655 != NGX_OK) |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
656 { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
657 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
658 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
659 |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
660 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
661 return NGX_CONF_ERROR; |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
662 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
663 } |
|
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
664 |
| 6115 | 665 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 666 return NGX_CONF_ERROR; | |
| 667 } | |
| 668 | |
| 669 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | |
| 670 return NGX_CONF_ERROR; | |
| 671 } | |
| 672 | |
| 673 ngx_conf_merge_value(conf->builtin_session_cache, | |
| 674 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | |
| 675 | |
| 676 if (conf->shm_zone == NULL) { | |
| 677 conf->shm_zone = prev->shm_zone; | |
| 678 } | |
| 679 | |
| 680 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, | |
| 681 conf->builtin_session_cache, | |
| 682 conf->shm_zone, conf->session_timeout) | |
| 683 != NGX_OK) | |
| 684 { | |
| 685 return NGX_CONF_ERROR; | |
| 686 } | |
| 687 | |
| 688 ngx_conf_merge_value(conf->session_tickets, | |
| 689 prev->session_tickets, 1); | |
| 690 | |
| 691 #ifdef SSL_OP_NO_TICKET | |
| 692 if (!conf->session_tickets) { | |
| 693 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
| 694 } | |
| 695 #endif | |
| 696 | |
| 697 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
| 698 prev->session_ticket_keys, NULL); | |
| 699 | |
| 700 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
| 701 != NGX_OK) | |
| 702 { | |
| 703 return NGX_CONF_ERROR; | |
| 704 } | |
| 705 | |
| 706 return NGX_CONF_OK; | |
| 707 } | |
| 708 | |
| 709 | |
| 710 static char * | |
| 711 ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 712 { | |
| 713 ngx_stream_ssl_conf_t *scf = conf; | |
| 714 | |
| 715 ngx_str_t *value; | |
| 716 | |
| 717 if (scf->passwords != NGX_CONF_UNSET_PTR) { | |
| 718 return "is duplicate"; | |
| 719 } | |
| 720 | |
| 721 value = cf->args->elts; | |
| 722 | |
| 723 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); | |
| 724 | |
| 725 if (scf->passwords == NULL) { | |
| 726 return NGX_CONF_ERROR; | |
| 727 } | |
| 728 | |
| 729 return NGX_CONF_OK; | |
| 730 } | |
| 731 | |
| 732 | |
| 733 static char * | |
| 734 ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 735 { | |
| 736 ngx_stream_ssl_conf_t *scf = conf; | |
| 737 | |
| 738 size_t len; | |
| 739 ngx_str_t *value, name, size; | |
| 740 ngx_int_t n; | |
| 741 ngx_uint_t i, j; | |
| 742 | |
| 743 value = cf->args->elts; | |
| 744 | |
| 745 for (i = 1; i < cf->args->nelts; i++) { | |
| 746 | |
| 747 if (ngx_strcmp(value[i].data, "off") == 0) { | |
| 748 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 749 continue; | |
| 750 } | |
| 751 | |
| 752 if (ngx_strcmp(value[i].data, "none") == 0) { | |
| 753 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 754 continue; | |
| 755 } | |
| 756 | |
| 757 if (ngx_strcmp(value[i].data, "builtin") == 0) { | |
| 758 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 759 continue; | |
| 760 } | |
| 761 | |
| 762 if (value[i].len > sizeof("builtin:") - 1 | |
| 763 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 764 == 0) | |
| 765 { | |
| 766 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 767 value[i].len - (sizeof("builtin:") - 1)); | |
| 768 | |
| 769 if (n == NGX_ERROR) { | |
| 770 goto invalid; | |
| 771 } | |
| 772 | |
| 773 scf->builtin_session_cache = n; | |
| 774 | |
| 775 continue; | |
| 776 } | |
| 777 | |
| 778 if (value[i].len > sizeof("shared:") - 1 | |
| 779 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 780 == 0) | |
| 781 { | |
| 782 len = 0; | |
| 783 | |
| 784 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 785 if (value[i].data[j] == ':') { | |
| 786 break; | |
| 787 } | |
| 788 | |
| 789 len++; | |
| 790 } | |
| 791 | |
| 792 if (len == 0) { | |
| 793 goto invalid; | |
| 794 } | |
| 795 | |
| 796 name.len = len; | |
| 797 name.data = value[i].data + sizeof("shared:") - 1; | |
| 798 | |
| 799 size.len = value[i].len - j - 1; | |
| 800 size.data = name.data + len + 1; | |
| 801 | |
| 802 n = ngx_parse_size(&size); | |
| 803 | |
| 804 if (n == NGX_ERROR) { | |
| 805 goto invalid; | |
| 806 } | |
| 807 | |
| 808 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 809 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 810 "session cache \"%V\" is too small", | |
| 811 &value[i]); | |
| 812 | |
| 813 return NGX_CONF_ERROR; | |
| 814 } | |
| 815 | |
| 816 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 817 &ngx_stream_ssl_module); | |
| 818 if (scf->shm_zone == NULL) { | |
| 819 return NGX_CONF_ERROR; | |
| 820 } | |
| 821 | |
| 822 scf->shm_zone->init = ngx_ssl_session_cache_init; | |
| 823 | |
| 824 continue; | |
| 825 } | |
| 826 | |
| 827 goto invalid; | |
| 828 } | |
| 829 | |
| 830 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 831 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 832 } | |
| 833 | |
| 834 return NGX_CONF_OK; | |
| 835 | |
| 836 invalid: | |
| 837 | |
| 838 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 839 "invalid session cache \"%V\"", &value[i]); | |
| 840 | |
| 841 return NGX_CONF_ERROR; | |
| 842 } | |
| 6693 | 843 |
| 844 | |
| 845 static ngx_int_t | |
| 846 ngx_stream_ssl_init(ngx_conf_t *cf) | |
| 847 { | |
| 848 ngx_stream_handler_pt *h; | |
| 849 ngx_stream_core_main_conf_t *cmcf; | |
| 850 | |
| 851 cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module); | |
| 852 | |
| 853 h = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers); | |
| 854 if (h == NULL) { | |
| 855 return NGX_ERROR; | |
| 856 } | |
| 857 | |
| 858 *h = ngx_stream_ssl_handler; | |
| 859 | |
| 860 return NGX_OK; | |
| 861 } |