Mercurial > hg > nginx
annotate src/stream/ngx_stream_ssl_module.c @ 6817:e75e854657ba
SSL: $ssl_curves (ticket #1088).
The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".
Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session. As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).
The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 05 Dec 2016 22:23:23 +0300 |
| parents | ea93c7d8752a |
| children | 41cb1b64561d |
| rev | line source |
|---|---|
| 6115 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4 * Copyright (C) Nginx, Inc. | |
| 5 */ | |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 10 #include <ngx_stream.h> | |
| 11 | |
| 12 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
14 ngx_pool_t *pool, ngx_str_t *s); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
15 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
16 |
| 6115 | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6550
diff
changeset
|
18 #define NGX_DEFAULT_ECDH_CURVE "auto" |
| 6115 | 19 |
| 20 | |
| 6693 | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
| 22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | |
| 23 ngx_connection_t *c); | |
| 24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
25 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
26 ngx_stream_variable_value_t *v, uintptr_t data); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
27 static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
28 ngx_stream_variable_value_t *v, uintptr_t data); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
29 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
30 static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf); |
| 6115 | 31 static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf); |
| 32 static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, | |
| 33 void *child); | |
| 34 | |
| 35 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 36 void *conf); | |
| 37 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 38 void *conf); | |
| 6693 | 39 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf); |
| 6115 | 40 |
| 41 | |
| 42 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = { | |
| 43 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
| 44 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
| 45 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
| 46 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
| 47 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
| 48 { ngx_null_string, 0 } | |
| 49 }; | |
| 50 | |
| 51 | |
| 52 static ngx_command_t ngx_stream_ssl_commands[] = { | |
| 53 | |
| 54 { ngx_string("ssl_handshake_timeout"), | |
| 55 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 56 ngx_conf_set_msec_slot, | |
| 57 NGX_STREAM_SRV_CONF_OFFSET, | |
| 58 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), | |
| 59 NULL }, | |
| 60 | |
| 61 { ngx_string("ssl_certificate"), | |
| 62 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
63 ngx_conf_set_str_array_slot, |
| 6115 | 64 NGX_STREAM_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
65 offsetof(ngx_stream_ssl_conf_t, certificates), |
| 6115 | 66 NULL }, |
| 67 | |
| 68 { ngx_string("ssl_certificate_key"), | |
| 69 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
70 ngx_conf_set_str_array_slot, |
| 6115 | 71 NGX_STREAM_SRV_CONF_OFFSET, |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
72 offsetof(ngx_stream_ssl_conf_t, certificate_keys), |
| 6115 | 73 NULL }, |
| 74 | |
| 75 { ngx_string("ssl_password_file"), | |
| 76 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 77 ngx_stream_ssl_password_file, | |
| 78 NGX_STREAM_SRV_CONF_OFFSET, | |
| 79 0, | |
| 80 NULL }, | |
| 81 | |
| 82 { ngx_string("ssl_dhparam"), | |
| 83 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 84 ngx_conf_set_str_slot, | |
| 85 NGX_STREAM_SRV_CONF_OFFSET, | |
| 86 offsetof(ngx_stream_ssl_conf_t, dhparam), | |
| 87 NULL }, | |
| 88 | |
| 89 { ngx_string("ssl_ecdh_curve"), | |
| 90 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 91 ngx_conf_set_str_slot, | |
| 92 NGX_STREAM_SRV_CONF_OFFSET, | |
| 93 offsetof(ngx_stream_ssl_conf_t, ecdh_curve), | |
| 94 NULL }, | |
| 95 | |
| 96 { ngx_string("ssl_protocols"), | |
| 97 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, | |
| 98 ngx_conf_set_bitmask_slot, | |
| 99 NGX_STREAM_SRV_CONF_OFFSET, | |
| 100 offsetof(ngx_stream_ssl_conf_t, protocols), | |
| 101 &ngx_stream_ssl_protocols }, | |
| 102 | |
| 103 { ngx_string("ssl_ciphers"), | |
| 104 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 105 ngx_conf_set_str_slot, | |
| 106 NGX_STREAM_SRV_CONF_OFFSET, | |
| 107 offsetof(ngx_stream_ssl_conf_t, ciphers), | |
| 108 NULL }, | |
| 109 | |
| 110 { ngx_string("ssl_prefer_server_ciphers"), | |
| 111 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
| 112 ngx_conf_set_flag_slot, | |
| 113 NGX_STREAM_SRV_CONF_OFFSET, | |
| 114 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers), | |
| 115 NULL }, | |
| 116 | |
| 117 { ngx_string("ssl_session_cache"), | |
| 118 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12, | |
| 119 ngx_stream_ssl_session_cache, | |
| 120 NGX_STREAM_SRV_CONF_OFFSET, | |
| 121 0, | |
| 122 NULL }, | |
| 123 | |
| 124 { ngx_string("ssl_session_tickets"), | |
| 125 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, | |
| 126 ngx_conf_set_flag_slot, | |
| 127 NGX_STREAM_SRV_CONF_OFFSET, | |
| 128 offsetof(ngx_stream_ssl_conf_t, session_tickets), | |
| 129 NULL }, | |
| 130 | |
| 131 { ngx_string("ssl_session_ticket_key"), | |
| 132 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 133 ngx_conf_set_str_array_slot, | |
| 134 NGX_STREAM_SRV_CONF_OFFSET, | |
| 135 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys), | |
| 136 NULL }, | |
| 137 | |
| 138 { ngx_string("ssl_session_timeout"), | |
| 139 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | |
| 140 ngx_conf_set_sec_slot, | |
| 141 NGX_STREAM_SRV_CONF_OFFSET, | |
| 142 offsetof(ngx_stream_ssl_conf_t, session_timeout), | |
| 143 NULL }, | |
| 144 | |
| 145 ngx_null_command | |
| 146 }; | |
| 147 | |
| 148 | |
| 149 static ngx_stream_module_t ngx_stream_ssl_module_ctx = { | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
150 ngx_stream_ssl_add_variables, /* preconfiguration */ |
| 6693 | 151 ngx_stream_ssl_init, /* postconfiguration */ |
|
6174
68c106e6fa0a
Stream: added postconfiguration method to stream modules.
Vladimir Homutov <vl@nginx.com>
parents:
6157
diff
changeset
|
152 |
| 6115 | 153 NULL, /* create main configuration */ |
| 154 NULL, /* init main configuration */ | |
| 155 | |
| 156 ngx_stream_ssl_create_conf, /* create server configuration */ | |
| 157 ngx_stream_ssl_merge_conf /* merge server configuration */ | |
| 158 }; | |
| 159 | |
| 160 | |
| 161 ngx_module_t ngx_stream_ssl_module = { | |
| 162 NGX_MODULE_V1, | |
| 163 &ngx_stream_ssl_module_ctx, /* module context */ | |
| 164 ngx_stream_ssl_commands, /* module directives */ | |
| 165 NGX_STREAM_MODULE, /* module type */ | |
| 166 NULL, /* init master */ | |
| 167 NULL, /* init module */ | |
| 168 NULL, /* init process */ | |
| 169 NULL, /* init thread */ | |
| 170 NULL, /* exit thread */ | |
| 171 NULL, /* exit process */ | |
| 172 NULL, /* exit master */ | |
| 173 NGX_MODULE_V1_PADDING | |
| 174 }; | |
| 175 | |
| 176 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
177 static ngx_stream_variable_t ngx_stream_ssl_vars[] = { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
178 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
179 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
180 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
181 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
182 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
183 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
184 |
|
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
185 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable, |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
186 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6693
diff
changeset
|
187 |
|
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
188 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable, |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
189 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
190 |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
191 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
192 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
193 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
194 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
195 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
196 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
197 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
198 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
199 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
200 { ngx_null_string, NULL, NULL, 0, 0, 0 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
201 }; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
202 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
203 |
| 6115 | 204 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM"); |
| 205 | |
| 206 | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
207 static ngx_int_t |
| 6693 | 208 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
| 209 { | |
| 210 ngx_connection_t *c; | |
| 211 ngx_stream_ssl_conf_t *sslcf; | |
| 212 | |
| 213 c = s->connection; | |
| 214 | |
| 215 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
| 216 | |
| 217 if (s->ssl && c->ssl == NULL) { | |
| 218 c->log->action = "SSL handshaking"; | |
| 219 | |
| 220 if (sslcf->ssl.ctx == NULL) { | |
| 221 ngx_log_error(NGX_LOG_ERR, c->log, 0, | |
| 222 "no \"ssl_certificate\" is defined " | |
| 223 "in server listening on SSL port"); | |
| 224 return NGX_ERROR; | |
| 225 } | |
| 226 | |
| 227 return ngx_stream_ssl_init_connection(&sslcf->ssl, c); | |
| 228 } | |
| 229 | |
| 230 return NGX_OK; | |
| 231 } | |
| 232 | |
| 233 | |
| 234 static ngx_int_t | |
| 235 ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c) | |
| 236 { | |
| 237 ngx_int_t rc; | |
| 238 ngx_stream_session_t *s; | |
| 239 ngx_stream_ssl_conf_t *sslcf; | |
| 240 | |
| 241 s = c->data; | |
| 242 | |
| 243 if (ngx_ssl_create_connection(ssl, c, 0) == NGX_ERROR) { | |
| 244 return NGX_ERROR; | |
| 245 } | |
| 246 | |
| 247 rc = ngx_ssl_handshake(c); | |
| 248 | |
| 249 if (rc == NGX_ERROR) { | |
| 250 return NGX_ERROR; | |
| 251 } | |
| 252 | |
| 253 if (rc == NGX_AGAIN) { | |
| 254 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
| 255 | |
| 256 ngx_add_timer(c->read, sslcf->handshake_timeout); | |
| 257 | |
| 258 c->ssl->handler = ngx_stream_ssl_handshake_handler; | |
| 259 | |
| 260 return NGX_AGAIN; | |
| 261 } | |
| 262 | |
| 263 /* rc == NGX_OK */ | |
| 264 | |
| 265 return NGX_OK; | |
| 266 } | |
| 267 | |
| 268 | |
| 269 static void | |
| 270 ngx_stream_ssl_handshake_handler(ngx_connection_t *c) | |
| 271 { | |
| 272 ngx_stream_session_t *s; | |
| 273 | |
| 274 s = c->data; | |
| 275 | |
| 276 if (!c->ssl->handshaked) { | |
| 277 ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | |
| 278 return; | |
| 279 } | |
| 280 | |
| 281 if (c->read->timer_set) { | |
| 282 ngx_del_timer(c->read); | |
| 283 } | |
| 284 | |
| 285 ngx_stream_core_run_phases(s); | |
| 286 } | |
| 287 | |
| 288 | |
| 289 static ngx_int_t | |
|
6611
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
290 ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
291 ngx_stream_variable_value_t *v, uintptr_t data) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
292 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
293 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
294 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
295 size_t len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
296 ngx_str_t str; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
297 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
298 if (s->connection->ssl) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
299 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
300 (void) handler(s->connection, NULL, &str); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
301 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
302 v->data = str.data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
303 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
304 for (len = 0; v->data[len]; len++) { /* void */ } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
305 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
306 v->len = len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
307 v->valid = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
308 v->no_cacheable = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
309 v->not_found = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
310 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
311 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
312 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
313 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
314 v->not_found = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
315 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
316 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
317 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
318 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
319 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
320 static ngx_int_t |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
321 ngx_stream_ssl_variable(ngx_stream_session_t *s, |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
322 ngx_stream_variable_value_t *v, uintptr_t data) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
323 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
324 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
325 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
326 ngx_str_t str; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
327 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
328 if (s->connection->ssl) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
329 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
330 if (handler(s->connection, s->connection->pool, &str) != NGX_OK) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
331 return NGX_ERROR; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
332 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
333 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
334 v->len = str.len; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
335 v->data = str.data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
336 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
337 if (v->len) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
338 v->valid = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
339 v->no_cacheable = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
340 v->not_found = 0; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
341 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
342 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
343 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
344 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
345 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
346 v->not_found = 1; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
347 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
348 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
349 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
350 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
351 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
352 static ngx_int_t |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
353 ngx_stream_ssl_add_variables(ngx_conf_t *cf) |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
354 { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
355 ngx_stream_variable_t *var, *v; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
356 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
357 for (v = ngx_stream_ssl_vars; v->name.len; v++) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
358 var = ngx_stream_add_variable(cf, &v->name, v->flags); |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
359 if (var == NULL) { |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
360 return NGX_ERROR; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
361 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
362 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
363 var->get_handler = v->get_handler; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
364 var->data = v->data; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
365 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
366 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
367 return NGX_OK; |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
368 } |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
369 |
|
85e7bcb37d6b
Stream: SSL-related variables.
Vladimir Homutov <vl@nginx.com>
parents:
6606
diff
changeset
|
370 |
| 6115 | 371 static void * |
| 372 ngx_stream_ssl_create_conf(ngx_conf_t *cf) | |
| 373 { | |
| 374 ngx_stream_ssl_conf_t *scf; | |
| 375 | |
| 376 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t)); | |
| 377 if (scf == NULL) { | |
| 378 return NULL; | |
| 379 } | |
| 380 | |
| 381 /* | |
| 382 * set by ngx_pcalloc(): | |
| 383 * | |
| 384 * scf->protocols = 0; | |
| 385 * scf->dhparam = { 0, NULL }; | |
| 386 * scf->ecdh_curve = { 0, NULL }; | |
| 387 * scf->ciphers = { 0, NULL }; | |
| 388 * scf->shm_zone = NULL; | |
| 389 */ | |
| 390 | |
| 391 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
392 scf->certificates = NGX_CONF_UNSET_PTR; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
393 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
| 6115 | 394 scf->passwords = NGX_CONF_UNSET_PTR; |
| 395 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
| 396 scf->builtin_session_cache = NGX_CONF_UNSET; | |
| 397 scf->session_timeout = NGX_CONF_UNSET; | |
| 398 scf->session_tickets = NGX_CONF_UNSET; | |
| 399 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; | |
| 400 | |
| 401 return scf; | |
| 402 } | |
| 403 | |
| 404 | |
| 405 static char * | |
| 406 ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
| 407 { | |
| 408 ngx_stream_ssl_conf_t *prev = parent; | |
| 409 ngx_stream_ssl_conf_t *conf = child; | |
| 410 | |
| 411 ngx_pool_cleanup_t *cln; | |
| 412 | |
| 413 ngx_conf_merge_msec_value(conf->handshake_timeout, | |
| 414 prev->handshake_timeout, 60000); | |
| 415 | |
| 416 ngx_conf_merge_value(conf->session_timeout, | |
| 417 prev->session_timeout, 300); | |
| 418 | |
| 419 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
| 420 prev->prefer_server_ciphers, 0); | |
| 421 | |
| 422 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
|
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6115
diff
changeset
|
423 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
| 6115 | 424 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 425 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
426 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
427 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
428 NULL); |
| 6115 | 429 |
| 430 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | |
| 431 | |
| 432 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | |
| 433 | |
| 434 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | |
| 435 NGX_DEFAULT_ECDH_CURVE); | |
| 436 | |
| 437 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | |
| 438 | |
| 439 | |
| 440 conf->ssl.log = cf->log; | |
| 441 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
442 if (conf->certificates == NULL) { |
| 6115 | 443 return NGX_CONF_OK; |
| 444 } | |
| 445 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
446 if (conf->certificate_keys == NULL |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
447 || conf->certificate_keys->nelts < conf->certificates->nelts) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
448 { |
| 6115 | 449 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 450 "no \"ssl_certificate_key\" is defined " | |
| 451 "for certificate \"%V\"", | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
452 ((ngx_str_t *) conf->certificates->elts) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
453 + conf->certificates->nelts - 1); |
| 6115 | 454 return NGX_CONF_ERROR; |
| 455 } | |
| 456 | |
| 457 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | |
| 458 return NGX_CONF_ERROR; | |
| 459 } | |
| 460 | |
| 461 cln = ngx_pool_cleanup_add(cf->pool, 0); | |
| 462 if (cln == NULL) { | |
| 463 return NGX_CONF_ERROR; | |
| 464 } | |
| 465 | |
| 466 cln->handler = ngx_ssl_cleanup_ctx; | |
| 467 cln->data = &conf->ssl; | |
| 468 | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
469 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
470 conf->certificate_keys, conf->passwords) |
| 6115 | 471 != NGX_OK) |
| 472 { | |
| 473 return NGX_CONF_ERROR; | |
| 474 } | |
| 475 | |
|
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
476 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
477 conf->prefer_server_ciphers) |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6553
diff
changeset
|
478 != NGX_OK) |
| 6115 | 479 { |
| 480 return NGX_CONF_ERROR; | |
| 481 } | |
| 482 | |
| 483 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { | |
| 484 return NGX_CONF_ERROR; | |
| 485 } | |
| 486 | |
| 487 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | |
| 488 return NGX_CONF_ERROR; | |
| 489 } | |
| 490 | |
| 491 ngx_conf_merge_value(conf->builtin_session_cache, | |
| 492 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | |
| 493 | |
| 494 if (conf->shm_zone == NULL) { | |
| 495 conf->shm_zone = prev->shm_zone; | |
| 496 } | |
| 497 | |
| 498 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, | |
| 499 conf->builtin_session_cache, | |
| 500 conf->shm_zone, conf->session_timeout) | |
| 501 != NGX_OK) | |
| 502 { | |
| 503 return NGX_CONF_ERROR; | |
| 504 } | |
| 505 | |
| 506 ngx_conf_merge_value(conf->session_tickets, | |
| 507 prev->session_tickets, 1); | |
| 508 | |
| 509 #ifdef SSL_OP_NO_TICKET | |
| 510 if (!conf->session_tickets) { | |
| 511 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
| 512 } | |
| 513 #endif | |
| 514 | |
| 515 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
| 516 prev->session_ticket_keys, NULL); | |
| 517 | |
| 518 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
| 519 != NGX_OK) | |
| 520 { | |
| 521 return NGX_CONF_ERROR; | |
| 522 } | |
| 523 | |
| 524 return NGX_CONF_OK; | |
| 525 } | |
| 526 | |
| 527 | |
| 528 static char * | |
| 529 ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 530 { | |
| 531 ngx_stream_ssl_conf_t *scf = conf; | |
| 532 | |
| 533 ngx_str_t *value; | |
| 534 | |
| 535 if (scf->passwords != NGX_CONF_UNSET_PTR) { | |
| 536 return "is duplicate"; | |
| 537 } | |
| 538 | |
| 539 value = cf->args->elts; | |
| 540 | |
| 541 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]); | |
| 542 | |
| 543 if (scf->passwords == NULL) { | |
| 544 return NGX_CONF_ERROR; | |
| 545 } | |
| 546 | |
| 547 return NGX_CONF_OK; | |
| 548 } | |
| 549 | |
| 550 | |
| 551 static char * | |
| 552 ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 553 { | |
| 554 ngx_stream_ssl_conf_t *scf = conf; | |
| 555 | |
| 556 size_t len; | |
| 557 ngx_str_t *value, name, size; | |
| 558 ngx_int_t n; | |
| 559 ngx_uint_t i, j; | |
| 560 | |
| 561 value = cf->args->elts; | |
| 562 | |
| 563 for (i = 1; i < cf->args->nelts; i++) { | |
| 564 | |
| 565 if (ngx_strcmp(value[i].data, "off") == 0) { | |
| 566 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
| 567 continue; | |
| 568 } | |
| 569 | |
| 570 if (ngx_strcmp(value[i].data, "none") == 0) { | |
| 571 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
| 572 continue; | |
| 573 } | |
| 574 | |
| 575 if (ngx_strcmp(value[i].data, "builtin") == 0) { | |
| 576 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
| 577 continue; | |
| 578 } | |
| 579 | |
| 580 if (value[i].len > sizeof("builtin:") - 1 | |
| 581 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
| 582 == 0) | |
| 583 { | |
| 584 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
| 585 value[i].len - (sizeof("builtin:") - 1)); | |
| 586 | |
| 587 if (n == NGX_ERROR) { | |
| 588 goto invalid; | |
| 589 } | |
| 590 | |
| 591 scf->builtin_session_cache = n; | |
| 592 | |
| 593 continue; | |
| 594 } | |
| 595 | |
| 596 if (value[i].len > sizeof("shared:") - 1 | |
| 597 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
| 598 == 0) | |
| 599 { | |
| 600 len = 0; | |
| 601 | |
| 602 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
| 603 if (value[i].data[j] == ':') { | |
| 604 break; | |
| 605 } | |
| 606 | |
| 607 len++; | |
| 608 } | |
| 609 | |
| 610 if (len == 0) { | |
| 611 goto invalid; | |
| 612 } | |
| 613 | |
| 614 name.len = len; | |
| 615 name.data = value[i].data + sizeof("shared:") - 1; | |
| 616 | |
| 617 size.len = value[i].len - j - 1; | |
| 618 size.data = name.data + len + 1; | |
| 619 | |
| 620 n = ngx_parse_size(&size); | |
| 621 | |
| 622 if (n == NGX_ERROR) { | |
| 623 goto invalid; | |
| 624 } | |
| 625 | |
| 626 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 627 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 628 "session cache \"%V\" is too small", | |
| 629 &value[i]); | |
| 630 | |
| 631 return NGX_CONF_ERROR; | |
| 632 } | |
| 633 | |
| 634 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
| 635 &ngx_stream_ssl_module); | |
| 636 if (scf->shm_zone == NULL) { | |
| 637 return NGX_CONF_ERROR; | |
| 638 } | |
| 639 | |
| 640 scf->shm_zone->init = ngx_ssl_session_cache_init; | |
| 641 | |
| 642 continue; | |
| 643 } | |
| 644 | |
| 645 goto invalid; | |
| 646 } | |
| 647 | |
| 648 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
| 649 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
| 650 } | |
| 651 | |
| 652 return NGX_CONF_OK; | |
| 653 | |
| 654 invalid: | |
| 655 | |
| 656 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 657 "invalid session cache \"%V\"", &value[i]); | |
| 658 | |
| 659 return NGX_CONF_ERROR; | |
| 660 } | |
| 6693 | 661 |
| 662 | |
| 663 static ngx_int_t | |
| 664 ngx_stream_ssl_init(ngx_conf_t *cf) | |
| 665 { | |
| 666 ngx_stream_handler_pt *h; | |
| 667 ngx_stream_core_main_conf_t *cmcf; | |
| 668 | |
| 669 cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module); | |
| 670 | |
| 671 h = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers); | |
| 672 if (h == NULL) { | |
| 673 return NGX_ERROR; | |
| 674 } | |
| 675 | |
| 676 *h = ngx_stream_ssl_handler; | |
| 677 | |
| 678 return NGX_OK; | |
| 679 } |