annotate src/http/modules/ngx_http_ssl_module.c @ 4904:c3b276283e4a stable-1.2
Merge of r4885: ssl_verify_client optional_no_ca.
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter makes it possible not to require the client certificate to be
signed by a trusted CA, e.g. if the CA certificate isn't known in advance, as
in the WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 13 Nov 2012 10:42:16 +0000 |
parents | d620f497c50f |
children | 2ff51c32791f |
rev | line source |
---|---|
1 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
5 */ |
6 |
7 |
8 #include <ngx_config.h> |
9 #include <ngx_core.h> |
10 #include <ngx_http.h> |
11 |
573 | 12 |
/*
 * Accessor signature stored, cast to uintptr_t, in the data field of the
 * ngx_http_ssl_vars[] entries and cast back by the two variable handlers.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);


/* fallbacks ngx_http_ssl_merge_srv_conf() applies when nothing is configured */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "prime256v1"
/* $ssl_* variable getters and the hook that registers them */
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);

/* per-server configuration: allocation and parent/child merge */
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
    void *parent, void *child);

/* directive handlers that do more than a generic slot setter */
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
35 | |
/*
 * Names accepted by the "ssl_protocols" directive and the bit each one sets
 * in ngx_http_ssl_srv_conf_t.protocols.
 *
 * SSLv2 is enabled only when it is named explicitly; the default mask used
 * by ngx_http_ssl_merge_srv_conf() is SSLv3 through TLSv1.2.  SSLv2 and
 * SSLv3 are obsolete protocols, so a deployment should list only the TLS
 * versions its clients need.
 */
static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
    { ngx_string("SSLv2"),   NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"),   NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"),   NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_null_string,       0 }
};
45 | |
46 | |
/*
 * Values of the "ssl_verify_client" directive, stored in
 * ngx_http_ssl_srv_conf_t.verify.  ngx_http_ssl_merge_srv_conf() tests the
 * field for non-zero and compares it with the literal 3, so the numbers
 * must stay in step with that function.
 *
 * "optional_no_ca" does not require the client certificate to be signed by
 * a trusted CA.  It adds no security unless the certificate is checked to
 * be trusted by some external means (e.g. by a backend).
 */
static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
    { ngx_string("off"),            0 },
    { ngx_string("on"),             1 },
    { ngx_string("optional"),       2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string,              0 }
};
54 | |
55 | |
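/*
 * Directives of the HTTP SSL module.  Every directive is valid at http{}
 * and server{} level and writes into the per-server configuration
 * (ngx_http_ssl_srv_conf_t); the table ends with ngx_null_command.
 */
static ngx_command_t  ngx_http_ssl_commands[] = {

    /* custom handler: also records where "ssl" was set, for error messages */
    { ngx_string("ssl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_http_ssl_enable,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, enable),
      NULL },

    { ngx_string("ssl_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
      NULL },

    { ngx_string("ssl_ecdh_curve"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
      NULL },

    /* one or more protocol names, OR-ed together via ngx_http_ssl_protocols */
    { ngx_string("ssl_protocols"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, protocols),
      &ngx_http_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ciphers),
      NULL },

    /* off | on | optional | optional_no_ca, see ngx_http_ssl_verify */
    { ngx_string("ssl_verify_client"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify),
      &ngx_http_ssl_verify },

    /*
     * ngx_conf_set_num_slot() stores a single number, so the directive
     * takes exactly one argument.  It used to be declared NGX_CONF_1MORE,
     * which let extra arguments through without any diagnostic.
     */
    { ngx_string("ssl_verify_depth"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
      NULL },

    { ngx_string("ssl_client_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
      NULL },

    /* custom handler, parses the arguments itself (offset unused) */
    { ngx_string("ssl_session_cache"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
      ngx_http_ssl_session_cache,
      NGX_HTTP_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
      NULL },

    { ngx_string("ssl_crl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, crl),
      NULL },

      ngx_null_command
};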
/*
 * HTTP module hooks.  The module registers its variables before the
 * configuration is parsed and keeps state at server level only, so the
 * main- and location-level hooks are unused.
 */
static ngx_http_module_t  ngx_http_ssl_module_ctx = {
    ngx_http_ssl_add_variables,            /* preconfiguration */
    NULL,                                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_http_ssl_create_srv_conf,          /* create server configuration */
    ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

    NULL,                                  /* create location configuration */
    NULL                                   /* merge location configuration */
};
/*
 * Module descriptor: ties the context and the directive table together.
 * None of the process or thread lifecycle callbacks are used.
 */
ngx_module_t  ngx_http_ssl_module = {
    NGX_MODULE_V1,
    &ngx_http_ssl_module_ctx,              /* module context */
    ngx_http_ssl_commands,                 /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
/*
 * Variables exported by the module.  The data field carries the
 * ngx_ssl_get_*() accessor as a uintptr_t; the get handler casts it back to
 * ngx_ssl_variable_handler_pt and calls it.
 *
 * NOTE(review): with "ssl_verify_client optional_no_ca" the $ssl_client_*
 * values may describe a certificate that no trusted CA signed; whatever
 * consumes them (e.g. a backend) has to establish trust itself.
 */
static ngx_http_variable_t  ngx_http_ssl_vars[] = {

    /* connection parameters, read through ngx_http_ssl_static_variable() */

    { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /* values produced per request through ngx_http_ssl_variable() */

    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_null_string, NULL, NULL, 0, 0, 0 }
};
223 | |
224 | |
/* session id context handed to ngx_ssl_session_cache() for HTTP servers */
static ngx_str_t  ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
973 | 226 |
227 | |
/*
 * Getter for variables whose accessor returns a NUL-terminated string and
 * is called without a pool ($ssl_protocol, $ssl_cipher).
 *
 * data is the accessor, stored as a uintptr_t in ngx_http_ssl_vars[].
 * The value length is found by scanning for the terminating NUL.  On a
 * connection without SSL the variable is marked as not found.
 * Always returns NGX_OK.
 */
static ngx_int_t
ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    size_t                       n;
    ngx_str_t                    value;
    ngx_ssl_variable_handler_pt  get;

    if (r->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    get = (ngx_ssl_variable_handler_pt) data;

    /*
     * NOTE(review): the result is discarded on purpose, which assumes the
     * accessor always fills in a non-NULL, NUL-terminated value.data;
     * confirm this holds for every accessor registered with this getter.
     */
    (void) get(r->connection, NULL, &value);

    v->data = value.data;

    n = 0;
    while (v->data[n] != '\0') {
        n++;
    }

    v->len = n;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
257 | |
258 | |
/*
 * Getter for variables whose accessor builds the value in the request pool
 * ($ssl_session_id and the $ssl_client_* family).
 *
 * data is the accessor, stored as a uintptr_t in ngx_http_ssl_vars[].
 * Returns NGX_ERROR when the accessor fails.  Otherwise returns NGX_OK,
 * with the variable marked as not found when the connection has no SSL or
 * the accessor produced an empty value.
 */
static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_str_t                    value;
    ngx_ssl_variable_handler_pt  get;

    if (r->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    get = (ngx_ssl_variable_handler_pt) data;

    if (get(r->connection, r->pool, &value) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = value.len;
    v->data = value.data;

    /* an empty value is reported as "not found" rather than as "" */
    if (v->len == 0) {
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
289 | |
290 | |
/*
 * Preconfiguration hook: registers every entry of ngx_http_ssl_vars[] and
 * copies its get handler and data onto the registered variable.
 * Returns NGX_ERROR as soon as one registration fails, NGX_OK otherwise.
 */
static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_http_variable_t  *src, *dst;

    src = ngx_http_ssl_vars;

    /* the table is terminated by an entry with an empty name */
    while (src->name.len != 0) {

        dst = ngx_http_add_variable(cf, &src->name, src->flags);
        if (dst == NULL) {
            return NGX_ERROR;
        }

        dst->get_handler = src->get_handler;
        dst->data = src->data;

        src++;
    }

    return NGX_OK;
}
308 | |
309 | |
/*
 * Allocates a zeroed per-server configuration from the configuration pool
 * and marks the scalar settings as unset so that
 * ngx_http_ssl_merge_srv_conf() can tell "not configured" from a value.
 * Returns NULL when the allocation fails.
 */
static void *
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
{
    ngx_http_ssl_srv_conf_t  *conf;

    conf = ngx_pcalloc(cf->pool, sizeof(*conf));
    if (conf == NULL) {
        return NULL;
    }

    /*
     * left zeroed by ngx_pcalloc():
     *
     *     conf->protocols = 0;
     *     conf->certificate = { 0, NULL };
     *     conf->certificate_key = { 0, NULL };
     *     conf->dhparam = { 0, NULL };
     *     conf->ecdh_curve = { 0, NULL };
     *     conf->client_certificate = { 0, NULL };
     *     conf->crl = { 0, NULL };
     *     conf->ciphers = { 0, NULL };
     *     conf->shm_zone = NULL;
     */

    conf->enable = NGX_CONF_UNSET;
    conf->prefer_server_ciphers = NGX_CONF_UNSET;
    conf->verify = NGX_CONF_UNSET_UINT;
    conf->verify_depth = NGX_CONF_UNSET_UINT;
    conf->builtin_session_cache = NGX_CONF_UNSET;
    conf->session_timeout = NGX_CONF_UNSET;

    return conf;
}
501 | 345 static char * |
346 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
347 { |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
348 ngx_http_ssl_srv_conf_t *prev = parent; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
349 ngx_http_ssl_srv_conf_t *conf = child; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
350 |
563 | 351 ngx_pool_cleanup_t *cln; |
352 | |
4234
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
353 if (conf->enable == NGX_CONF_UNSET) { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
354 if (prev->enable == NGX_CONF_UNSET) { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
355 conf->enable = 0; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
356 |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
357 } else { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
358 conf->enable = prev->enable; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
359 conf->file = prev->file; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
360 conf->line = prev->line; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
361 } |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
362 } |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
363 |
573 | 364 ngx_conf_merge_value(conf->session_timeout, |
365 prev->session_timeout, 300); | |
366 | |
547 | 367 ngx_conf_merge_value(conf->prefer_server_ciphers, |
368 prev->prefer_server_ciphers, 0); | |
369 | |
370 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4273
diff
changeset
|
371 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4273
diff
changeset
|
372 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | 373 |
2123 | 374 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
375 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); | |
647 | 376 |
2224 | 377 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
378 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
379 |
2044 | 380 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
381 | |
647 | 382 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
383 ""); | |
2995 | 384 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
647 | 385 |
3960 | 386 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
387 NGX_DEFAULT_ECDH_CURVE); | |
388 | |
2124 | 389 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
479 | 390 |
391 | |
547 | 392 conf->ssl.log = cf->log; |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
393 |
2224 | 394 if (conf->enable) { |
395 | |
396 if (conf->certificate.len == 0) { | |
397 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
398 "no \"ssl_certificate\" is defined for " | |
399 "the \"ssl\" directive in %s:%ui", | |
400 conf->file, conf->line); | |
401 return NGX_CONF_ERROR; | |
402 } | |
403 | |
404 if (conf->certificate_key.len == 0) { | |
405 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
406 "no \"ssl_certificate_key\" is defined for " | |
407 "the \"ssl\" directive in %s:%ui", | |
408 conf->file, conf->line); | |
409 return NGX_CONF_ERROR; | |
410 } | |
411 | |
412 } else { | |
413 | |
414 if (conf->certificate.len == 0) { | |
415 return NGX_CONF_OK; | |
416 } | |
417 | |
418 if (conf->certificate_key.len == 0) { | |
419 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
420 "no \"ssl_certificate_key\" is defined " | |
421 "for certificate \"%V\"", &conf->certificate); | |
422 return NGX_CONF_ERROR; | |
423 } | |
424 } | |
425 | |
969 | 426 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
427 return NGX_CONF_ERROR; |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
428 } |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
429 |
1219 | 430 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
431 | |
432 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | |
433 ngx_http_ssl_servername) | |
434 == 0) | |
435 { | |
3140
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
436 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
3209 | 437 "nginx was built with SNI support, however, now it is linked " |
3140
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
438 "dynamically to an OpenSSL library which has no tlsext support, " |
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
439 "therefore SNI is not available"); |
1219 | 440 } |
441 | |
442 #endif | |
443 | |
563 | 444 cln = ngx_pool_cleanup_add(cf->pool, 0); |
445 if (cln == NULL) { | |
509 | 446 return NGX_CONF_ERROR; |
447 } | |
448 | |
563 | 449 cln->handler = ngx_ssl_cleanup_ctx; |
450 cln->data = &conf->ssl; | |
451 | |
452 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
970 | 453 &conf->certificate_key) |
454 != NGX_OK) | |
529 | 455 { |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
456 return NGX_CONF_ERROR; |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
457 } |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
458 |
547 | 459 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
563 | 460 (const char *) conf->ciphers.data) |
461 == 0) | |
529 | 462 { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
463 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
547 | 464 "SSL_CTX_set_cipher_list(\"%V\") failed", |
465 &conf->ciphers); | |
466 } | |
467 | |
647 | 468 if (conf->verify) { |
2123 | 469 |
4904
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
470 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
2123 | 471 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
472 "no ssl_client_certificate for ssl_client_verify"); | |
473 return NGX_CONF_ERROR; | |
474 } | |
475 | |
671 | 476 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
970 | 477 &conf->client_certificate, |
478 conf->verify_depth) | |
671 | 479 != NGX_OK) |
480 { | |
481 return NGX_CONF_ERROR; | |
647 | 482 } |
2995 | 483 |
484 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { | |
485 return NGX_CONF_ERROR; | |
486 } | |
647 | 487 } |
488 | |
547 | 489 if (conf->prefer_server_ciphers) { |
490 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
491 } | |
492 | |
493 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3938
diff
changeset
|
494 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
495 |
2044 | 496 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
497 return NGX_CONF_ERROR; | |
498 } | |
499 | |
3960 | 500 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
501 return NGX_CONF_ERROR; | |
502 } | |
503 | |
973 | 504 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 505 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
973 | 506 |
507 if (conf->shm_zone == NULL) { | |
508 conf->shm_zone = prev->shm_zone; | |
509 } | |
510 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
511 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
512 conf->builtin_session_cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
513 conf->shm_zone, conf->session_timeout) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
514 != NGX_OK) |
973 | 515 { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
516 return NGX_CONF_ERROR; |
973 | 517 } |
573 | 518 |
519 return NGX_CONF_OK; |
520 } |
563 | 521 |
522 | |
/*
 * Directive handler: stores an on/off flag through the generic
 * ngx_conf_set_flag_slot() helper and, when that succeeds, records the
 * configuration file name and line number of the directive in the server
 * configuration.
 *
 * Returns whatever ngx_conf_set_flag_slot() returned; NGX_CONF_OK means the
 * flag was accepted and the location was recorded.
 *
 * NOTE(review): the recorded file/line are presumably used for diagnostics
 * when the merged configuration turns out to be incomplete -- confirm
 * against the merge handler.
 */
static char *
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    char                     *result;
    ngx_http_ssl_srv_conf_t  *srv_conf = conf;

    result = ngx_conf_set_flag_slot(cf, cmd, conf);

    if (result == NGX_CONF_OK) {
        /* remember where the directive was seen */
        srv_conf->file = cf->conf_file->file.name.data;
        srv_conf->line = cf->conf_file->line;
    }

    return result;
}
541 | |
542 | |
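/*
 * Directive handler that parses the session cache arguments into the
 * server configuration.
 *
 * Each argument after the directive name must be one of:
 *
 *   off                  builtin_session_cache = NGX_SSL_NO_SCACHE
 *   none                 builtin_session_cache = NGX_SSL_NONE_SCACHE
 *   builtin              builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE
 *   builtin:<number>     builtin_session_cache = <number>
 *   shared:<name>:<size> registers a shared memory zone <name> of <size>
 *                        bytes; <size> must be at least 8 pages
 *
 * If only a shared zone was configured, the builtin cache is explicitly
 * marked as NGX_SSL_NO_BUILTIN_SCACHE.
 *
 * Returns NGX_CONF_OK on success and NGX_CONF_ERROR (after logging at
 * NGX_LOG_EMERG) on any malformed argument or allocation failure.
 */
static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            /* the text after "builtin:" is the cache size as a number */
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            sscf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            len = 0;

            /* find the ':' that separates the zone name from its size */
            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /*
             * Reject an empty zone name and, just as importantly, an
             * argument without the second ':' ("shared:name").  In the
             * latter case j == value[i].len, so the size length computed
             * below (value[i].len - j - 1) would wrap around to a huge
             * unsigned value and the size pointer would lie past the end
             * of the argument.
             */
            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            /*
             * Terminate the zone name in place.
             * NOTE(review): presumably consumers of the zone name expect
             * a NUL-terminated string -- confirm.
             */
            value[i].data[j] = '\0';

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            /* a shared zone smaller than 8 pages is refused */
            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_http_ssl_module);
            if (sscf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            sscf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    /* a shared zone without any builtin setting turns the builtin cache off */
    if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
        sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}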