annotate src/http/modules/ngx_http_ssl_module.c @ 4873:dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Very basic version without any OCSP responder query code: it assumes a valid
DER-encoded OCSP response is already present in the configured ssl_stapling_file
and staples that file's contents as-is, so keeping the response current (before
it expires) is the operator's responsibility.
Such a file can be produced with openssl like this:
openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
-url http://ocsp.example.com
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Mon, 01 Oct 2012 12:41:08 +0000 |
parents | 7c3cca603438 |
children | 386a06a22c40 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
5 */ |
8 #include <ngx_config.h> |
9 #include <ngx_core.h> |
10 #include <ngx_http.h> |
/*
 * Signature of the ngx_ssl_get_*() accessors that back the $ssl_* variables
 * in ngx_http_ssl_vars[]: fill "s" from the connection "c".
 * ngx_http_ssl_static_variable() calls these with a NULL pool;
 * ngx_http_ssl_variable() passes r->pool so an accessor may copy into it.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);
/*
 * Defaults applied by ngx_http_ssl_merge_srv_conf() when "ssl_ciphers" or
 * "ssl_ecdh_curve" is not configured.  NGX_DEFAULT_CIPHERS is an OpenSSL
 * cipher string: it rules out unauthenticated (aNULL) and MD5-based suites
 * but otherwise defers to the library's "HIGH" group, so the effective suite
 * list depends on the OpenSSL version nginx is linked against.
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "prime256v1"
/* $ssl_* variable getters; ngx_http_ssl_vars[] says which variable uses which */
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

/* module context hooks */
static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
    void *parent, void *child);

/* directive handlers for "ssl" and "ssl_session_cache", defined further down */
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
/*
 * Values accepted by "ssl_protocols".  SSLv2 and SSLv3 remain selectable
 * here; when the directive is absent ngx_http_ssl_merge_srv_conf() defaults
 * to SSLv3 plus TLSv1 through TLSv1.2, so an operator who wants SSLv3 off
 * must set ssl_protocols explicitly.
 */
static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_null_string, 0 }
};
/*
 * Values accepted by "ssl_verify_client".  Any non-zero setting makes
 * ngx_http_ssl_merge_srv_conf() insist on "ssl_client_certificate"; the
 * distinction between "on" (1) and "optional" (2) is presumably applied by
 * ngx_ssl_client_certificate() / the connection code rather than here --
 * confirm against that code before relying on it.
 */
static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_null_string, 0 }
};
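/*
 * Directives of the http ssl module.  Each is valid in the http and server
 * blocks and is stored in ngx_http_ssl_srv_conf_t; defaults and the
 * consistency checks between them live in ngx_http_ssl_merge_srv_conf().
 *
 * Fix: "ssl_verify_depth" was declared NGX_CONF_1MORE although its handler,
 * ngx_conf_set_num_slot, stores a single value; trailing arguments passed
 * configuration parsing without complaint.  It is now NGX_CONF_TAKE1 like
 * every other single-value directive in this table (rev 4273 fixed the same
 * kind of mismatch for "ssl_verify_client").
 */
static ngx_command_t  ngx_http_ssl_commands[] = {

    /*
     * "ssl on|off" -- custom handler; merge_srv_conf reports conf->file and
     * conf->line in its diagnostics, so presumably the handler records them.
     */
    { ngx_string("ssl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_http_ssl_enable,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, enable),
      NULL },

    /* server certificate and private key paths; both are required once ssl is on */
    { ngx_string("ssl_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
      NULL },

    /* key-exchange parameters: DH parameter file and named ECDH curve */
    { ngx_string("ssl_dhparam"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
      NULL },

    { ngx_string("ssl_ecdh_curve"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
      NULL },

    /* protocol versions (bitmask, see ngx_http_ssl_protocols[]) and cipher string */
    { ngx_string("ssl_protocols"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, protocols),
      &ngx_http_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ciphers),
      NULL },

    /* client certificate verification: mode, chain depth, CA bundle */
    { ngx_string("ssl_verify_client"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify),
      &ngx_http_ssl_verify },

    /* exactly one numeric argument; was NGX_CONF_1MORE (see header comment) */
    { ngx_string("ssl_verify_depth"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
      NULL },

    { ngx_string("ssl_client_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
      NULL },

    /* introduced with OCSP stapling (rev 4872); consumed outside this table */
    { ngx_string("ssl_trusted_certificate"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
      NULL },

    /* session cache: custom handler, one or two arguments, no direct field */
    { ngx_string("ssl_session_cache"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
      ngx_http_ssl_session_cache,
      NGX_HTTP_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
      NULL },

    { ngx_string("ssl_crl"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, crl),
      NULL },

    /*
     * OCSP stapling.  "ssl_stapling_file" names a DER-encoded OCSP response
     * that is stapled as-is; this version performs no responder queries and
     * does not validate or refresh the file, so the operator must replace it
     * before the response expires.
     */
    { ngx_string("ssl_stapling"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, stapling),
      NULL },

    { ngx_string("ssl_stapling_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
      NULL },

      ngx_null_command
};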
/*
 * Module context.  Variables are registered at preconfiguration time; the
 * module keeps only a per-server configuration (no main or location level),
 * which is where the SSL context itself is built during merge.
 */
static ngx_http_module_t  ngx_http_ssl_module_ctx = {
    ngx_http_ssl_add_variables,            /* preconfiguration */
    NULL,                                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_http_ssl_create_srv_conf,          /* create server configuration */
    ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

    NULL,                                  /* create location configuration */
    NULL                                   /* merge location configuration */
};
/*
 * Module descriptor.  No process/thread lifecycle hooks: all work happens at
 * configuration time through the context above and the directive table.
 */
ngx_module_t  ngx_http_ssl_module = {
    NGX_MODULE_V1,
    &ngx_http_ssl_module_ctx,              /* module context */
    ngx_http_ssl_commands,                 /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
/*
 * $ssl_* variables exported by this module.  The getter column selects how
 * the accessor in the data column is driven:
 *
 *   ngx_http_ssl_static_variable -- accessor yields a static, NUL-terminated
 *                                   string; no pool is supplied;
 *   ngx_http_ssl_variable        -- accessor gets r->pool and reports the
 *                                   value length explicitly.
 */
static ngx_http_variable_t  ngx_http_ssl_vars[] = {

    /* negotiated protocol version and cipher suite */
    { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /*
     * Client certificate fields.  Whether the presented certificate passed
     * verification is reported separately by $ssl_client_verify; consumers
     * should check that before treating the DN or serial as an identity.
     */
    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_null_string, NULL, NULL, 0, 0, 0 }
};
/*
 * Session ID context label for this module's SSL contexts.  NOTE(review):
 * its consumer is not among the code above; presumably it is handed to the
 * session cache setup further down in ngx_http_ssl_merge_srv_conf() so that
 * HTTP sessions are kept apart from other protocols' -- confirm there.
 */
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
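/*
 * Getter for $ssl_* variables whose value is a static, NUL-terminated
 * string (protocol and cipher names).  "data" carries the ngx_ssl_get_*()
 * accessor to invoke; it is called with a NULL pool because the value is
 * not copied.
 *
 * Returns NGX_ERROR if the accessor fails.  Otherwise NGX_OK, with the
 * variable marked not found on plain (non-SSL) connections or when the
 * accessor leaves no string behind.
 */
static ngx_int_t
ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    ngx_str_t  s;

    if (r->connection->ssl) {

        /*
         * "s" is only meaningful after a successful accessor call; the
         * return value used to be discarded and s.data walked regardless,
         * which would dereference an uninitialized pointer on failure.
         * Mirrors the handling in ngx_http_ssl_variable().
         */
        if (handler(r->connection, NULL, &s) != NGX_OK) {
            return NGX_ERROR;
        }

        if (s.data == NULL) {
            v->not_found = 1;
            return NGX_OK;
        }

        v->data = s.data;

        /* accessors on this path do not fill s.len; the string is NUL-terminated */
        v->len = ngx_strlen(s.data);

        v->valid = 1;
        v->no_cacheable = 0;
        v->not_found = 0;

        return NGX_OK;
    }

    v->not_found = 1;

    return NGX_OK;
}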
/*
 * Getter for $ssl_* variables whose value is produced per request (session
 * id, client certificate fields).  "data" carries the ngx_ssl_get_*()
 * accessor; it receives r->pool so anything it copies lives as long as the
 * request.
 *
 * Returns NGX_ERROR if the accessor fails.  Otherwise NGX_OK, with the
 * variable marked not found on non-SSL connections or when the accessor
 * yields an empty string.
 */
static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_str_t                    value;
    ngx_ssl_variable_handler_pt  get = (ngx_ssl_variable_handler_pt) data;

    if (r->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    if (get(r->connection, r->pool, &value) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = value.len;
    v->data = value.data;

    /* an empty result is reported as "not found" rather than as "" */
    if (v->len == 0) {
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
/*
 * Preconfiguration hook: registers every entry of ngx_http_ssl_vars[] with
 * the core variable table, carrying over the getter and its data argument.
 * Stops with NGX_ERROR at the first registration that fails.
 */
static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_http_variable_t  *src, *dst;

    src = ngx_http_ssl_vars;

    while (src->name.len) {
        dst = ngx_http_add_variable(cf, &src->name, src->flags);
        if (dst == NULL) {
            return NGX_ERROR;
        }

        dst->get_handler = src->get_handler;
        dst->data = src->data;

        src++;
    }

    return NGX_OK;
}
/*
 * Allocates the per-server configuration.  Fields whose "unset" form is
 * all-zero are left to ngx_pcalloc(): protocols, shm_zone and the path /
 * string settings (certificate, certificate_key, dhparam, ecdh_curve,
 * client_certificate, trusted_certificate, crl, ciphers, stapling_file).
 * Everything else is explicitly marked NGX_CONF_UNSET so that
 * ngx_http_ssl_merge_srv_conf() can tell "not configured" from a
 * configured zero.
 *
 * Returns NULL if allocation fails.
 */
static void *
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
{
    ngx_http_ssl_srv_conf_t  *conf;

    conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
    if (conf == NULL) {
        return NULL;
    }

    /* flags */
    conf->enable = NGX_CONF_UNSET;
    conf->prefer_server_ciphers = NGX_CONF_UNSET;
    conf->stapling = NGX_CONF_UNSET;
    conf->builtin_session_cache = NGX_CONF_UNSET;

    /* numeric settings */
    conf->verify = NGX_CONF_UNSET_UINT;
    conf->verify_depth = NGX_CONF_UNSET_UINT;
    conf->session_timeout = NGX_CONF_UNSET;

    return conf;
}
501 | 368 static char * |
369 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | |
370 { |
371 ngx_http_ssl_srv_conf_t *prev = parent; |
372 ngx_http_ssl_srv_conf_t *conf = child; |
563 | 374 ngx_pool_cleanup_t *cln; |
375 | |
376 if (conf->enable == NGX_CONF_UNSET) { |
377 if (prev->enable == NGX_CONF_UNSET) { |
378 conf->enable = 0; |
380 } else { |
381 conf->enable = prev->enable; |
382 conf->file = prev->file; |
383 conf->line = prev->line; |
384 } |
385 } |
573 | 387 ngx_conf_merge_value(conf->session_timeout, |
388 prev->session_timeout, 300); | |
389 | |
547 | 390 ngx_conf_merge_value(conf->prefer_server_ciphers, |
391 prev->prefer_server_ciphers, 0); | |
392 | |
393 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
394 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
395 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | 396 |
2123 | 397 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
398 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); | |
647 | 399 |
2224 | 400 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
401 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
2044 | 403 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
404 | |
647 | 405 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
406 ""); | |
407 ngx_conf_merge_str_value(conf->trusted_certificate, |
408 prev->trusted_certificate, ""); |
2995 | 409 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
647 | 410 |
3960 | 411 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
412 NGX_DEFAULT_ECDH_CURVE); | |
413 | |
2124 | 414 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
479 | 415 |
416 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
417 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
479 | 418 |
547 | 419 conf->ssl.log = cf->log; |
2224 | 421 if (conf->enable) { |
422 | |
423 if (conf->certificate.len == 0) { | |
424 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
425 "no \"ssl_certificate\" is defined for " | |
426 "the \"ssl\" directive in %s:%ui", | |
427 conf->file, conf->line); | |
428 return NGX_CONF_ERROR; | |
429 } | |
430 | |
431 if (conf->certificate_key.len == 0) { | |
432 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
433 "no \"ssl_certificate_key\" is defined for " | |
434 "the \"ssl\" directive in %s:%ui", | |
435 conf->file, conf->line); | |
436 return NGX_CONF_ERROR; | |
437 } | |
438 | |
439 } else { | |
440 | |
441 if (conf->certificate.len == 0) { | |
442 return NGX_CONF_OK; | |
443 } | |
444 | |
445 if (conf->certificate_key.len == 0) { | |
446 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
447 "no \"ssl_certificate_key\" is defined " | |
448 "for certificate \"%V\"", &conf->certificate); | |
449 return NGX_CONF_ERROR; | |
450 } | |
451 } | |
452 | |
969 | 453 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
454 return NGX_CONF_ERROR; |
455 } |
1219 | 457 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
458 | |
459 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | |
460 ngx_http_ssl_servername) | |
461 == 0) | |
462 { | |
463 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
3209 | 464 "nginx was built with SNI support, however, now it is linked " |
465 "dynamically to an OpenSSL library which has no tlsext support, " |
466 "therefore SNI is not available"); |
1219 | 467 } |
468 | |
469 #endif | |
470 | |
563 | 471 cln = ngx_pool_cleanup_add(cf->pool, 0); |
472 if (cln == NULL) { | |
509 | 473 return NGX_CONF_ERROR; |
474 } | |
475 | |
563 | 476 cln->handler = ngx_ssl_cleanup_ctx; |
477 cln->data = &conf->ssl; | |
478 | |
479 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
970 | 480 &conf->certificate_key) |
481 != NGX_OK) | |
529 | 482 { |
483 return NGX_CONF_ERROR; |
484 } |
485 |
547 | 486 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
563 | 487 (const char *) conf->ciphers.data) |
488 == 0) | |
529 | 489 { |
490 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
547 | 491 "SSL_CTX_set_cipher_list(\"%V\") failed", |
492 &conf->ciphers); | |
493 } | |
494 | |
647 | 495 if (conf->verify) { |
2123 | 496 |
497 if (conf->client_certificate.len == 0) { | |
498 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
499 "no ssl_client_certificate for ssl_client_verify"); | |
500 return NGX_CONF_ERROR; | |
501 } | |
502 | |
671 | 503 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
970 | 504 &conf->client_certificate, |
505 conf->verify_depth) | |
671 | 506 != NGX_OK) |
507 { | |
508 return NGX_CONF_ERROR; | |
647 | 509 } |
510 } |
2995 | 511 |
512 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
513 &conf->trusted_certificate, |
514 conf->verify_depth) |
515 != NGX_OK) |
516 { |
517 return NGX_CONF_ERROR; |
518 } |
519 |
520 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
521 return NGX_CONF_ERROR; |
647 | 522 } |
523 | |
547 | 524 if (conf->prefer_server_ciphers) { |
525 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
526 } | |
527 | |
528 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | |
529 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
530 |
2044 | 531 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
532 return NGX_CONF_ERROR; | |
533 } | |
534 | |
3960 | 535 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
536 return NGX_CONF_ERROR; | |
537 } | |
538 | |
973 | 539 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 540 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
973 | 541 |
542 if (conf->shm_zone == NULL) { | |
543 conf->shm_zone = prev->shm_zone; | |
544 } | |
545 | |
546 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, |
547 conf->builtin_session_cache, |
548 conf->shm_zone, conf->session_timeout) |
549 != NGX_OK) |
973 | 550 { |
551 return NGX_CONF_ERROR; |
973 | 552 } |
573 | 553 |
554 if (conf->stapling |
555 && ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK) |
556 { |
557 return NGX_CONF_ERROR; |
558 } |
559 |
560 return NGX_CONF_OK; |
561 } |
563 | 562 |
563 | |
/*
 * Handler for the "ssl" directive.
 *
 * Flag parsing itself is delegated to ngx_conf_set_flag_slot().  On success
 * the file name and line number of the directive are recorded in the server
 * configuration; the merge handler reports them in its
 * "no ssl_certificate ... in %s:%ui" diagnostics.
 *
 * Returns NGX_CONF_OK, or whatever error ngx_conf_set_flag_slot() produced.
 */
static char *
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t  *sscf = conf;
    ngx_conf_file_t          *cfile;
    char                     *result;

    result = ngx_conf_set_flag_slot(cf, cmd, conf);
    if (result != NGX_CONF_OK) {
        return result;
    }

    /* remember where "ssl" was written so later errors can point at it */
    cfile = cf->conf_file;
    sscf->file = cfile->file.name.data;
    sscf->line = cfile->line;

    return NGX_CONF_OK;
}
582 | |
583 | |
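/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Accepts one or more arguments, each of which is one of:
 *
 *     off                   - builtin_session_cache = NGX_SSL_NO_SCACHE
 *     none                  - builtin_session_cache = NGX_SSL_NONE_SCACHE
 *     builtin               - builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE
 *     builtin:<n>           - builtin_session_cache = <n> (parsed by ngx_atoi())
 *     shared:<name>:<size>  - a shared memory zone <name> of <size> bytes is
 *                             registered via ngx_shared_memory_add() and its
 *                             init handler set to ngx_ssl_session_cache_init()
 *
 * When a shared zone was configured but no builtin setting was given,
 * builtin_session_cache is forced to NGX_SSL_NO_BUILTIN_SCACHE.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging an NGX_LOG_EMERG
 * diagnostic.  Note that the argument string is modified in place for the
 * "shared:" form (a NUL is written over the ':' that ends the zone name).
 */
static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            sscf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            /* the zone name runs from just after "shared:" to the next ':' */

            len = 0;

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /*
             * Reject an empty name and a missing ":<size>" part.  Without
             * the j == value[i].len check, "shared:name" left j at the end
             * of the argument, so size.len below wrapped around and
             * size.data pointed past the argument; ngx_parse_size() then
             * read out of bounds.
             */

            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            /*
             * NUL-terminate the zone name in place.  This write was
             * introduced together with the Win32 shared memory support,
             * which presumably uses the name as a C string -- keep it.
             */

            value[i].data[j] = '\0';

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            /* everything after the ':' that ended the name is the size */

            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            if (size.len == 0) {
                goto invalid;
            }

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            /* the zone must hold at least eight pages */

            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                   &ngx_http_ssl_module);
            if (sscf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            sscf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    /* a shared zone without an explicit builtin setting disables builtin */

    if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
        sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}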