Mail: reset imap tag to empty after authentication attempt.
We need to reset the imap tag to empty after an authentication attempt
completes, otherwise if the next line parsed is incomplete with no tag
(e.g. empty line) then we use the "tag" from the previous buffer which
is now definitely wrong and has been partially overwritten with the most
recently read data (e.g. CRLF).
An example before this patch:
S: * OK IMAP4 ready
C: foobar login a b
S: foobar NO Incorrect username or password.
C:
S:
S: obar BAD invalid command
Then with this patch:
S: * OK IMAP4 ready
C: foobar login a b
S: foobar NO Incorrect username or password.
C:
S: * BAD invalid command
author | Rob Mueller <robm@fastmailteam.com> |
---|---|
date | Wed, 15 May 2024 10:06:00 +0300 |
parents | 0aaa09927703 |
children |
1 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
5 */ |
6 |
7 |
8 #include <ngx_config.h> |
9 #include <ngx_core.h> |
10 #include <ngx_http.h> |
11 |
12 #if (NGX_QUIC_OPENSSL_COMPAT) |
13 #include <ngx_event_quic_openssl_compat.h> |
14 #endif |
15 |
573 | 16 |
/*
 * Handler type shared by the $ssl_* variables (see
 * ngx_http_ssl_static_variable / ngx_http_ssl_variable below): fills *s
 * for connection c, allocating from pool.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);


/*
 * Defaults used when "ssl_ciphers" / "ssl_ecdh_curve" are not configured.
 * NOTE(review): the cipher string is handed to the SSL library as-is;
 * which suites "HIGH" expands to depends on the library version linked in,
 * so the effective default should be audited per build rather than assumed.
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "auto"

/*
 * ALPN protocol list in wire format: each entry is a one-byte length
 * followed by the name (0x08 == strlen("http/1.1")).  Presumably consumed
 * by ngx_http_ssl_alpn_select below; the code attaching it to the SSL
 * context is outside this excerpt.
 */
#define NGX_HTTP_ALPN_PROTOS    "\x08http/1.1\x08http/1.0\x08http/0.9"


#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
/* Library ALPN selection callback; compiled only when the linked SSL
 * library defines the ALPN extension constant. */
static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
    const unsigned char **out, unsigned char *outlen,
    const unsigned char *in, unsigned int inlen, void *arg);
#endif

/* Variable handlers and their registration. */
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);

static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
/* Per-server configuration: allocation and merge with the parent level. */
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
    void *parent, void *child);

/* Prepares the ssl_certificate / ssl_certificate_key strings; per the
 * revision note ("variables support in ssl_certificate and
 * ssl_certificate_key") this is where variables in them are compiled. */
static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
    ngx_http_ssl_srv_conf_t *conf);

/* Custom directive handlers for the entries of ngx_http_ssl_commands[]
 * that need more than a generic ngx_conf_set_*_slot. */
static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

/* Post handler run on each ssl_conf_command key/value pair
 * (installed via ngx_http_ssl_conf_command_post). */
static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
    void *data);

/* ngx_int_t (ngx_conf_t *) has the shape of an http module
 * postconfiguration hook -- confirm in the module context definition.
 * The QUIC variant is only built with the OpenSSL compatibility layer. */
static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
#if (NGX_QUIC_OPENSSL_COMPAT)
static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf,
    ngx_http_conf_addr_t *addr);
#endif
61 |
62 |
/*
 * Names accepted by the "ssl_protocols" directive, mapped to the NGX_SSL_*
 * bits that ngx_conf_set_bitmask_slot ORs into
 * ngx_http_ssl_srv_conf_t.protocols (see ngx_http_ssl_commands[]).
 *
 * NOTE(review): SSLv2 and SSLv3 stay parseable for configuration
 * compatibility; whether a configured bit is actually honoured is
 * presumably decided where the SSL context is set up, outside this
 * excerpt.  Both protocols are long obsolete and should not appear in a
 * production ssl_protocols line.
 */
static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
    { ngx_null_string, 0 }   /* terminator */
};
72 | |
73 | |
/*
 * Values of the "ssl_verify_client" directive; the number is stored in
 * ngx_http_ssl_srv_conf_t.verify by ngx_conf_set_enum_slot and interpreted
 * elsewhere in this file.
 *
 * NOTE(review): from the names, "optional" requests but does not require a
 * client certificate and "optional_no_ca" additionally accepts one that
 * does not chain to ssl_client_certificate.  With either, the handshake
 * completes without a validated identity, so anything behind such a server
 * must check the verification result exposed through the ssl variables
 * before trusting the client -- confirm against the verify handling below.
 */
static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }   /* terminator */
};
81 | |
82 | |
/*
 * Values of the "ssl_ocsp" directive (client certificate OCSP checking,
 * per the revision note); stored in ngx_http_ssl_srv_conf_t.ocsp.
 * NOTE(review): the name "leaf" suggests only the end-entity certificate
 * is checked rather than the whole chain -- confirm in the OCSP code
 * before relying on that distinction.
 */
static ngx_conf_enum_t  ngx_http_ssl_ocsp[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("leaf"), 2 },
    { ngx_null_string, 0 }   /* terminator */
};
89 |
90 |
/*
 * Post-handler attached to the "ssl_conf_command" entry of
 * ngx_http_ssl_commands[]; ngx_conf_set_keyval_slot invokes
 * ngx_http_ssl_conf_command_check on each key/value pair it stores.
 */
static ngx_conf_post_t  ngx_http_ssl_conf_command_post =
    { ngx_http_ssl_conf_command_check };
93 |
94 |
95 static ngx_command_t ngx_http_ssl_commands[] = { |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
96 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
97 { ngx_string("ssl_certificate"), |
599 | 98 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
99 ngx_conf_set_str_array_slot, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
100 NGX_HTTP_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
101 offsetof(ngx_http_ssl_srv_conf_t, certificates), |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
102 NULL }, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
103 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
104 { ngx_string("ssl_certificate_key"), |
599 | 105 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
106 ngx_conf_set_str_array_slot, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
107 NGX_HTTP_SRV_CONF_OFFSET, |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
108 offsetof(ngx_http_ssl_srv_conf_t, certificate_keys), |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
109 NULL }, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
110 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
111 { ngx_string("ssl_password_file"), |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
112 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
113 ngx_http_ssl_password_file, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
114 NGX_HTTP_SRV_CONF_OFFSET, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
115 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
116 NULL }, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
117 |
2044 | 118 { ngx_string("ssl_dhparam"), |
119 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
120 ngx_conf_set_str_slot, | |
121 NGX_HTTP_SRV_CONF_OFFSET, | |
122 offsetof(ngx_http_ssl_srv_conf_t, dhparam), | |
123 NULL }, | |
124 | |
3960 | 125 { ngx_string("ssl_ecdh_curve"), |
126 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
127 ngx_conf_set_str_slot, | |
128 NGX_HTTP_SRV_CONF_OFFSET, | |
129 offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve), | |
130 NULL }, | |
131 | |
547 | 132 { ngx_string("ssl_protocols"), |
563 | 133 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
547 | 134 ngx_conf_set_bitmask_slot, |
135 NGX_HTTP_SRV_CONF_OFFSET, | |
136 offsetof(ngx_http_ssl_srv_conf_t, protocols), | |
137 &ngx_http_ssl_protocols }, | |
138 | |
479 | 139 { ngx_string("ssl_ciphers"), |
563 | 140 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
479 | 141 ngx_conf_set_str_slot, |
142 NGX_HTTP_SRV_CONF_OFFSET, | |
143 offsetof(ngx_http_ssl_srv_conf_t, ciphers), | |
144 NULL }, | |
145 | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
146 { ngx_string("ssl_buffer_size"), |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
147 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
148 ngx_conf_set_size_slot, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
149 NGX_HTTP_SRV_CONF_OFFSET, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
150 offsetof(ngx_http_ssl_srv_conf_t, buffer_size), |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
151 NULL }, |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
152 |
647 | 153 { ngx_string("ssl_verify_client"), |
4273
e444e8f6538b
Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse.
Sergey Budnevitch <sb@waeme.net>
parents:
4234
diff
changeset
|
154 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
2123 | 155 ngx_conf_set_enum_slot, |
647 | 156 NGX_HTTP_SRV_CONF_OFFSET, |
157 offsetof(ngx_http_ssl_srv_conf_t, verify), | |
2123 | 158 &ngx_http_ssl_verify }, |
647 | 159 |
160 { ngx_string("ssl_verify_depth"), | |
5504
8ed467553f6b
SSL: fixed ssl_verify_depth to take only one argument.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5503
diff
changeset
|
161 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
647 | 162 ngx_conf_set_num_slot, |
163 NGX_HTTP_SRV_CONF_OFFSET, | |
164 offsetof(ngx_http_ssl_srv_conf_t, verify_depth), | |
165 NULL }, | |
166 | |
167 { ngx_string("ssl_client_certificate"), | |
168 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
169 ngx_conf_set_str_slot, | |
170 NGX_HTTP_SRV_CONF_OFFSET, | |
171 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), | |
172 NULL }, | |
173 | |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
174 { ngx_string("ssl_trusted_certificate"), |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
175 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
176 ngx_conf_set_str_slot, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
177 NGX_HTTP_SRV_CONF_OFFSET, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
178 offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate), |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
179 NULL }, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
180 |
547 | 181 { ngx_string("ssl_prefer_server_ciphers"), |
182 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
183 ngx_conf_set_flag_slot, | |
184 NGX_HTTP_SRV_CONF_OFFSET, | |
185 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | |
186 NULL }, | |
187 | |
973 | 188 { ngx_string("ssl_session_cache"), |
189 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | |
190 ngx_http_ssl_session_cache, | |
191 NGX_HTTP_SRV_CONF_OFFSET, | |
192 0, | |
193 NULL }, | |
194 | |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
195 { ngx_string("ssl_session_tickets"), |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
196 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
197 ngx_conf_set_flag_slot, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
198 NGX_HTTP_SRV_CONF_OFFSET, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
199 offsetof(ngx_http_ssl_srv_conf_t, session_tickets), |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
200 NULL }, |
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5487
diff
changeset
|
201 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
202 { ngx_string("ssl_session_ticket_key"), |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
203 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
204 ngx_conf_set_str_array_slot, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
205 NGX_HTTP_SRV_CONF_OFFSET, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
206 offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys), |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
207 NULL }, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5387
diff
changeset
|
208 |
573 | 209 { ngx_string("ssl_session_timeout"), |
210 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
211 ngx_conf_set_sec_slot, | |
212 NGX_HTTP_SRV_CONF_OFFSET, | |
213 offsetof(ngx_http_ssl_srv_conf_t, session_timeout), | |
214 NULL }, | |
215 | |
2995 | 216 { ngx_string("ssl_crl"), |
217 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
218 ngx_conf_set_str_slot, | |
219 NGX_HTTP_SRV_CONF_OFFSET, | |
220 offsetof(ngx_http_ssl_srv_conf_t, crl), | |
221 NULL }, | |
222 | |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
223 { ngx_string("ssl_ocsp"), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
224 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
225 ngx_conf_set_enum_slot, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
226 NGX_HTTP_SRV_CONF_OFFSET, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
227 offsetof(ngx_http_ssl_srv_conf_t, ocsp), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
228 &ngx_http_ssl_ocsp }, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
229 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
230 { ngx_string("ssl_ocsp_responder"), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
231 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
232 ngx_conf_set_str_slot, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
233 NGX_HTTP_SRV_CONF_OFFSET, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
234 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder), |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
235 NULL }, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7567
diff
changeset
|
236 |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
237 { ngx_string("ssl_ocsp_cache"), |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
238 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
239 ngx_http_ssl_ocsp_cache, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
240 NGX_HTTP_SRV_CONF_OFFSET, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
241 0, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
242 NULL }, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
243 |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
244 { ngx_string("ssl_stapling"), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
245 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
246 ngx_conf_set_flag_slot, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
247 NGX_HTTP_SRV_CONF_OFFSET, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
248 offsetof(ngx_http_ssl_srv_conf_t, stapling), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
249 NULL }, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
250 |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
251 { ngx_string("ssl_stapling_file"), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
252 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
253 ngx_conf_set_str_slot, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
254 NGX_HTTP_SRV_CONF_OFFSET, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
255 offsetof(ngx_http_ssl_srv_conf_t, stapling_file), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
256 NULL }, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
257 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
258 { ngx_string("ssl_stapling_responder"), |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
259 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
260 ngx_conf_set_str_slot, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
261 NGX_HTTP_SRV_CONF_OFFSET, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
262 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
263 NULL }, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
264 |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
265 { ngx_string("ssl_stapling_verify"), |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
266 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
267 ngx_conf_set_flag_slot, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
268 NGX_HTTP_SRV_CONF_OFFSET, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
269 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
270 NULL }, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
271 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
272 { ngx_string("ssl_early_data"), |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
273 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
274 ngx_conf_set_flag_slot, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
275 NGX_HTTP_SRV_CONF_OFFSET, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
276 offsetof(ngx_http_ssl_srv_conf_t, early_data), |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
277 NULL }, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7270
diff
changeset
|
278 |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
279 { ngx_string("ssl_conf_command"), |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
280 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7654
diff
changeset
|
281 ngx_conf_set_keyval_slot, |
282 NGX_HTTP_SRV_CONF_OFFSET, |
283 offsetof(ngx_http_ssl_srv_conf_t, conf_commands), |
284 &ngx_http_ssl_conf_command_post }, |
285 |
286 { ngx_string("ssl_reject_handshake"), |
287 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
288 ngx_conf_set_flag_slot, |
289 NGX_HTTP_SRV_CONF_OFFSET, |
290 offsetof(ngx_http_ssl_srv_conf_t, reject_handshake), |
291 NULL }, |
292 |
293 ngx_null_command |
294 }; |
295 |
296 |
/*
 * HTTP module context.  Variable registration runs at preconfiguration
 * (ngx_http_ssl_add_variables, below); ngx_http_ssl_init runs at
 * postconfiguration (defined outside this view).  The module keeps
 * server-level configuration only: no main- or location-level hooks.
 */
static ngx_http_module_t  ngx_http_ssl_module_ctx = {
    ngx_http_ssl_add_variables,            /* preconfiguration */
    ngx_http_ssl_init,                     /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_http_ssl_create_srv_conf,          /* create server configuration */
    ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

    NULL,                                  /* create location configuration */
    NULL                                   /* merge location configuration */
};
310 |
311 |
/*
 * Module descriptor registered with the core.  Ties the context above to
 * the ngx_http_ssl_commands directive table (defined earlier in this
 * file).  No master/module/process/thread lifecycle hooks are used; the
 * leading and trailing macros fill the version-specific header and
 * reserved cells.
 */
ngx_module_t  ngx_http_ssl_module = {
    NGX_MODULE_V1,
    &ngx_http_ssl_module_ctx,              /* module context */
    ngx_http_ssl_commands,                 /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
326 |
327 |
/*
 * Variables exported by the module.  The "data" cell carries the
 * ngx_ssl_get_* accessor (cast to uintptr_t) that the get handler calls.
 * Entries routed through ngx_http_ssl_static_variable wrap accessors that
 * are invoked without a pool and whose result is ignored (see below);
 * entries routed through ngx_http_ssl_variable wrap accessors that are
 * given r->pool and may fail.  Every variable is CHANGEABLE;
 * $ssl_early_data is also NOCACHEABLE, so it is re-evaluated on each use.
 *
 * The ssl_client_* entries expose fields of the peer certificate (per the
 * accessor names); when forwarded to upstreams they are peer-supplied
 * data and should be treated as untrusted input there.
 *
 * The table ends with ngx_http_null_variable; ngx_http_ssl_add_variables
 * stops at the first entry whose name.len is zero, so that terminator is
 * presumably the empty-name entry - confirm against its definition.
 */
static ngx_http_variable_t  ngx_http_ssl_vars[] = {

    { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_curve"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_curve, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },

    /* not cacheable: early data status may change as the handshake completes */
    { ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_early_data,
      NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },

    { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_escaped_certificate,
      NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_start"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_start, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_end"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_end, NGX_HTTP_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

      ngx_http_null_variable
};
404 | |
405 | |
/*
 * Session ID context for the HTTP SSL contexts.  Presumably handed to the
 * session cache setup in the merge handler (not in this view) so cached
 * sessions are scoped to HTTP rather than shared with other protocols'
 * SSL contexts - confirm against the caller.
 */
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
973 | 407 |
408 | |
409 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
410 |
/*
 * ALPN selection callback (installed on the SSL context outside this
 * view).  Picks the protocol to negotiate from the client-supplied list
 * "in" - a sequence of length-prefixed names, "inlen" bytes in total -
 * against a server list chosen from the listening socket and server
 * configuration: h3 and/or hq on a QUIC listener, h2 followed by
 * NGX_HTTP_ALPN_PROTOS when HTTP/2 is enabled, NGX_HTTP_ALPN_PROTOS alone
 * otherwise.
 *
 * Returns SSL_TLSEXT_ERR_OK with *out/*outlen pointing into the server's
 * static list, or SSL_TLSEXT_ERR_ALERT_FATAL - which aborts the handshake -
 * when the two lists have no protocol in common, or when a QUIC listener
 * has neither HTTP/3 nor hq enabled.  "arg" is unused.
 */
static int
ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
    unsigned char *outlen, const unsigned char *in, unsigned int inlen,
    void *arg)
{
    unsigned int             srvlen;
    unsigned char           *srv;
#if (NGX_DEBUG)
    unsigned int             i;
#endif
#if (NGX_HTTP_V2 || NGX_HTTP_V3)
    ngx_http_connection_t   *hc;
#endif
#if (NGX_HTTP_V2)
    ngx_http_v2_srv_conf_t  *h2scf;
#endif
#if (NGX_HTTP_V3)
    ngx_http_v3_srv_conf_t  *h3scf;
#endif
#if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG)
    ngx_connection_t        *c;

    c = ngx_ssl_get_connection(ssl_conn);
#endif

#if (NGX_DEBUG)
    /*
     * walks the client's length-prefixed list for logging only.  The loop
     * trusts each length byte; it relies on the TLS library having
     * validated the extension before invoking the callback, otherwise a
     * length exceeding the remaining bytes would read past "in" -
     * confirm for the libraries in use
     */
    for (i = 0; i < inlen; i += in[i] + 1) {
        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
                       "SSL ALPN supported by client: %*s",
                       (size_t) in[i], &in[i + 1]);
    }
#endif

#if (NGX_HTTP_V2 || NGX_HTTP_V3)
    hc = c->data;
#endif

#if (NGX_HTTP_V3)
    if (hc->addr_conf->quic) {

        h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);

        /* on a QUIC listener only h3 and/or hq are ever offered */
        if (h3scf->enable && h3scf->enable_hq) {
            srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO
                                    NGX_HTTP_V3_HQ_ALPN_PROTO;
            srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO)
                     - 1;

        } else if (h3scf->enable_hq) {
            srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO;
            srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1;

        } else if (h3scf->enable) {
            srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO;
            srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1;

        } else {
            /* QUIC listener with nothing enabled: refuse the handshake */
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        }

    } else
#endif
    {
#if (NGX_HTTP_V2)
        h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);

        /* h2 is listed ahead of NGX_HTTP_ALPN_PROTOS when enabled per server or per listen */
        if (h2scf->enable || hc->addr_conf->http2) {
            srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
            srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;

        } else
#endif
        {
            srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
            srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
        }
    }

    /*
     * server-preference selection: the server list is passed first, so the
     * first server entry also present in the client list wins.  The const
     * is cast away only because the API's out-pointer is non-const; the
     * selected bytes themselves are not modified
     */
    if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
                              in, inlen)
        != OPENSSL_NPN_NEGOTIATED)
    {
        /* no common protocol: fail the handshake instead of falling back */
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
                   "SSL ALPN selected: %*s", (size_t) *outlen, *out);

    return SSL_TLSEXT_ERR_OK;
}
501 |
502 #endif |
503 |
504 |
/*
 * Get handler for variables backed by a static, NUL-terminated string.
 * "data" is the ngx_ssl_get_* accessor; it is called without a pool and
 * its return value is ignored, so accessors used here must not allocate
 * and must always set s.data - presumably ngx_ssl_get_protocol and
 * ngx_ssl_get_cipher_name satisfy this, confirm in ngx_event_openssl.c.
 *
 * Marks the variable not found on a plain (non-SSL) connection.
 * Always returns NGX_OK.
 */
static ngx_int_t
ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    size_t     len;
    ngx_str_t  s;

    if (!r->connection->ssl) {
        v->not_found = 1;
        return NGX_OK;
    }

    /* no pool: the accessor is expected to hand back static storage */
    (void) handler(r->connection, NULL, &s);

    v->data = s.data;

    /* the accessor gives no length, so measure the NUL-terminated string */
    len = 0;
    while (v->data[len] != '\0') {
        len++;
    }

    v->len = len;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
534 | |
535 | |
/*
 * Get handler for variables whose accessor may allocate and may fail.
 * "data" is the ngx_ssl_get_* accessor; it is called with r->pool and its
 * status is honoured: a failure propagates as NGX_ERROR.
 *
 * Marks the variable not found on a plain (non-SSL) connection and when
 * the accessor produces an empty string (v->len and v->data are still
 * assigned in the latter case).  Returns NGX_OK otherwise.
 */
static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
    uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    ngx_str_t  s;

    if (r->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    /* the accessor may allocate from the request pool; a failure aborts */
    if (handler(r->connection, r->pool, &s) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = s.len;
    v->data = s.data;

    if (v->len == 0) {
        /* an empty result is reported as "not found" rather than "" */
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
566 | |
567 | |
/*
 * Registers every entry of ngx_http_ssl_vars[] with the core variables
 * table at configuration time; the table ends at an entry with an empty name.
 *
 * Returns NGX_ERROR if ngx_http_add_variable() fails, NGX_OK otherwise.
 */
static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_http_variable_t  *entry, *registered;

    entry = ngx_http_ssl_vars;

    while (entry->name.len) {
        registered = ngx_http_add_variable(cf, &entry->name, entry->flags);
        if (registered == NULL) {
            return NGX_ERROR;
        }

        /* the core entry takes the module's getter and its argument */
        registered->get_handler = entry->get_handler;
        registered->data = entry->data;

        entry++;
    }

    return NGX_OK;
}
585 | |
586 | |
/*
 * Allocates the per-server SSL configuration.  Every directive-backed field
 * is initialised to its NGX_CONF_UNSET* marker so that
 * ngx_http_ssl_merge_srv_conf() can tell "not configured" from an explicit
 * value and inherit from the enclosing level.
 *
 * Returns the new configuration, or NULL if the pool allocation fails.
 */
static void *
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
{
    ngx_http_ssl_srv_conf_t  *conf;

    conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
    if (conf == NULL) {
        return NULL;
    }

    /*
     * already zeroed by ngx_pcalloc() and therefore not touched here:
     *
     *     conf->protocols = 0;
     *     conf->certificate_values = NULL;
     *     conf->dhparam = { 0, NULL };
     *     conf->ecdh_curve = { 0, NULL };
     *     conf->client_certificate = { 0, NULL };
     *     conf->trusted_certificate = { 0, NULL };
     *     conf->crl = { 0, NULL };
     *     conf->ciphers = { 0, NULL };
     *     conf->shm_zone = NULL;
     *     conf->ocsp_responder = { 0, NULL };
     *     conf->stapling_file = { 0, NULL };
     *     conf->stapling_responder = { 0, NULL };
     */

    /* merged with ngx_conf_merge_value() */

    conf->prefer_server_ciphers = NGX_CONF_UNSET;
    conf->early_data = NGX_CONF_UNSET;
    conf->reject_handshake = NGX_CONF_UNSET;
    conf->builtin_session_cache = NGX_CONF_UNSET;
    conf->session_timeout = NGX_CONF_UNSET;
    conf->session_tickets = NGX_CONF_UNSET;
    conf->stapling = NGX_CONF_UNSET;
    conf->stapling_verify = NGX_CONF_UNSET;

    /* merged with ngx_conf_merge_uint_value() / ngx_conf_merge_size_value() */

    conf->verify = NGX_CONF_UNSET_UINT;
    conf->verify_depth = NGX_CONF_UNSET_UINT;
    conf->ocsp = NGX_CONF_UNSET_UINT;
    conf->buffer_size = NGX_CONF_UNSET_SIZE;

    /* merged with ngx_conf_merge_ptr_value() */

    conf->certificates = NGX_CONF_UNSET_PTR;
    conf->certificate_keys = NGX_CONF_UNSET_PTR;
    conf->passwords = NGX_CONF_UNSET_PTR;
    conf->conf_commands = NGX_CONF_UNSET_PTR;
    conf->session_ticket_keys = NGX_CONF_UNSET_PTR;
    conf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;

    return conf;
}
635 |
636 |
501 | 637 static char * |
638 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | |
639 { |
640 ngx_http_ssl_srv_conf_t *prev = parent; |
641 ngx_http_ssl_srv_conf_t *conf = child; |
642 |
563 | 643 ngx_pool_cleanup_t *cln; |
644 | |
573 | 645 ngx_conf_merge_value(conf->session_timeout, |
646 prev->session_timeout, 300); | |
647 | |
547 | 648 ngx_conf_merge_value(conf->prefer_server_ciphers, |
649 prev->prefer_server_ciphers, 0); | |
650 | |
651 ngx_conf_merge_value(conf->early_data, prev->early_data, 0); |
652 ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0); |
653 |
547 | 654 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
655 (NGX_CONF_BITMASK_SET |
656 |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1 |
657 |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3)); |
547 | 658 |
659 ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size, |
660 NGX_SSL_BUFSIZE); |
661 |
2123 | 662 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
663 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); | |
647 | 664 |
665 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
666 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
667 NULL); |
668 |
669 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
670 |
2044 | 671 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
672 | |
647 | 673 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
674 ""); | |
675 ngx_conf_merge_str_value(conf->trusted_certificate, |
676 prev->trusted_certificate, ""); |
2995 | 677 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
647 | 678 |
3960 | 679 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
680 NGX_DEFAULT_ECDH_CURVE); | |
681 | |
2124 | 682 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
479 | 683 |
684 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); |
685 |
686 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); |
687 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); |
688 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone, |
689 prev->ocsp_cache_zone, NULL); |
690 |
691 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
692 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); |
693 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
694 ngx_conf_merge_str_value(conf->stapling_responder, |
695 prev->stapling_responder, ""); |
479 | 696 |
547 | 697 conf->ssl.log = cf->log; |
698 |
699 if (conf->certificates) { |
2224 | 700 |
701 if (conf->certificate_keys == NULL |
702 || conf->certificate_keys->nelts < conf->certificates->nelts) |
703 { |
2224 | 704 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
705 "no \"ssl_certificate_key\" is defined " | |
706 "for certificate \"%V\"", |
707 ((ngx_str_t *) conf->certificates->elts) |
708 + conf->certificates->nelts - 1); |
2224 | 709 return NGX_CONF_ERROR; |
710 } | |
711 |
712 } else if (!conf->reject_handshake) { |
713 return NGX_CONF_OK; |
2224 | 714 } |
715 | |
969 | 716 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
717 return NGX_CONF_ERROR; |
718 } |
719 |
720 cln = ngx_pool_cleanup_add(cf->pool, 0); |
721 if (cln == NULL) { |
722 ngx_ssl_cleanup_ctx(&conf->ssl); |
723 return NGX_CONF_ERROR; |
724 } |
725 |
726 cln->handler = ngx_ssl_cleanup_ctx; |
727 cln->data = &conf->ssl; |
728 |
1219 | 729 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
730 | |
731 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | |
732 ngx_http_ssl_servername) | |
733 == 0) | |
734 { | |
735 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
3209 | 736 "nginx was built with SNI support, however, now it is linked " |
737 "dynamically to an OpenSSL library which has no tlsext support, " |
738 "therefore SNI is not available"); |
1219 | 739 } |
740 | |
741 #endif | |
742 | |
743 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
744 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL); |
745 #endif |
746 |
747 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
748 conf->prefer_server_ciphers) |
749 != NGX_OK) |
750 { |
751 return NGX_CONF_ERROR; |
752 } |
753 |
754 if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) { |
755 return NGX_CONF_ERROR; |
756 } |
757 |
758 if (conf->certificate_values) { |
759 |
760 #ifdef SSL_R_CERT_CB_ERROR |
761 |
762 /* install callback to lookup certificates */ |
763 |
764 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf); |
765 |
766 #else |
767 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
768 "variables in " |
769 "\"ssl_certificate\" and \"ssl_certificate_key\" " |
770 "directives are not supported on this platform"); |
771 return NGX_CONF_ERROR; |
772 #endif |
773 |
774 } else if (conf->certificates) { |
775 |
776 /* configure certificates */ |
777 |
778 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
779 conf->certificate_keys, conf->passwords) |
780 != NGX_OK) |
781 { |
782 return NGX_CONF_ERROR; |
783 } |
784 } |
785 |
786 conf->ssl.buffer_size = conf->buffer_size; |
787 |
647 | 788 if (conf->verify) { |
2123 | 789 |
790 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
2123 | 791 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
792 "no ssl_client_certificate for ssl_verify_client"); |
2123 | 793 return NGX_CONF_ERROR; |
794 } | |
795 | |
671 | 796 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
970 | 797 &conf->client_certificate, |
798 conf->verify_depth) | |
671 | 799 != NGX_OK) |
800 { | |
801 return NGX_CONF_ERROR; | |
647 | 802 } |
803 } |
2995 | 804 |
805 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
806 &conf->trusted_certificate, |
807 conf->verify_depth) |
808 != NGX_OK) |
809 { |
810 return NGX_CONF_ERROR; |
811 } |
812 |
813 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
814 return NGX_CONF_ERROR; |
647 | 815 } |
816 | |
817 if (conf->ocsp) { |
818 |
819 if (conf->verify == 3) { |
820 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
821 "\"ssl_ocsp\" is incompatible with " |
822 "\"ssl_verify_client optional_no_ca\""); |
823 return NGX_CONF_ERROR; |
824 } |
825 |
826 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp, |
827 conf->ocsp_cache_zone) |
828 != NGX_OK) |
829 { |
830 return NGX_CONF_ERROR; |
831 } |
832 } |
833 |
2044 | 834 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
835 return NGX_CONF_ERROR; | |
836 } | |
837 | |
3960 | 838 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
839 return NGX_CONF_ERROR; | |
840 } | |
841 | |
973 | 842 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 843 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
973 | 844 |
845 if (conf->shm_zone == NULL) { | |
846 conf->shm_zone = prev->shm_zone; | |
847 } | |
848 | |
849 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, |
850 conf->certificates, conf->builtin_session_cache, |
851 conf->shm_zone, conf->session_timeout) |
852 != NGX_OK) |
973 | 853 { |
854 return NGX_CONF_ERROR; |
973 | 855 } |
573 | 856 |
857 ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1); |
858 |
859 #ifdef SSL_OP_NO_TICKET |
860 if (!conf->session_tickets) { |
861 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
862 } |
863 #endif |
864 |
865 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
866 prev->session_ticket_keys, NULL); |
867 |
868 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
869 != NGX_OK) |
870 { |
871 return NGX_CONF_ERROR; |
872 } |
873 |
874 if (conf->stapling) { |
875 |
876 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, |
877 &conf->stapling_responder, conf->stapling_verify) |
878 != NGX_OK) |
879 { |
880 return NGX_CONF_ERROR; |
881 } |
882 |
883 } |
884 |
885 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) { |
886 return NGX_CONF_ERROR; |
887 } |
888 |
889 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) { |
890 return NGX_CONF_ERROR; |
891 } |
892 |
893 return NGX_CONF_OK; |
894 } |
563 | 895 |
896 | |
/*
 * Pushes a fresh complex value onto "values" and compiles "value" into it.
 * ccv.zero is set, exactly as the former inline code did for both the
 * certificate and the key lists (presumably so the compiled path is
 * NUL-terminated for use as a file name — confirm in ngx_http_script.c).
 *
 * Returns NGX_OK, or NGX_ERROR on allocation or compilation failure.
 */
static ngx_int_t
ngx_http_ssl_compile_certificate_value(ngx_conf_t *cf, ngx_str_t *value,
    ngx_array_t *values)
{
    ngx_http_complex_value_t          *cv;
    ngx_http_compile_complex_value_t   ccv;

    cv = ngx_array_push(values);
    if (cv == NULL) {
        return NGX_ERROR;
    }

    ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));

    ccv.cf = cf;
    ccv.value = value;
    ccv.complex_value = cv;
    ccv.zero = 1;

    if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
        return NGX_ERROR;
    }

    return NGX_OK;
}


/*
 * Compiles the "ssl_certificate" / "ssl_certificate_key" paths of a server
 * block into complex values when at least one of them uses variables.
 *
 * When no certificate or key path references a variable nothing is
 * compiled and conf->certificate_values / conf->certificate_key_values are
 * left untouched.  Otherwise every entry of both lists is compiled — the
 * static ones too — so the two result arrays stay parallel to
 * conf->certificates.  Both lists are walked with
 * conf->certificates->nelts, i.e. they are assumed to be the same length;
 * that is presumably enforced by the caller and is not verified here.
 *
 * In the dynamic case conf->passwords is also passed through
 * ngx_ssl_preserve_passwords(); presumably this keeps the passphrases
 * available after configuration parsing for certificates loaded later —
 * TODO confirm against ngx_event_openssl.c.
 *
 * Returns NGX_OK on success (or when nothing needed compiling) and
 * NGX_ERROR on allocation or compilation failure.
 */
static ngx_int_t
ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
    ngx_http_ssl_srv_conf_t *conf)
{
    ngx_str_t   *certs, *keys;
    ngx_uint_t   n, count, dynamic;

    if (conf->certificates == NULL) {
        return NGX_OK;
    }

    certs = conf->certificates->elts;
    keys = conf->certificate_keys->elts;
    count = conf->certificates->nelts;

    /* only compile when some path actually contains variables */

    dynamic = 0;

    for (n = 0; n < count; n++) {
        if (ngx_http_script_variables_count(&certs[n])
            || ngx_http_script_variables_count(&keys[n]))
        {
            dynamic = 1;
            break;
        }
    }

    if (!dynamic) {
        return NGX_OK;
    }

    conf->certificate_values = ngx_array_create(cf->pool, count,
                                             sizeof(ngx_http_complex_value_t));
    if (conf->certificate_values == NULL) {
        return NGX_ERROR;
    }

    conf->certificate_key_values = ngx_array_create(cf->pool, count,
                                             sizeof(ngx_http_complex_value_t));
    if (conf->certificate_key_values == NULL) {
        return NGX_ERROR;
    }

    for (n = 0; n < count; n++) {

        /* certificate first, then its key, keeping both arrays in step */

        if (ngx_http_ssl_compile_certificate_value(cf, &certs[n],
                                                   conf->certificate_values)
            != NGX_OK)
        {
            return NGX_ERROR;
        }

        if (ngx_http_ssl_compile_certificate_value(cf, &keys[n],
                                                   conf->certificate_key_values)
            != NGX_OK)
        {
            return NGX_ERROR;
        }
    }

    conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
    if (conf->passwords == NULL) {
        return NGX_ERROR;
    }

    return NGX_OK;
}
983 |
984 |
/*
 * Handler for the "ssl_password_file" directive.
 *
 * Reads the passphrase file named by the directive's single argument at
 * configuration time through ngx_ssl_read_password_file() and stores the
 * result in sscf->passwords.  The directive is accepted at most once per
 * server block: a repeat is rejected with "is duplicate".
 *
 * NOTE(review): the passphrases stay in the server configuration (they are
 * handed to ngx_ssl_preserve_passwords() again when certificates use
 * variables), so the file itself should be readable only by the user that
 * runs nginx.
 *
 * Returns NGX_CONF_OK, the string "is duplicate", or NGX_CONF_ERROR when
 * the file could not be read.
 */
static char *
ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    ngx_str_t  *args;

    if (sscf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    args = cf->args->elts;

    /* args[0] is the directive name, args[1] the file path */

    sscf->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    return (sscf->passwords == NULL) ? NGX_CONF_ERROR : NGX_CONF_OK;
}
1006 |
1007 |
/*
 * Parses one "shared:NAME:SIZE" argument of "ssl_session_cache" and
 * registers the matching shared memory zone in sscf->shm_zone.
 *
 * "value" must already be known to start with "shared:" and to be longer
 * than that prefix; the caller checks this before calling.
 *
 * Returns NGX_OK when the zone was added, NGX_DECLINED when the argument is
 * malformed (empty name, no ":SIZE" part, or a size ngx_parse_size()
 * rejects) so the caller can emit its generic "invalid session cache"
 * error, and NGX_ERROR when the failure has already been reported here or
 * ngx_shared_memory_add() failed.
 */
static ngx_int_t
ngx_http_ssl_session_cache_shared(ngx_conf_t *cf,
    ngx_http_ssl_srv_conf_t *sscf, ngx_str_t *value)
{
    ngx_int_t    size;
    ngx_str_t    name, spec;
    ngx_uint_t   j, start;

    start = sizeof("shared:") - 1;

    /* the zone name runs from just after "shared:" up to the next ':' */

    for (j = start; j < value->len && value->data[j] != ':'; j++) {
        /* void */
    }

    name.len = j - start;
    name.data = value->data + start;

    if (name.len == 0 || j == value->len) {
        return NGX_DECLINED;
    }

    /* everything after that ':' is the size specification */

    spec.data = value->data + j + 1;
    spec.len = value->len - j - 1;

    size = ngx_parse_size(&spec);

    if (size == NGX_ERROR) {
        return NGX_DECLINED;
    }

    /*
     * zones below eight pages are refused at configuration time,
     * presumably because such a zone could not hold a useful number of
     * sessions once the slab allocator's own overhead is taken out
     */

    if (size < (ngx_int_t) (8 * ngx_pagesize)) {
        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                           "session cache \"%V\" is too small", value);
        return NGX_ERROR;
    }

    sscf->shm_zone = ngx_shared_memory_add(cf, &name, size,
                                           &ngx_http_ssl_module);
    if (sscf->shm_zone == NULL) {
        return NGX_ERROR;
    }

    sscf->shm_zone->init = ngx_ssl_session_cache_init;

    return NGX_OK;
}


/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Any number of arguments are accepted, each being one of:
 *
 *   off               sscf->builtin_session_cache = NGX_SSL_NO_SCACHE
 *   none              sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE
 *   builtin           sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE
 *   builtin:N         sscf->builtin_session_cache = N (parsed by ngx_atoi)
 *   shared:NAME:SIZE  a shared memory zone, stored in sscf->shm_zone
 *
 * What each builtin_session_cache value means for the SSL context is
 * decided later by ngx_ssl_session_cache(), called from the merge handler.
 * A later argument overrides an earlier one of the same kind.  When a
 * shared zone was given and nothing was said about the builtin cache, the
 * builtin cache is switched off (NGX_SSL_NO_BUILTIN_SCACHE).
 *
 * Any argument that matches none of the forms fails the configuration with
 * an "invalid session cache" error naming that argument.
 */
static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_ssl_srv_conf_t *sscf = conf;

    ngx_int_t    rc, count;
    ngx_str_t   *arg, *args;
    ngx_uint_t   i;

    args = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {
        arg = &args[i];

        if (ngx_strcmp(arg->data, "off") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(arg->data, "none") == 0) {
            sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(arg->data, "builtin") == 0) {
            sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (arg->len > sizeof("builtin:") - 1
            && ngx_strncmp(arg->data, "builtin:", sizeof("builtin:") - 1) == 0)
        {
            count = ngx_atoi(arg->data + sizeof("builtin:") - 1,
                             arg->len - (sizeof("builtin:") - 1));
            if (count == NGX_ERROR) {
                goto invalid;
            }

            sscf->builtin_session_cache = count;
            continue;
        }

        if (arg->len > sizeof("shared:") - 1
            && ngx_strncmp(arg->data, "shared:", sizeof("shared:") - 1) == 0)
        {
            rc = ngx_http_ssl_session_cache_shared(cf, sscf, arg);

            if (rc == NGX_DECLINED) {
                goto invalid;
            }

            if (rc != NGX_OK) {
                /* the helper has already logged the reason */
                return NGX_CONF_ERROR;
            }

            continue;
        }

        goto invalid;
    }

    if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
        sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &args[i]);

    return NGX_CONF_ERROR;
}
1118 |
1119 |
1120 static char * |
1121 ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
1122 { |
1123 ngx_http_ssl_srv_conf_t *sscf = conf; |
1124 |
1125 size_t len; |
1126 ngx_int_t n; |
1127 ngx_str_t *value, name, size; |
1128 ngx_uint_t j; |
1129 |
1130 if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) { |
1131 return "is duplicate"; |
1132 } |
1133 |
1134 value = cf->args->elts; |
1135 |
1136 if (ngx_strcmp(value[1].data, "off") == 0) { |
1137 sscf->ocsp_cache_zone = NULL; |
1138 return NGX_CONF_OK; |
1139 } |
1140 |
1141 if (value[1].len <= sizeof("shared:") - 1 |
1142 || ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0) |
1143 { |
1144 goto invalid; |
1145 } |
1146 |
1147 len = 0; |
1148 |
1149 for (j = sizeof("shared:") - 1; j < value[1].len; j++) { |
1150 if (value[1].data[j] == ':') { |
1151 break; |
1152 } |
1154 len++; |
1155 } |
1157 if (len == 0 || j == value[1].len) { |
1158 goto invalid; |
1159 } |
1161 name.len = len; |
1162 name.data = value[1].data + sizeof("shared:") - 1; |
1164 size.len = value[1].len - j - 1; |
1165 size.data = name.data + len + 1; |
1167 n = ngx_parse_size(&size); |
1169 if (n == NGX_ERROR) { |
1170 goto invalid; |
1171 } |
1173 if (n < (ngx_int_t) (8 * ngx_pagesize)) { |
1174 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
1175 "OCSP cache \"%V\" is too small", &value[1]); |
1177 return NGX_CONF_ERROR; |
1178 } |
1180 sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n, |
1181 &ngx_http_ssl_module_ctx); |
1182 if (sscf->ocsp_cache_zone == NULL) { |
1183 return NGX_CONF_ERROR; |
1184 } |
1186 sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init; |
1188 return NGX_CONF_OK; |
1190 invalid: |
1192 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
1193 "invalid OCSP cache \"%V\"", &value[1]); |
1195 return NGX_CONF_ERROR; |
1196 } |
/*
 * Post-handler for the "ssl_conf_command" directive.
 *
 * The directive can only be honoured when the OpenSSL build nginx was
 * linked against provides the SSL_CONF API, which is detected through the
 * SSL_CONF_FLAG_FILE macro.  The cf, post and data arguments are not
 * examined; the answer depends on the build alone.
 *
 * Returns NGX_CONF_OK when the API is available, otherwise an error
 * string that the configuration parser reports next to the directive.
 */
static char *
ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifdef SSL_CONF_FLAG_FILE
    return NGX_CONF_OK;
#else
    return "is not supported on this platform";
#endif
}
/*
 * Postconfiguration handler of ngx_http_ssl_module.
 *
 * Two passes over the parsed configuration are made:
 *
 *   1. every server{} block that has an SSL context gets the resolver of
 *      its core location configuration handed to the OCSP stapling and
 *      client certificate OCSP code, when the respective feature is on;
 *
 *   2. every listening address marked "ssl" or "quic" is checked at
 *      startup so that a listener without a usable certificate is refused
 *      here instead of failing every handshake at runtime: the default
 *      server must either define "ssl_certificate" or enable
 *      "ssl_reject_handshake", and in the latter case every non-default
 *      server on that address must do one of the two as well.  A "quic"
 *      listener additionally requires TLSv1.3 in "ssl_protocols" of its
 *      default server.
 *
 * Returns NGX_OK, or NGX_ERROR after an NGX_LOG_EMERG message naming the
 * offending server{} block (file name and line) has been logged.
 */
static ngx_int_t
ngx_http_ssl_init(ngx_conf_t *cf)
{
    ngx_uint_t                   a, p, s;
    const char                  *name;
    ngx_http_conf_addr_t        *addr;
    ngx_http_conf_port_t        *port;
    ngx_http_ssl_srv_conf_t     *sscf;
    ngx_http_core_loc_conf_t    *clcf;
    ngx_http_core_srv_conf_t   **cscfp, *cscf;
    ngx_http_core_main_conf_t   *cmcf;

    cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    /* pass 1: resolvers for OCSP stapling and client certificate OCSP */

    cscfp = cmcf->servers.elts;

    for (s = 0; s < cmcf->servers.nelts; s++) {

        sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

        if (sscf->ssl.ctx == NULL) {
            /* no SSL context was created for this server{} */
            continue;
        }

        clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];

        if (sscf->stapling
            && ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
                                         clcf->resolver_timeout)
               != NGX_OK)
        {
            return NGX_ERROR;
        }

        if (sscf->ocsp
            && ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver,
                                     clcf->resolver_timeout)
               != NGX_OK)
        {
            return NGX_ERROR;
        }
    }

    /* pass 2: every "listen ... ssl|quic" needs a certificate somewhere */

    if (cmcf->ports == NULL) {
        return NGX_OK;
    }

    port = cmcf->ports->elts;

    for (p = 0; p < cmcf->ports->nelts; p++) {

        addr = port[p].addrs.elts;

        for (a = 0; a < port[p].addrs.nelts; a++) {

            if (!addr[a].opt.ssl && !addr[a].opt.quic) {
                continue;
            }

            /* used only in the diagnostics below */
            name = addr[a].opt.quic ? "quic" : "ssl";

#if (NGX_QUIC_OPENSSL_COMPAT)
            if (addr[a].opt.quic
                && ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK)
            {
                return NGX_ERROR;
            }
#endif

            cscf = addr[a].default_server;
            sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

            if (sscf->certificates) {

                /* QUIC runs over TLSv1.3 only, older protocols cannot serve it */

                if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
                    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                                  "\"ssl_protocols\" must enable TLSv1.3 for "
                                  "the \"listen ... %s\" directive in %s:%ui",
                                  name, cscf->file_name, cscf->line);
                    return NGX_ERROR;
                }

                continue;
            }

            if (!sscf->reject_handshake) {
                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                              "no \"ssl_certificate\" is defined for "
                              "the \"listen ... %s\" directive in %s:%ui",
                              name, cscf->file_name, cscf->line);
                return NGX_ERROR;
            }

            /*
             * the default server has no certificates and rejects handshakes,
             * so every other server{} on this address has to bring its own
             * certificate or reject handshakes as well
             */

            cscfp = addr[a].servers.elts;

            for (s = 0; s < addr[a].servers.nelts; s++) {

                cscf = cscfp[s];
                sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

                if (sscf->certificates || sscf->reject_handshake) {
                    continue;
                }

                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                              "no \"ssl_certificate\" is defined for "
                              "the \"listen ... %s\" directive in %s:%ui",
                              name, cscf->file_name, cscf->line);
                return NGX_ERROR;
            }
        }
    }

    return NGX_OK;
}
1333 #if (NGX_QUIC_OPENSSL_COMPAT) |
/*
 * Initializes the QUIC OpenSSL compatibility layer on the SSL context of
 * every server{} block bound to the given listening address.  Only servers
 * that define certificates or enable "ssl_reject_handshake" are touched,
 * the same set of servers ngx_http_ssl_init() accepts for an SSL/QUIC
 * listener.
 *
 * Returns NGX_OK, or NGX_ERROR as soon as ngx_quic_compat_init() fails for
 * one of the contexts.
 */
static ngx_int_t
ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
{
    ngx_uint_t                  i;
    ngx_http_ssl_srv_conf_t    *sscf;
    ngx_http_core_srv_conf_t  **servers;

    servers = addr->servers.elts;

    for (i = 0; i < addr->servers.nelts; i++) {

        sscf = servers[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

        if (!sscf->certificates && !sscf->reject_handshake) {
            /* neither a certificate nor an explicit rejection: skipped */
            continue;
        }

        if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
            return NGX_ERROR;
        }
    }

    return NGX_OK;
}
1358 #endif |