MSIE export versions are rare now, so the 512-bit RSA key is generated on demand
and shared among all hosts instead of being pregenerated for every HTTPS host
during the configuration phase. This decreases start time for configurations with
a large number of HTTPS hosts.
1 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4 */ |
5 |
6 |
7 #include <ngx_config.h> |
8 #include <ngx_core.h> |
9 #include <ngx_http.h> |
10 |
573 | 11 |
/*
 * Signature shared by the ngx_ssl_get_*() accessors listed in
 * ngx_http_ssl_vars[]: fill *s for connection c and return NGX_OK on
 * success.  pool is NULL when the caller wants a static, NUL-terminated
 * string (ngx_http_ssl_static_variable) and r->pool when the value has to
 * be allocated (ngx_http_ssl_variable).
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);
611 | 14 |
15 | |
/*
 * Default for "ssl_ciphers" (applied in ngx_http_ssl_merge_srv_conf):
 * HIGH-strength suites only, with anonymous (!aNULL) suites and suites
 * using MD5 excluded.
 */
#define NGX_DEFAULT_CIPHERS  "HIGH:!aNULL:!MD5"
17 |
18 |
/* $ssl_* variable getters; ngx_http_ssl_vars[] says which one each uses */
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
    void *parent, void *child);

/* directive handlers for "ssl" and "ssl_session_cache" */
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
34 |
/*
 * Values accepted by "ssl_protocols".  The merge default enables only
 * SSLv3 and TLSv1 (see ngx_http_ssl_merge_srv_conf); SSLv2 is available
 * here but has to be listed explicitly to be enabled.
 */
static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_null_string, 0 }
};
41 | |
42 | |
/*
 * Values accepted by "ssl_verify_client".  Any non-zero value makes
 * ngx_http_ssl_merge_srv_conf require "ssl_client_certificate" and load
 * it together with "ssl_crl".
 */
static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_null_string, 0 }
};
49 | |
50 | |
/*
 * Directives of the module.  All of them live in the per-server
 * configuration (ngx_http_ssl_srv_conf_t) and may also be set at the http
 * level to be inherited by every server.
 */
static ngx_command_t  ngx_http_ssl_commands[] = {

    /* custom handler: records file/line so merge_srv_conf can point at it */
    { ngx_string("ssl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_http_ssl_enable,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, enable),
      NULL },

    { ngx_string("ssl_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
      NULL },

    /* bitmask over ngx_http_ssl_protocols[] */
    { ngx_string("ssl_protocols"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, protocols),
      &ngx_http_ssl_protocols },

    /* OpenSSL cipher string, defaults to NGX_DEFAULT_CIPHERS */
    { ngx_string("ssl_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ciphers),
      NULL },

    /* off/on/optional via ngx_http_ssl_verify[]; NGX_CONF_FLAG here still
     * means "one argument", presumably kept from when this was a flag */
    { ngx_string("ssl_verify_client"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_enum_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify),
      &ngx_http_ssl_verify },

    /* NOTE(review): declared NGX_CONF_1MORE although the number slot uses a
     * single value; extra arguments are presumably ignored rather than
     * rejected — NGX_CONF_TAKE1 would be stricter.  Confirm before changing. */
    { ngx_string("ssl_verify_depth"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_num_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
      NULL },

    /* trusted CA bundle for client certificates; required when verify != off */
    { ngx_string("ssl_client_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
      NULL },

    /* custom handler: parses off/none/builtin[:N]/shared:NAME:SIZE */
    { ngx_string("ssl_session_cache"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
      ngx_http_ssl_session_cache,
      NGX_HTTP_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
      NULL },

    /* revocation list, loaded only when client verification is enabled */
    { ngx_string("ssl_crl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, crl),
      NULL },

      ngx_null_command
};
/*
 * Module context: the module keeps only per-server configuration and
 * registers its $ssl_* variables in the preconfiguration hook.
 */
static ngx_http_module_t  ngx_http_ssl_module_ctx = {
    ngx_http_ssl_add_variables,            /* preconfiguration */
    NULL,                                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_http_ssl_create_srv_conf,          /* create server configuration */
    ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

    NULL,                                  /* create location configuration */
    NULL                                   /* merge location configuration */
};
/* module descriptor; no process-lifecycle hooks are needed */
ngx_module_t  ngx_http_ssl_module = {
    NGX_MODULE_V1,
    &ngx_http_ssl_module_ctx,              /* module context */
    ngx_http_ssl_commands,                 /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
/*
 * Variables registered by ngx_http_ssl_add_variables().  The data field
 * carries the ngx_ssl_get_*() accessor the getter calls; all variables
 * read as "not found" on plain (non-SSL) connections.
 *
 * NOTE(review): with ssl_verify_client off nothing in this file asks the
 * peer for a certificate, so the ssl_client_* values are presumably empty
 * (hence not found) in that case — confirm against ngx_event_openssl.c.
 */
static ngx_http_variable_t  ngx_http_ssl_vars[] = {

    /* static OpenSSL strings: fetched without a pool, length via strlen-loop */
    { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /* per-request values built in r->pool; an empty result reads as not found */
    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_null_string, NULL, NULL, 0, 0, 0 }
};
211 | |
212 | |
/* session id context handed to ngx_ssl_session_cache() in merge_srv_conf */
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
973 | 214 |
215 | |
/*
 * Getter for variables whose accessor returns a static, NUL-terminated
 * string (ssl_protocol, ssl_cipher).  data is the ngx_ssl_get_*() accessor;
 * it is called with a NULL pool and its return value is not checked.
 *
 * NOTE(review): the two accessors wired to this getter are assumed to
 * always leave s.data pointing at a valid string — confirm in
 * ngx_event_openssl.c, since a NULL here would be dereferenced below.
 *
 * On a non-SSL connection the variable is reported as not found.
 */
static ngx_int_t
ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  get = (ngx_ssl_variable_handler_pt) data;

    u_char     *p;
    ngx_str_t   val;

    if (r->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    /* static value: no allocation, so no pool is passed */
    (void) get(r->connection, NULL, &val);

    /* the accessor does not set val.len; measure up to the terminator */
    for (p = val.data; *p; p++) { /* void */ }

    v->len = p - val.data;
    v->data = val.data;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
245 | |
246 | |
/*
 * Getter for variables whose accessor builds its value in r->pool
 * (session id, client certificate fields).  data is the ngx_ssl_get_*()
 * accessor.  Returns NGX_ERROR if the accessor fails; an empty value and
 * a non-SSL connection are both reported as "not found".
 */
static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_ssl_variable_handler_pt  get = (ngx_ssl_variable_handler_pt) data;

    ngx_str_t  val;

    if (r->connection->ssl == NULL) {
        goto not_found;
    }

    if (get(r->connection, r->pool, &val) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = val.len;
    v->data = val.data;

    if (val.len == 0) {
        goto not_found;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;

not_found:

    v->not_found = 1;

    return NGX_OK;
}
277 | |
278 | |
/*
 * Preconfiguration hook: registers every entry of ngx_http_ssl_vars[]
 * with the core variables table, copying over the getter and its data.
 * Returns NGX_ERROR if any registration fails.
 */
static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_http_variable_t  *src, *reg;

    for (src = ngx_http_ssl_vars; src->name.len != 0; src++) {
        reg = ngx_http_add_variable(cf, &src->name, src->flags);
        if (reg == NULL) {
            return NGX_ERROR;
        }

        reg->get_handler = src->get_handler;
        reg->data = src->data;
    }

    return NGX_OK;
}
296 | |
297 | |
/*
 * Allocates the per-server configuration.  Scalar settings start as
 * NGX_CONF_UNSET so that merge_srv_conf can tell "not set" from an
 * explicit value; everything else relies on the zero fill of ngx_pcalloc().
 * Returns NULL on allocation failure.
 */
static void *
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
{
    ngx_http_ssl_srv_conf_t  *conf;

    conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
    if (conf == NULL) {
        return NULL;
    }

    /*
     * zeroed by ngx_pcalloc() and left as is:
     *
     *     conf->protocols = 0;
     *     conf->certificate = { 0, NULL };
     *     conf->certificate_key = { 0, NULL };
     *     conf->dhparam = { 0, NULL };
     *     conf->client_certificate = { 0, NULL };
     *     conf->crl = { 0, NULL };
     *     conf->ciphers = { 0, NULL };
     *     conf->shm_zone = NULL;
     */

    conf->session_timeout = NGX_CONF_UNSET;
    conf->builtin_session_cache = NGX_CONF_UNSET;
    conf->verify_depth = NGX_CONF_UNSET_UINT;
    conf->verify = NGX_CONF_UNSET_UINT;
    conf->prefer_server_ciphers = NGX_CONF_UNSET;
    conf->enable = NGX_CONF_UNSET;

    return conf;
}
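/*
 * Merges the per-server SSL configuration with its parent and, when the
 * server has a certificate (or "ssl on"), builds its SSL_CTX: protocols,
 * certificate and key, cipher list, optional client verification with
 * CRL, server cipher preference, the on-demand 512-bit RSA callback,
 * DH parameters and the session cache.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging the problem.
 *
 * Fix: a cipher string that OpenSSL rejects used to be logged at EMERG
 * level and then ignored — the function went on to return NGX_CONF_OK,
 * so a typo in "ssl_ciphers" did not stop startup and the context kept
 * whatever cipher list it already had.  It is now a configuration error
 * like every other failure in this function.
 */
static char *
ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_ssl_srv_conf_t *prev = parent;
    ngx_http_ssl_srv_conf_t *conf = child;

    ngx_pool_cleanup_t  *cln;

    ngx_conf_merge_value(conf->enable, prev->enable, 0);

    ngx_conf_merge_value(conf->session_timeout,
                         prev->session_timeout, 300);

    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /* SSLv2 is never enabled by default; see ngx_http_ssl_protocols[] */
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));

    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

    ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

    ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
                         "");
    ngx_conf_merge_str_value(conf->crl, prev->crl, "");

    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);


    conf->ssl.log = cf->log;

    if (conf->enable) {

        /* "ssl on" without a certificate/key pair is a hard error; point
         * at the "ssl" directive recorded by ngx_http_ssl_enable() */

        if (conf->certificate.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate\" is defined for "
                          "the \"ssl\" directive in %s:%ui",
                          conf->file, conf->line);
            return NGX_CONF_ERROR;
        }

        if (conf->certificate_key.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate_key\" is defined for "
                          "the \"ssl\" directive in %s:%ui",
                          conf->file, conf->line);
            return NGX_CONF_ERROR;
        }

    } else {

        /* without "ssl on" a server needs a context only if it has a
         * certificate (e.g. for SNI); no certificate means nothing to do */

        if (conf->certificate.len == 0) {
            return NGX_CONF_OK;
        }

        if (conf->certificate_key.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate_key\" is defined "
                          "for certificate \"%V\"", &conf->certificate);
            return NGX_CONF_ERROR;
        }
    }

    if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

    /* a failure here only loses SNI, so it is a warning, not an error */

    if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                               ngx_http_ssl_servername)
        == 0)
    {
        ngx_log_error(NGX_LOG_WARN, cf->log, 0,
            "nginx was built with SNI support, however, now it is linked "
            "dynamically to an OpenSSL library which has no tlsext support, "
            "therefore SNI is not available");
    }

#endif

    /* register the cleanup before anything below can fail, so the context
     * is freed with cf->pool on any error return */

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

    if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
                            &conf->certificate_key)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
                                (const char *) conf->ciphers.data)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "SSL_CTX_set_cipher_list(\"%V\") failed",
                      &conf->ciphers);

        /* do not start with a cipher list other than the configured one */
        return NGX_CONF_ERROR;
    }

    if (conf->verify) {

        if (conf->client_certificate.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no ssl_client_certificate for ssl_client_verify");
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                       &conf->client_certificate,
                                       conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }

        /* crl may be empty; ngx_ssl_crl() is expected to handle that */
        if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
            return NGX_CONF_ERROR;
        }
    }

    if (conf->prefer_server_ciphers) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
    }

    /*
     * a temporary 512-bit RSA key is required for export versions of MSIE;
     * it is generated on first use by the callback and shared across hosts
     */
    SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);

    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    ngx_conf_merge_value(conf->builtin_session_cache,
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

    if (conf->shm_zone == NULL) {
        conf->shm_zone = prev->shm_zone;
    }

    if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
                              conf->builtin_session_cache,
                              conf->shm_zone, conf->session_timeout)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}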
563 | 491 |
492 | |
/*
 * Handler for the "ssl" flag.  Behaves like ngx_conf_set_flag_slot() and,
 * on success, records the file and line of the directive so that
 * ngx_http_ssl_merge_srv_conf can name them in its error messages.
 */
static char *
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t  *sscf = conf;

    char  *err;

    err = ngx_conf_set_flag_slot(cf, cmd, conf);

    if (err == NGX_CONF_OK) {
        sscf->file = cf->conf_file->file.name.data;
        sscf->line = cf->conf_file->line;
    }

    return err;
}
511 | |
512 | |
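/*
 * Handler for "ssl_session_cache".  Each argument is one of "off", "none",
 * "builtin", "builtin:N" or "shared:NAME:SIZE"; the builtin choice goes to
 * sscf->builtin_session_cache and the shared zone to sscf->shm_zone.  When
 * only a shared zone is given the builtin cache is switched off.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging the bad argument.
 *
 * Fix: "shared:NAME" with no ":SIZE" left j == value[i].len after the
 * scan, so size.len wrapped to (size_t) -1 and size.data pointed one past
 * the argument; ngx_parse_size() then read outside the buffer.  Such an
 * argument is now rejected as invalid.
 */
static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            /* builtin:N — N is the number of sessions */
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            sscf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            len = 0;

            /* split "NAME:SIZE"; the ':' is overwritten so that the zone
             * name is also a NUL-terminated C string */

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    value[i].data[j] = '\0';
                    break;
                }

                len++;
            }

            /* empty name, or no ':' at all (j ran to the end): reject */
            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_http_ssl_module);
            if (sscf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            continue;
        }

        goto invalid;
    }

    /* a shared zone alone implies no builtin cache */
    if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
        sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}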