nginx: src/http/modules/ngx_http_ssl

annotate src/http/modules/ngx_http_ssl_module.h @ 5503:d049b0ea00a3

SSL: ssl_session_tickets directive. This adds support so it's possible to explicitly disable SSL Session Tickets. In order to have good Forward Secrecy support either the session ticket key has to be reloaded by using nginx' binary upgrade process or using an external key file and reloading the configuration. This directive adds another possibility to have good support by disabling session tickets altogether. If session tickets are enabled and the process lives for a long a time, an attacker can grab the session ticket from the process and use that to decrypt any traffic that occured during the entire lifetime of the process.

author	Dirkjan Bussink <d.bussink@gmail.com>
date	Fri, 10 Jan 2014 16:12:40 +0100
parents	a297b7ad6f94
children	42114bf12da0

rev	line source
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2 /*
444 42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright Igor Sysoev <igor@sysoev.ru> parents: 441 diff changeset	3 * Copyright (C) Igor Sysoev
4412 d620f497c50f Copyright updated. Maxim Konovalov <maxim@nginx.com> parents: 3960 diff changeset	4 * Copyright (C) Nginx, Inc.
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	5 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	6
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	7
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	8 #ifndef _NGX_HTTP_SSL_H_INCLUDED_
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	9 #define _NGX_HTTP_SSL_H_INCLUDED_
383 c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	10
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	11
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	12 #include <ngx_config.h>
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	13 #include <ngx_core.h>
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	14 #include <ngx_http.h>
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	15
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	16
973 e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	17 typedef struct {
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	18 ngx_flag_t enable;
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	19
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	20 ngx_ssl_t ssl;
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	21
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	22 ngx_flag_t prefer_server_ciphers;
573 58475592100c nginx-0.3.8-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 547 diff changeset	23
973 e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	24 ngx_uint_t protocols;
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	25
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2044 diff changeset	26 ngx_uint_t verify;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2044 diff changeset	27 ngx_uint_t verify_depth;
973 e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	28
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	29 size_t buffer_size;
a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	30
973 e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	31 ssize_t builtin_session_cache;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: 392 diff changeset	32
973 e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	33 time_t session_timeout;
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	34
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	35 ngx_str_t certificate;
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	36 ngx_str_t certificate_key;
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 974 diff changeset	37 ngx_str_t dhparam;
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 2995 diff changeset	38 ngx_str_t ecdh_curve;
973 e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	39 ngx_str_t client_certificate;
4872 7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4412 diff changeset	40 ngx_str_t trusted_certificate;
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2224 diff changeset	41 ngx_str_t crl;
973 e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	42
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	43 ngx_str_t ciphers;
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	44
e1ede83911ef ssl_session_cache Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	45 ngx_shm_zone_t *shm_zone;
2224 109849282793 ) listen ssl Igor Sysoev <igor@sysoev.ru>* parents: 2123 diff changeset	46
5503 d049b0ea00a3 SSL: ssl_session_tickets directive. Dirkjan Bussink <d.bussink@gmail.com> parents: 5487 diff changeset	47 ngx_flag_t session_tickets;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 4879 diff changeset	48 ngx_array_t *session_ticket_keys;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 4879 diff changeset	49
4873 dd74fd35ceb5 OCSP stapling: ssl_stapling_file support. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	50 ngx_flag_t stapling;
4879 4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	51 ngx_flag_t stapling_verify;
4873 dd74fd35ceb5 OCSP stapling: ssl_stapling_file support. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	52 ngx_str_t stapling_file;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4873 diff changeset	53 ngx_str_t stapling_responder;
4873 dd74fd35ceb5 OCSP stapling: ssl_stapling_file support. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	54
2224 109849282793 ) listen ssl Igor Sysoev <igor@sysoev.ru>* parents: 2123 diff changeset	55 u_char *file;
109849282793 ) listen ssl Igor Sysoev <igor@sysoev.ru>* parents: 2123 diff changeset	56 ngx_uint_t line;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: 392 diff changeset	57 } ngx_http_ssl_srv_conf_t;
386 fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import Igor Sysoev <igor@sysoev.ru> parents: 384 diff changeset	58
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import Igor Sysoev <igor@sysoev.ru> parents: 384 diff changeset	59
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	60 extern ngx_module_t ngx_http_ssl_module;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: 392 diff changeset	61
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: 392 diff changeset	62
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	63 #endif /* _NGX_HTTP_SSL_H_INCLUDED_ */

Mercurial > hg > nginx

annotate src/http/modules/ngx_http_ssl_module.h @ 5503:d049b0ea00a3