Mercurial > hg > nginx
annotate src/mail/ngx_mail_ssl_module.c @ 5503:d049b0ea00a3
SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.
If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
| author | Dirkjan Bussink <d.bussink@gmail.com> |
|---|---|
| date | Fri, 10 Jan 2014 16:12:40 +0100 |
| parents | 1356a3b96924 |
| children | 42114bf12da0 |
| rev | line source |
|---|---|
| 539 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
| 539 | 5 */ |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 1136 | 10 #include <ngx_mail.h> |
| 539 | 11 |
| 12 | |
| 3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
| 14 #define NGX_DEFAULT_ECDH_CURVE "prime256v1" | |
| 539 | 15 |
| 16 | |
| 1136 | 17 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); |
| 18 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child); | |
| 2224 | 19 |
| 20 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 21 void *conf); | |
| 22 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 23 void *conf); | |
| 1136 | 24 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
| 976 | 25 void *conf); |
| 539 | 26 |
| 27 | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
28 static ngx_conf_enum_t ngx_mail_starttls_state[] = { |
| 1136 | 29 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF }, |
| 30 { ngx_string("on"), NGX_MAIL_STARTTLS_ON }, | |
| 31 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY }, | |
| 583 | 32 { ngx_null_string, 0 } |
| 33 }; | |
| 34 | |
| 35 | |
| 36 | |
| 1136 | 37 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = { |
| 547 | 38 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 39 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 40 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
41 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
42 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
| 547 | 43 { ngx_null_string, 0 } |
| 44 }; | |
| 45 | |
| 46 | |
| 1136 | 47 static ngx_command_t ngx_mail_ssl_commands[] = { |
| 539 | 48 |
| 49 { ngx_string("ssl"), | |
| 1136 | 50 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 2224 | 51 ngx_mail_ssl_enable, |
| 1136 | 52 NGX_MAIL_SRV_CONF_OFFSET, |
| 53 offsetof(ngx_mail_ssl_conf_t, enable), | |
| 539 | 54 NULL }, |
| 55 | |
| 583 | 56 { ngx_string("starttls"), |
| 1136 | 57 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 2224 | 58 ngx_mail_ssl_starttls, |
| 1136 | 59 NGX_MAIL_SRV_CONF_OFFSET, |
| 60 offsetof(ngx_mail_ssl_conf_t, starttls), | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5219
diff
changeset
|
61 ngx_mail_starttls_state }, |
| 583 | 62 |
| 539 | 63 { ngx_string("ssl_certificate"), |
| 1136 | 64 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 65 ngx_conf_set_str_slot, |
| 1136 | 66 NGX_MAIL_SRV_CONF_OFFSET, |
| 67 offsetof(ngx_mail_ssl_conf_t, certificate), | |
| 539 | 68 NULL }, |
| 69 | |
| 70 { ngx_string("ssl_certificate_key"), | |
| 1136 | 71 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 72 ngx_conf_set_str_slot, |
| 1136 | 73 NGX_MAIL_SRV_CONF_OFFSET, |
| 74 offsetof(ngx_mail_ssl_conf_t, certificate_key), | |
| 539 | 75 NULL }, |
| 76 | |
| 2044 | 77 { ngx_string("ssl_dhparam"), |
| 78 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 79 ngx_conf_set_str_slot, | |
| 80 NGX_MAIL_SRV_CONF_OFFSET, | |
| 81 offsetof(ngx_mail_ssl_conf_t, dhparam), | |
| 82 NULL }, | |
| 83 | |
| 3960 | 84 { ngx_string("ssl_ecdh_curve"), |
| 85 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | |
| 86 ngx_conf_set_str_slot, | |
| 87 NGX_MAIL_SRV_CONF_OFFSET, | |
| 88 offsetof(ngx_mail_ssl_conf_t, ecdh_curve), | |
| 89 NULL }, | |
| 90 | |
| 547 | 91 { ngx_string("ssl_protocols"), |
| 1136 | 92 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, |
| 547 | 93 ngx_conf_set_bitmask_slot, |
| 1136 | 94 NGX_MAIL_SRV_CONF_OFFSET, |
| 95 offsetof(ngx_mail_ssl_conf_t, protocols), | |
| 96 &ngx_mail_ssl_protocols }, | |
| 547 | 97 |
| 539 | 98 { ngx_string("ssl_ciphers"), |
| 1136 | 99 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 539 | 100 ngx_conf_set_str_slot, |
| 1136 | 101 NGX_MAIL_SRV_CONF_OFFSET, |
| 102 offsetof(ngx_mail_ssl_conf_t, ciphers), | |
| 539 | 103 NULL }, |
| 104 | |
| 547 | 105 { ngx_string("ssl_prefer_server_ciphers"), |
| 1136 | 106 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
| 547 | 107 ngx_conf_set_flag_slot, |
| 1136 | 108 NGX_MAIL_SRV_CONF_OFFSET, |
| 109 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers), | |
| 547 | 110 NULL }, |
| 563 | 111 |
| 976 | 112 { ngx_string("ssl_session_cache"), |
| 1136 | 113 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
| 114 ngx_mail_ssl_session_cache, | |
| 115 NGX_MAIL_SRV_CONF_OFFSET, | |
| 976 | 116 0, |
| 117 NULL }, | |
| 118 | |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
119 { ngx_string("ssl_session_tickets"), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
120 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
121 ngx_conf_set_flag_slot, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
122 NGX_MAIL_SRV_CONF_OFFSET, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
123 offsetof(ngx_mail_ssl_conf_t, session_tickets), |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
124 NULL }, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
125 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
126 { ngx_string("ssl_session_ticket_key"), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
127 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
128 ngx_conf_set_str_array_slot, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
129 NGX_MAIL_SRV_CONF_OFFSET, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
130 offsetof(ngx_mail_ssl_conf_t, session_ticket_keys), |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
131 NULL }, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
132 |
| 573 | 133 { ngx_string("ssl_session_timeout"), |
| 1136 | 134 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 573 | 135 ngx_conf_set_sec_slot, |
| 1136 | 136 NGX_MAIL_SRV_CONF_OFFSET, |
| 137 offsetof(ngx_mail_ssl_conf_t, session_timeout), | |
| 573 | 138 NULL }, |
| 547 | 139 |
| 539 | 140 ngx_null_command |
| 141 }; | |
| 142 | |
| 143 | |
| 1136 | 144 static ngx_mail_module_t ngx_mail_ssl_module_ctx = { |
|
1487
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
145 NULL, /* protocol */ |
|
f69493e8faab
ngx_mail_pop3_module, ngx_mail_imap_module, and ngx_mail_smtp_module
Igor Sysoev <igor@sysoev.ru>
parents:
1136
diff
changeset
|
146 |
| 539 | 147 NULL, /* create main configuration */ |
| 148 NULL, /* init main configuration */ | |
| 149 | |
| 1136 | 150 ngx_mail_ssl_create_conf, /* create server configuration */ |
| 151 ngx_mail_ssl_merge_conf /* merge server configuration */ | |
| 539 | 152 }; |
| 153 | |
| 154 | |
| 1136 | 155 ngx_module_t ngx_mail_ssl_module = { |
| 539 | 156 NGX_MODULE_V1, |
| 1136 | 157 &ngx_mail_ssl_module_ctx, /* module context */ |
| 158 ngx_mail_ssl_commands, /* module directives */ | |
| 159 NGX_MAIL_MODULE, /* module type */ | |
| 541 | 160 NULL, /* init master */ |
| 539 | 161 NULL, /* init module */ |
| 541 | 162 NULL, /* init process */ |
| 163 NULL, /* init thread */ | |
| 164 NULL, /* exit thread */ | |
| 165 NULL, /* exit process */ | |
| 166 NULL, /* exit master */ | |
| 167 NGX_MODULE_V1_PADDING | |
| 539 | 168 }; |
| 169 | |
| 170 | |
| 1136 | 171 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL"); |
| 543 | 172 |
| 173 | |
| 539 | 174 static void * |
| 1136 | 175 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
| 577 | 176 { |
| 1136 | 177 ngx_mail_ssl_conf_t *scf; |
| 577 | 178 |
| 1136 | 179 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
| 539 | 180 if (scf == NULL) { |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
181 return NULL; |
| 539 | 182 } |
| 183 | |
| 184 /* | |
| 577 | 185 * set by ngx_pcalloc(): |
| 539 | 186 * |
| 547 | 187 * scf->protocols = 0; |
| 2044 | 188 * scf->certificate = { 0, NULL }; |
| 189 * scf->certificate_key = { 0, NULL }; | |
| 190 * scf->dhparam = { 0, NULL }; | |
| 3960 | 191 * scf->ecdh_curve = { 0, NULL }; |
|
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
192 * scf->ciphers = { 0, NULL }; |
| 976 | 193 * scf->shm_zone = NULL; |
| 539 | 194 */ |
| 195 | |
| 196 scf->enable = NGX_CONF_UNSET; | |
| 2759 | 197 scf->starttls = NGX_CONF_UNSET_UINT; |
| 976 | 198 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
| 199 scf->builtin_session_cache = NGX_CONF_UNSET; | |
| 573 | 200 scf->session_timeout = NGX_CONF_UNSET; |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
201 scf->session_tickets = NGX_CONF_UNSET; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
202 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 539 | 203 |
| 204 return scf; | |
| 205 } | |
| 206 | |
| 207 | |
| 208 static char * | |
| 1136 | 209 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
| 539 | 210 { |
| 1136 | 211 ngx_mail_ssl_conf_t *prev = parent; |
| 212 ngx_mail_ssl_conf_t *conf = child; | |
| 539 | 213 |
| 2224 | 214 char *mode; |
| 563 | 215 ngx_pool_cleanup_t *cln; |
| 216 | |
| 539 | 217 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
| 2224 | 218 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
| 219 NGX_MAIL_STARTTLS_OFF); | |
| 539 | 220 |
| 573 | 221 ngx_conf_merge_value(conf->session_timeout, |
| 222 prev->session_timeout, 300); | |
| 223 | |
| 547 | 224 ngx_conf_merge_value(conf->prefer_server_ciphers, |
| 225 prev->prefer_server_ciphers, 0); | |
| 226 | |
| 227 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
228 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
229 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 547 | 230 |
| 2224 | 231 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
| 232 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
| 539 | 233 |
| 2044 | 234 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
| 235 | |
| 3960 | 236 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 237 NGX_DEFAULT_ECDH_CURVE); | |
| 238 | |
| 2124 | 239 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 539 | 240 |
| 241 | |
| 547 | 242 conf->ssl.log = cf->log; |
| 539 | 243 |
| 2224 | 244 if (conf->enable) { |
| 245 mode = "ssl"; | |
| 246 | |
| 247 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
| 248 mode = "starttls"; | |
| 249 | |
| 250 } else { | |
| 251 mode = ""; | |
| 252 } | |
| 253 | |
|
5401
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
254 if (conf->file == NULL) { |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
255 conf->file = prev->file; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
256 conf->line = prev->line; |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
257 } |
|
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
258 |
| 2224 | 259 if (*mode) { |
| 260 | |
| 261 if (conf->certificate.len == 0) { | |
| 262 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 263 "no \"ssl_certificate\" is defined for " | |
| 264 "the \"%s\" directive in %s:%ui", | |
| 265 mode, conf->file, conf->line); | |
| 266 return NGX_CONF_ERROR; | |
| 267 } | |
| 268 | |
| 269 if (conf->certificate_key.len == 0) { | |
| 270 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 271 "no \"ssl_certificate_key\" is defined for " | |
| 272 "the \"%s\" directive in %s:%ui", | |
| 273 mode, conf->file, conf->line); | |
| 274 return NGX_CONF_ERROR; | |
| 275 } | |
| 276 | |
| 277 } else { | |
| 278 | |
| 279 if (conf->certificate.len == 0) { | |
| 280 return NGX_CONF_OK; | |
| 281 } | |
| 282 | |
| 283 if (conf->certificate_key.len == 0) { | |
| 284 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 285 "no \"ssl_certificate_key\" is defined " | |
| 286 "for certificate \"%V\"", | |
| 287 &conf->certificate); | |
| 288 return NGX_CONF_ERROR; | |
| 289 } | |
| 290 } | |
| 291 | |
| 969 | 292 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 539 | 293 return NGX_CONF_ERROR; |
| 294 } | |
| 295 | |
| 563 | 296 cln = ngx_pool_cleanup_add(cf->pool, 0); |
| 297 if (cln == NULL) { | |
| 539 | 298 return NGX_CONF_ERROR; |
| 299 } | |
| 300 | |
| 563 | 301 cln->handler = ngx_ssl_cleanup_ctx; |
| 302 cln->data = &conf->ssl; | |
| 303 | |
| 304 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
| 305 &conf->certificate_key) | |
| 306 != NGX_OK) | |
| 547 | 307 { |
| 308 return NGX_CONF_ERROR; | |
| 309 } | |
| 539 | 310 |
|
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
311 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
312 (const char *) conf->ciphers.data) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
313 == 0) |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
314 { |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
315 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
316 "SSL_CTX_set_cipher_list(\"%V\") failed", |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
317 &conf->ciphers); |
|
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
318 return NGX_CONF_ERROR; |
| 539 | 319 } |
| 320 | |
| 563 | 321 if (conf->prefer_server_ciphers) { |
| 322 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
| 323 } | |
| 324 | |
|
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3938
diff
changeset
|
325 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
| 539 | 326 |
| 2044 | 327 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 328 return NGX_CONF_ERROR; | |
| 329 } | |
| 330 | |
|
5219
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
331 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
332 return NGX_CONF_ERROR; |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
333 } |
|
32fe021911c9
Mail: missing ngx_ssl_ecdh_curve() call.
F. da Silva <fdasilvayy@gmail.com>
parents:
4412
diff
changeset
|
334 |
| 976 | 335 ngx_conf_merge_value(conf->builtin_session_cache, |
| 2032 | 336 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
| 976 | 337 |
| 338 if (conf->shm_zone == NULL) { | |
| 339 conf->shm_zone = prev->shm_zone; | |
| 340 } | |
| 539 | 341 |
| 1136 | 342 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
| 976 | 343 conf->builtin_session_cache, |
| 344 conf->shm_zone, conf->session_timeout) | |
| 345 != NGX_OK) | |
| 346 { | |
| 347 return NGX_CONF_ERROR; | |
| 348 } | |
| 573 | 349 |
|
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
350 ngx_conf_merge_value(conf->session_tickets, |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
351 prev->session_tickets, 1); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
352 |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
353 #ifdef SSL_OP_NO_TICKET |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
354 if (!conf->session_tickets) { |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
355 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
356 } |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
357 #endif |
|
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
358 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
359 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
360 prev->session_ticket_keys, NULL); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
361 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
362 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
363 != NGX_OK) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
364 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
365 return NGX_CONF_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
366 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5401
diff
changeset
|
367 |
| 539 | 368 return NGX_CONF_OK; |
| 369 } | |
| 563 | 370 |
| 577 | 371 |
| 976 | 372 static char * |
| 2224 | 373 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 374 { | |
| 375 ngx_mail_ssl_conf_t *scf = conf; | |
| 376 | |
| 377 char *rv; | |
| 378 | |
| 379 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
| 380 | |
| 381 if (rv != NGX_CONF_OK) { | |
| 382 return rv; | |
| 383 } | |
| 384 | |
| 385 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 386 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 387 "\"starttls\" directive conflicts with \"ssl on\""); | |
| 388 return NGX_CONF_ERROR; | |
| 389 } | |
| 390 | |
| 391 scf->file = cf->conf_file->file.name.data; | |
| 392 scf->line = cf->conf_file->line; | |
| 393 | |
| 394 return NGX_CONF_OK; | |
| 395 } | |
| 396 | |
| 397 | |
| 398 static char * | |
| 399 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 400 { | |
| 401 ngx_mail_ssl_conf_t *scf = conf; | |
| 402 | |
| 403 char *rv; | |
| 404 | |
| 405 rv = ngx_conf_set_enum_slot(cf, cmd, conf); | |
| 406 | |
| 407 if (rv != NGX_CONF_OK) { | |
| 408 return rv; | |
| 409 } | |
| 410 | |
| 411 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) { | |
| 412 ngx_conf_log_error(NGX_LOG_WARN, cf, 0, | |
| 413 "\"ssl\" directive conflicts with \"starttls\""); | |
| 414 return NGX_CONF_ERROR; | |
| 415 } | |
| 416 | |
| 417 scf->file = cf->conf_file->file.name.data; | |
| 418 scf->line = cf->conf_file->line; | |
| 419 | |
| 420 return NGX_CONF_OK; | |
| 421 } | |
| 422 | |
| 423 | |
| 424 static char * | |
| 1136 | 425 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 976 | 426 { |
| 1136 | 427 ngx_mail_ssl_conf_t *scf = conf; |
| 976 | 428 |
| 429 size_t len; | |
| 430 ngx_str_t *value, name, size; | |
| 431 ngx_int_t n; | |
| 432 ngx_uint_t i, j; | |
| 433 | |
| 434 value = cf->args->elts; | |
| 435 | |
| 436 for (i = 1; i < cf->args->nelts; i++) { | |
| 437 | |
| 1778 | 438 if (ngx_strcmp(value[i].data, "off") == 0) { |
| 439 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 440 continue; | |
| 441 } | |
| 442 | |
| 2032 | 443 if (ngx_strcmp(value[i].data, "none") == 0) { |
| 444 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 445 continue; | |
| 446 } | |
| 447 | |
| 976 | 448 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
| 449 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 450 continue; | |
| 451 } | |
| 452 | |
| 453 if (value[i].len > sizeof("builtin:") - 1 | |
| 454 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 455 == 0) | |
| 456 { | |
| 457 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 458 value[i].len - (sizeof("builtin:") - 1)); | |
| 459 | |
| 460 if (n == NGX_ERROR) { | |
| 461 goto invalid; | |
| 462 } | |
| 463 | |
| 464 scf->builtin_session_cache = n; | |
| 465 | |
| 466 continue; | |
| 467 } | |
| 468 | |
| 469 if (value[i].len > sizeof("shared:") - 1 | |
| 470 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 471 == 0) | |
| 472 { | |
| 473 len = 0; | |
| 474 | |
| 475 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 476 if (value[i].data[j] == ':') { | |
| 477 break; | |
| 478 } | |
| 479 | |
| 480 len++; | |
| 481 } | |
| 482 | |
| 483 if (len == 0) { | |
| 484 goto invalid; | |
| 485 } | |
| 486 | |
| 487 name.len = len; | |
| 488 name.data = value[i].data + sizeof("shared:") - 1; | |
| 489 | |
| 490 size.len = value[i].len - j - 1; | |
| 491 size.data = name.data + len + 1; | |
| 492 | |
| 493 n = ngx_parse_size(&size); | |
| 494 | |
| 495 if (n == NGX_ERROR) { | |
| 496 goto invalid; | |
| 497 } | |
| 498 | |
| 499 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 500 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 501 "session cache \"%V\" is too small", | |
| 502 &value[i]); | |
| 503 | |
| 504 return NGX_CONF_ERROR; | |
| 505 } | |
| 506 | |
| 507 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 1136 | 508 &ngx_mail_ssl_module); |
| 976 | 509 if (scf->shm_zone == NULL) { |
| 510 return NGX_CONF_ERROR; | |
| 511 } | |
| 512 | |
|
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
513 scf->shm_zone->init = ngx_ssl_session_cache_init; |
|
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
514 |
| 976 | 515 continue; |
| 516 } | |
| 517 | |
| 518 goto invalid; | |
| 519 } | |
| 520 | |
| 521 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 522 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 523 } | |
| 524 | |
| 525 return NGX_CONF_OK; | |
| 526 | |
| 527 invalid: | |
| 528 | |
| 529 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 530 "invalid session cache \"%V\"", &value[i]); | |
| 531 | |
| 532 return NGX_CONF_ERROR; | |
| 533 } |