Mercurial > hg > nginx

annotate src/http/modules/ngx_http_ssl_module.c @ 9274:46ecad404a29 default tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Mail: reset imap tag to empty after authentication attempt. We need to reset the imap tag to empty after an authentication attempt completes, otherwise if the next line parsed is incomplete with no tag (e.g. empty line) then we use the "tag" from the previous buffer which is now definitely wrong and has been partially overwritten with the most recently read data (e.g. CRLF). An example before this patch: S: * OK IMAP4 ready C: foobar login a b S: foobar NO Incorrect username or password. C: S: S: obar BAD invalid command Then with this patch: S: * OK IMAP4 ready C: foobar login a b S: foobar NO Incorrect username or password. C: S: * BAD invalid command
author Rob Mueller <robm@fastmailteam.com>
date Wed, 15 May 2024 10:06:00 +0300
parents 0aaa09927703
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
2 /*
444
42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents: 441
diff changeset
3 * Copyright (C) Igor Sysoev
4412
d620f497c50f Copyright updated.
Maxim Konovalov <maxim@nginx.com>
parents: 4400
diff changeset
4 * Copyright (C) Nginx, Inc.
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
5 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
6
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
7
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
8 #include <ngx_config.h>
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
9 #include <ngx_core.h>
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
10 #include <ngx_http.h>
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
11
9080
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
12 #if (NGX_QUIC_OPENSSL_COMPAT)
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
13 #include <ngx_event_quic_openssl_compat.h>
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
14 #endif
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
15
573
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
16
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
17 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
18 ngx_pool_t *pool, ngx_str_t *s);
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
19
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
20
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
21 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
6553
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6550
diff changeset
22 #define NGX_DEFAULT_ECDH_CURVE "auto"
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
23
7937
db6b630e6086 HTTP: connections with wrong ALPN protocols are now rejected.
Vladimir Homutov <vl@nginx.com>
parents: 7935
diff changeset
24 #define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
25
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
26
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
27 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
28 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
29 const unsigned char **out, unsigned char *outlen,
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
30 const unsigned char *in, unsigned int inlen, void *arg);
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
31 #endif
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
32
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
33 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
34 ngx_http_variable_value_t *v, uintptr_t data);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
35 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
36 ngx_http_variable_value_t *v, uintptr_t data);
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
37
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
38 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
39 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
40 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
501
d4ea69372b94 nginx-0.1.25-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 485
diff changeset
41 void *parent, void *child);
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
42
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
43 static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
44 ngx_http_ssl_srv_conf_t *conf);
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
45
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
46 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
47 void *conf);
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
48 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
49 void *conf);
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
50 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
51 void *conf);
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
52
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
53 static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
54 void *data);
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
55
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
56 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
9083
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
57 #if (NGX_QUIC_OPENSSL_COMPAT)
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
58 static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf,
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
59 ngx_http_conf_addr_t *addr);
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
60 #endif
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
61
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
62
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
63 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
64 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
65 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
66 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4273
diff changeset
67 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4273
diff changeset
68 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
6981
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6817
diff changeset
69 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
70 { ngx_null_string, 0 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
71 };
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
72
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
73
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
74 static ngx_conf_enum_t ngx_http_ssl_verify[] = {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
75 { ngx_string("off"), 0 },
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
76 { ngx_string("on"), 1 },
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
77 { ngx_string("optional"), 2 },
4884
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
78 { ngx_string("optional_no_ca"), 3 },
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
79 { ngx_null_string, 0 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
80 };
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
81
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
82
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
83 static ngx_conf_enum_t ngx_http_ssl_ocsp[] = {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
84 { ngx_string("off"), 0 },
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
85 { ngx_string("on"), 1 },
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
86 { ngx_string("leaf"), 2 },
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
87 { ngx_null_string, 0 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
88 };
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
89
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
90
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
91 static ngx_conf_post_t ngx_http_ssl_conf_command_post =
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
92 { ngx_http_ssl_conf_command_check };
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
93
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
94
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
95 static ngx_command_t ngx_http_ssl_commands[] = {
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
96
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
97 { ngx_string("ssl_certificate"),
599
869b6444d234 nginx-0.3.21-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 573
diff changeset
98 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
99 ngx_conf_set_str_array_slot,
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
100 NGX_HTTP_SRV_CONF_OFFSET,
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
101 offsetof(ngx_http_ssl_srv_conf_t, certificates),
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
102 NULL },
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
103
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
104 { ngx_string("ssl_certificate_key"),
599
869b6444d234 nginx-0.3.21-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 573
diff changeset
105 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
106 ngx_conf_set_str_array_slot,
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
107 NGX_HTTP_SRV_CONF_OFFSET,
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
108 offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
109 NULL },
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
110
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
111 { ngx_string("ssl_password_file"),
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
112 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
113 ngx_http_ssl_password_file,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
114 NGX_HTTP_SRV_CONF_OFFSET,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
115 0,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
116 NULL },
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
117
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
118 { ngx_string("ssl_dhparam"),
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
119 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
120 ngx_conf_set_str_slot,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
121 NGX_HTTP_SRV_CONF_OFFSET,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
122 offsetof(ngx_http_ssl_srv_conf_t, dhparam),
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
123 NULL },
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
124
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
125 { ngx_string("ssl_ecdh_curve"),
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
126 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
127 ngx_conf_set_str_slot,
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
128 NGX_HTTP_SRV_CONF_OFFSET,
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
129 offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
130 NULL },
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
131
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
132 { ngx_string("ssl_protocols"),
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
133 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
134 ngx_conf_set_bitmask_slot,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
135 NGX_HTTP_SRV_CONF_OFFSET,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
136 offsetof(ngx_http_ssl_srv_conf_t, protocols),
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
137 &ngx_http_ssl_protocols },
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
138
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
139 { ngx_string("ssl_ciphers"),
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
140 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
141 ngx_conf_set_str_slot,
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
142 NGX_HTTP_SRV_CONF_OFFSET,
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
143 offsetof(ngx_http_ssl_srv_conf_t, ciphers),
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
144 NULL },
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
145
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
146 { ngx_string("ssl_buffer_size"),
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
147 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
148 ngx_conf_set_size_slot,
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
149 NGX_HTTP_SRV_CONF_OFFSET,
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
150 offsetof(ngx_http_ssl_srv_conf_t, buffer_size),
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
151 NULL },
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
152
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
153 { ngx_string("ssl_verify_client"),
4273
e444e8f6538b Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse.
Sergey Budnevitch <sb@waeme.net>
parents: 4234
diff changeset
154 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
155 ngx_conf_set_enum_slot,
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
156 NGX_HTTP_SRV_CONF_OFFSET,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
157 offsetof(ngx_http_ssl_srv_conf_t, verify),
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
158 &ngx_http_ssl_verify },
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
159
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
160 { ngx_string("ssl_verify_depth"),
5504
8ed467553f6b SSL: fixed ssl_verify_depth to take only one argument.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5503
diff changeset
161 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
162 ngx_conf_set_num_slot,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
163 NGX_HTTP_SRV_CONF_OFFSET,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
164 offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
165 NULL },
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
166
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
167 { ngx_string("ssl_client_certificate"),
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
168 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
169 ngx_conf_set_str_slot,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
170 NGX_HTTP_SRV_CONF_OFFSET,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
171 offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
172 NULL },
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
173
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
174 { ngx_string("ssl_trusted_certificate"),
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
175 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
176 ngx_conf_set_str_slot,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
177 NGX_HTTP_SRV_CONF_OFFSET,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
178 offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
179 NULL },
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
180
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
181 { ngx_string("ssl_prefer_server_ciphers"),
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
182 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
183 ngx_conf_set_flag_slot,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
184 NGX_HTTP_SRV_CONF_OFFSET,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
185 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
186 NULL },
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
187
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
188 { ngx_string("ssl_session_cache"),
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
189 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
190 ngx_http_ssl_session_cache,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
191 NGX_HTTP_SRV_CONF_OFFSET,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
192 0,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
193 NULL },
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
194
5503
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
195 { ngx_string("ssl_session_tickets"),
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
196 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
197 ngx_conf_set_flag_slot,
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
198 NGX_HTTP_SRV_CONF_OFFSET,
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
199 offsetof(ngx_http_ssl_srv_conf_t, session_tickets),
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
200 NULL },
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
201
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
202 { ngx_string("ssl_session_ticket_key"),
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
203 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
204 ngx_conf_set_str_array_slot,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
205 NGX_HTTP_SRV_CONF_OFFSET,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
206 offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys),
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
207 NULL },
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
208
573
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
209 { ngx_string("ssl_session_timeout"),
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
210 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
211 ngx_conf_set_sec_slot,
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
212 NGX_HTTP_SRV_CONF_OFFSET,
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
213 offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
214 NULL },
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
215
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
216 { ngx_string("ssl_crl"),
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
217 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
218 ngx_conf_set_str_slot,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
219 NGX_HTTP_SRV_CONF_OFFSET,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
220 offsetof(ngx_http_ssl_srv_conf_t, crl),
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
221 NULL },
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
222
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
223 { ngx_string("ssl_ocsp"),
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
224 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
225 ngx_conf_set_enum_slot,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
226 NGX_HTTP_SRV_CONF_OFFSET,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
227 offsetof(ngx_http_ssl_srv_conf_t, ocsp),
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
228 &ngx_http_ssl_ocsp },
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
229
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
230 { ngx_string("ssl_ocsp_responder"),
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
231 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
232 ngx_conf_set_str_slot,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
233 NGX_HTTP_SRV_CONF_OFFSET,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
234 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder),
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
235 NULL },
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
236
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
237 { ngx_string("ssl_ocsp_cache"),
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
238 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
239 ngx_http_ssl_ocsp_cache,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
240 NGX_HTTP_SRV_CONF_OFFSET,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
241 0,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
242 NULL },
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
243
4873
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
244 { ngx_string("ssl_stapling"),
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
245 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
246 ngx_conf_set_flag_slot,
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
247 NGX_HTTP_SRV_CONF_OFFSET,
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
248 offsetof(ngx_http_ssl_srv_conf_t, stapling),
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
249 NULL },
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
250
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
251 { ngx_string("ssl_stapling_file"),
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
252 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
253 ngx_conf_set_str_slot,
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
254 NGX_HTTP_SRV_CONF_OFFSET,
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
255 offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
256 NULL },
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
257
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
258 { ngx_string("ssl_stapling_responder"),
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
259 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
260 ngx_conf_set_str_slot,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
261 NGX_HTTP_SRV_CONF_OFFSET,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
262 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
263 NULL },
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
264
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
265 { ngx_string("ssl_stapling_verify"),
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
266 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
267 ngx_conf_set_flag_slot,
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
268 NGX_HTTP_SRV_CONF_OFFSET,
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
269 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
270 NULL },
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
271
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
272 { ngx_string("ssl_early_data"),
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
273 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
274 ngx_conf_set_flag_slot,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
275 NGX_HTTP_SRV_CONF_OFFSET,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
276 offsetof(ngx_http_ssl_srv_conf_t, early_data),
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
277 NULL },
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
278
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
279 { ngx_string("ssl_conf_command"),
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
280 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
281 ngx_conf_set_keyval_slot,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
282 NGX_HTTP_SRV_CONF_OFFSET,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
283 offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
284 &ngx_http_ssl_conf_command_post },
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
285
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
286 { ngx_string("ssl_reject_handshake"),
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
287 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
288 ngx_conf_set_flag_slot,
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
289 NGX_HTTP_SRV_CONF_OFFSET,
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
290 offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
291 NULL },
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
292
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
293 ngx_null_command
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
294 };
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
295
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
296
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
297 static ngx_http_module_t ngx_http_ssl_module_ctx = {
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
298 ngx_http_ssl_add_variables, /* preconfiguration */
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
299 ngx_http_ssl_init, /* postconfiguration */
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
300
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
301 NULL, /* create main configuration */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
302 NULL, /* init main configuration */
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
303
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
304 ngx_http_ssl_create_srv_conf, /* create server configuration */
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
305 ngx_http_ssl_merge_srv_conf, /* merge server configuration */
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
306
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
307 NULL, /* create location configuration */
485
4ebe09b07e30 nginx-0.1.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
308 NULL /* merge location configuration */
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
309 };
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
310
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
311
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
312 ngx_module_t ngx_http_ssl_module = {
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 507
diff changeset
313 NGX_MODULE_V1,
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
314 &ngx_http_ssl_module_ctx, /* module context */
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
315 ngx_http_ssl_commands, /* module directives */
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
316 NGX_HTTP_MODULE, /* module type */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
317 NULL, /* init master */
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents: 392
diff changeset
318 NULL, /* init module */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
319 NULL, /* init process */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
320 NULL, /* init thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
321 NULL, /* exit thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
322 NULL, /* exit process */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
323 NULL, /* exit master */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 529
diff changeset
324 NGX_MODULE_V1_PADDING
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
325 };
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
326
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
327
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
328 static ngx_http_variable_t ngx_http_ssl_vars[] = {
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
329
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
330 { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
1565
4c43e25d11ea fix English grammar
Igor Sysoev <igor@sysoev.ru>
parents: 1310
diff changeset
331 (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
332
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
333 { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
1565
4c43e25d11ea fix English grammar
Igor Sysoev <igor@sysoev.ru>
parents: 1310
diff changeset
334 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
335
6816
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
336 { ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
337 (uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
338
7973
3443c02ca1d1 SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents: 7937
diff changeset
339 { ngx_string("ssl_curve"), NULL, ngx_http_ssl_variable,
3443c02ca1d1 SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents: 7937
diff changeset
340 (uintptr_t) ngx_ssl_get_curve, NGX_HTTP_VAR_CHANGEABLE, 0 },
3443c02ca1d1 SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents: 7937
diff changeset
341
6817
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
342 { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
343 (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
344
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3140
diff changeset
345 { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3140
diff changeset
346 (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3140
diff changeset
347
5573
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5545
diff changeset
348 { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5545
diff changeset
349 (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5545
diff changeset
350
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
351 { ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
352 (uintptr_t) ngx_ssl_get_early_data,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
353 NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
354
5658
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
355 { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
356 (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
357
7935
eb6c77e6d55d SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents: 7934
diff changeset
358 { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
eb6c77e6d55d SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents: 7934
diff changeset
359 (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
eb6c77e6d55d SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents: 7934
diff changeset
360
2045
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
361 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
362 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
363
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
364 { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
365 (uintptr_t) ngx_ssl_get_raw_certificate,
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
366 NGX_HTTP_VAR_CHANGEABLE, 0 },
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
367
7091
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7077
diff changeset
368 { ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7077
diff changeset
369 (uintptr_t) ngx_ssl_get_escaped_certificate,
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7077
diff changeset
370 NGX_HTTP_VAR_CHANGEABLE, 0 },
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7077
diff changeset
371
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
372 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
1565
4c43e25d11ea fix English grammar
Igor Sysoev <igor@sysoev.ru>
parents: 1310
diff changeset
373 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
374
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
375 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
1565
4c43e25d11ea fix English grammar
Igor Sysoev <igor@sysoev.ru>
parents: 1310
diff changeset
376 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
377
6780
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6591
diff changeset
378 { ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6591
diff changeset
379 (uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6591
diff changeset
380
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6591
diff changeset
381 { ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6591
diff changeset
382 (uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6591
diff changeset
383
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
384 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
1565
4c43e25d11ea fix English grammar
Igor Sysoev <igor@sysoev.ru>
parents: 1310
diff changeset
385 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
386
5700
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5658
diff changeset
387 { ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5658
diff changeset
388 (uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5658
diff changeset
389
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
390 { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
391 (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
392
6815
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
393 { ngx_string("ssl_client_v_start"), NULL, ngx_http_ssl_variable,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
394 (uintptr_t) ngx_ssl_get_client_v_start, NGX_HTTP_VAR_CHANGEABLE, 0 },
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
395
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
396 { ngx_string("ssl_client_v_end"), NULL, ngx_http_ssl_variable,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
397 (uintptr_t) ngx_ssl_get_client_v_end, NGX_HTTP_VAR_CHANGEABLE, 0 },
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
398
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
399 { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
400 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
401
7077
2a288909abc6 Variables: macros for null variables.
Ruslan Ermilov <ru@nginx.com>
parents: 6981
diff changeset
402 ngx_http_null_variable
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
403 };
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
404
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
405
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
406 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
407
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
408
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
409 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
410
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
411 static int
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
412 ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
413 unsigned char *outlen, const unsigned char *in, unsigned int inlen,
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
414 void *arg)
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
415 {
8922
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
416 unsigned int srvlen;
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
417 unsigned char *srv;
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
418 #if (NGX_DEBUG)
8922
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
419 unsigned int i;
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
420 #endif
8921
33226ac61076 HTTP/3: merged ngx_http_quic_module into ngx_http_v3_module.
Roman Arutyunyan <arut@nginx.com>
parents: 8918
diff changeset
421 #if (NGX_HTTP_V2 || NGX_HTTP_V3)
8922
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
422 ngx_http_connection_t *hc;
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
423 #endif
9119
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
424 #if (NGX_HTTP_V2)
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
425 ngx_http_v2_srv_conf_t *h2scf;
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
426 #endif
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
427 #if (NGX_HTTP_V3)
8922
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
428 ngx_http_v3_srv_conf_t *h3scf;
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
429 #endif
8921
33226ac61076 HTTP/3: merged ngx_http_quic_module into ngx_http_v3_module.
Roman Arutyunyan <arut@nginx.com>
parents: 8918
diff changeset
430 #if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG)
8922
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
431 ngx_connection_t *c;
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
432
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
433 c = ngx_ssl_get_connection(ssl_conn);
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
434 #endif
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
435
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
436 #if (NGX_DEBUG)
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
437 for (i = 0; i < inlen; i += in[i] + 1) {
6474
Ruslan Ermilov <ru@nginx.com>
parents: 6246
diff changeset
438 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
6478
3ef7bb882ad4 Fixed logging with variable field width.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6474
diff changeset
439 "SSL ALPN supported by client: %*s",
3ef7bb882ad4 Fixed logging with variable field width.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6474
diff changeset
440 (size_t) in[i], &in[i + 1]);
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
441 }
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
442 #endif
5106
afee87b8190a SSL: Next Protocol Negotiation extension support.
Valentin Bartenev <vbart@nginx.com>
parents: 5077
diff changeset
443
8921
33226ac61076 HTTP/3: merged ngx_http_quic_module into ngx_http_v3_module.
Roman Arutyunyan <arut@nginx.com>
parents: 8918
diff changeset
444 #if (NGX_HTTP_V2 || NGX_HTTP_V3)
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
445 hc = c->data;
8269
c9c3a73df6e8 Support for HTTP/3 ALPN.
Roman Arutyunyan <arut@nginx.com>
parents: 8232
diff changeset
446 #endif
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
447
8921
33226ac61076 HTTP/3: merged ngx_http_quic_module into ngx_http_v3_module.
Roman Arutyunyan <arut@nginx.com>
parents: 8918
diff changeset
448 #if (NGX_HTTP_V3)
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
449 if (hc->addr_conf->quic) {
8922
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
450
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
451 h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
452
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
453 if (h3scf->enable && h3scf->enable_hq) {
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
454 srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
455 NGX_HTTP_V3_HQ_ALPN_PROTO;
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
456 srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO)
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
457 - 1;
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
458
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
459 } else if (h3scf->enable_hq) {
8922
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
460 srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO;
be08b858086a HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro.
Roman Arutyunyan <arut@nginx.com>
parents: 8921
diff changeset
461 srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1;
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
462
9104
69bae2437d74 HTTP/3: removed "http3" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9085
diff changeset
463 } else if (h3scf->enable) {
8918
606bf52888d2 HTTP/3: adjusted ALPN macro names to align with 61abb35bb8cf.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8889
diff changeset
464 srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO;
606bf52888d2 HTTP/3: adjusted ALPN macro names to align with 61abb35bb8cf.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8889
diff changeset
465 srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1;
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
466
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
467 } else {
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
468 return SSL_TLSEXT_ERR_ALERT_FATAL;
8626
e0947c952d43 QUIC: multiple versions support in ALPN.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8618
diff changeset
469 }
e0947c952d43 QUIC: multiple versions support in ALPN.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8618
diff changeset
470
8481
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
471 } else
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
472 #endif
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
473 {
9119
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
474 #if (NGX_HTTP_V2)
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
475 h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
476
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
477 if (h2scf->enable || hc->addr_conf->http2) {
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
478 srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
479 srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
480
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
481 } else
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
482 #endif
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
483 {
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
484 srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
485 srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
08ef02ad5c54 HTTP/2: "http2" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9104
diff changeset
486 }
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
487 }
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
488
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
489 if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
490 in, inlen)
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
491 != OPENSSL_NPN_NEGOTIATED)
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
492 {
7937
db6b630e6086 HTTP: connections with wrong ALPN protocols are now rejected.
Vladimir Homutov <vl@nginx.com>
parents: 7935
diff changeset
493 return SSL_TLSEXT_ERR_ALERT_FATAL;
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
494 }
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
495
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
496 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
6478
3ef7bb882ad4 Fixed logging with variable field width.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6474
diff changeset
497 "SSL ALPN selected: %*s", (size_t) *outlen, *out);
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
498
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
499 return SSL_TLSEXT_ERR_OK;
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
500 }
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
501
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
502 #endif
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
503
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
504
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
505 static ngx_int_t
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
506 ngx_http_ssl_static_variable(ngx_http_request_t *r,
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
507 ngx_http_variable_value_t *v, uintptr_t data)
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
508 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
509 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
510
1310
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
511 size_t len;
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
512 ngx_str_t s;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
513
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
514 if (r->connection->ssl) {
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
515
1310
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
516 (void) handler(r->connection, NULL, &s);
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
517
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
518 v->data = s.data;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
519
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
520 for (len = 0; v->data[len]; len++) { /* void */ }
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
521
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
522 v->len = len;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
523 v->valid = 1;
1565
4c43e25d11ea fix English grammar
Igor Sysoev <igor@sysoev.ru>
parents: 1310
diff changeset
524 v->no_cacheable = 0;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
525 v->not_found = 0;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
526
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
527 return NGX_OK;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
528 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
529
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
530 v->not_found = 1;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
531
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
532 return NGX_OK;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
533 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
534
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
535
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
536 static ngx_int_t
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
537 ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
538 uintptr_t data)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
539 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
540 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
541
1310
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
542 ngx_str_t s;
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
543
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
544 if (r->connection->ssl) {
1310
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
545
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
546 if (handler(r->connection, r->pool, &s) != NGX_OK) {
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
547 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
548 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
549
1310
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
550 v->len = s.len;
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
551 v->data = s.data;
33d6c994a0b2 Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents: 1219
diff changeset
552
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
553 if (v->len) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
554 v->valid = 1;
1565
4c43e25d11ea fix English grammar
Igor Sysoev <igor@sysoev.ru>
parents: 1310
diff changeset
555 v->no_cacheable = 0;
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
556 v->not_found = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
557
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
558 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
559 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
560 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
561
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
562 v->not_found = 1;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
563
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
564 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
565 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
566
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
567
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
568 static ngx_int_t
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
569 ngx_http_ssl_add_variables(ngx_conf_t *cf)
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
570 {
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
571 ngx_http_variable_t *var, *v;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
572
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
573 for (v = ngx_http_ssl_vars; v->name.len; v++) {
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
574 var = ngx_http_add_variable(cf, &v->name, v->flags);
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
575 if (var == NULL) {
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
576 return NGX_ERROR;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
577 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
578
637
e60fe4cf1d4e nginx-0.3.40-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
579 var->get_handler = v->get_handler;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
580 var->data = v->data;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
581 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
582
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
583 return NGX_OK;
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
584 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
585
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 599
diff changeset
586
501
d4ea69372b94 nginx-0.1.25-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 485
diff changeset
587 static void *
d4ea69372b94 nginx-0.1.25-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 485
diff changeset
588 ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
589 {
971
948acd940145 style fix: scf > sscf
Igor Sysoev <igor@sysoev.ru>
parents: 970
diff changeset
590 ngx_http_ssl_srv_conf_t *sscf;
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
591
971
948acd940145 style fix: scf > sscf
Igor Sysoev <igor@sysoev.ru>
parents: 970
diff changeset
592 sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
948acd940145 style fix: scf > sscf
Igor Sysoev <igor@sysoev.ru>
parents: 970
diff changeset
593 if (sscf == NULL) {
2912
c7d57b539248 return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
594 return NULL;
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
595 }
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
596
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
597 /*
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
598 * set by ngx_pcalloc():
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
599 *
971
948acd940145 style fix: scf > sscf
Igor Sysoev <igor@sysoev.ru>
parents: 970
diff changeset
600 * sscf->protocols = 0;
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
601 * sscf->certificate_values = NULL;
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
602 * sscf->dhparam = { 0, NULL };
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
603 * sscf->ecdh_curve = { 0, NULL };
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
604 * sscf->client_certificate = { 0, NULL };
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
605 * sscf->trusted_certificate = { 0, NULL };
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
606 * sscf->crl = { 0, NULL };
3516
dd1570b6f237 ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents: 3209
diff changeset
607 * sscf->ciphers = { 0, NULL };
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
608 * sscf->shm_zone = NULL;
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
609 * sscf->ocsp_responder = { 0, NULL };
4873
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
610 * sscf->stapling_file = { 0, NULL };
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
611 * sscf->stapling_responder = { 0, NULL };
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
612 */
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
613
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
614 sscf->prefer_server_ciphers = NGX_CONF_UNSET;
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
615 sscf->early_data = NGX_CONF_UNSET;
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
616 sscf->reject_handshake = NGX_CONF_UNSET;
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
617 sscf->buffer_size = NGX_CONF_UNSET_SIZE;
2710
218ee852de73 fix building by MSVC8
Igor Sysoev <igor@sysoev.ru>
parents: 2224
diff changeset
618 sscf->verify = NGX_CONF_UNSET_UINT;
218ee852de73 fix building by MSVC8
Igor Sysoev <igor@sysoev.ru>
parents: 2224
diff changeset
619 sscf->verify_depth = NGX_CONF_UNSET_UINT;
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
620 sscf->certificates = NGX_CONF_UNSET_PTR;
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
621 sscf->certificate_keys = NGX_CONF_UNSET_PTR;
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
622 sscf->passwords = NGX_CONF_UNSET_PTR;
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
623 sscf->conf_commands = NGX_CONF_UNSET_PTR;
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
624 sscf->builtin_session_cache = NGX_CONF_UNSET;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
625 sscf->session_timeout = NGX_CONF_UNSET;
5503
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
626 sscf->session_tickets = NGX_CONF_UNSET;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
627 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
628 sscf->ocsp = NGX_CONF_UNSET_UINT;
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
629 sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
4873
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
630 sscf->stapling = NGX_CONF_UNSET;
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
631 sscf->stapling_verify = NGX_CONF_UNSET;
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
632
971
948acd940145 style fix: scf > sscf
Igor Sysoev <igor@sysoev.ru>
parents: 970
diff changeset
633 return sscf;
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
634 }
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
635
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
636
501
d4ea69372b94 nginx-0.1.25-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 485
diff changeset
637 static char *
d4ea69372b94 nginx-0.1.25-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 485
diff changeset
638 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
639 {
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
640 ngx_http_ssl_srv_conf_t *prev = parent;
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
641 ngx_http_ssl_srv_conf_t *conf = child;
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
642
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
643 ngx_pool_cleanup_t *cln;
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
644
573
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
645 ngx_conf_merge_value(conf->session_timeout,
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
646 prev->session_timeout, 300);
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
647
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
648 ngx_conf_merge_value(conf->prefer_server_ciphers,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
649 prev->prefer_server_ciphers, 0);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
650
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
651 ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
652 ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
653
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
654 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
8152
d1cf09451ae8 SSL: enabled TLSv1.3 by default.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8088
diff changeset
655 (NGX_CONF_BITMASK_SET
d1cf09451ae8 SSL: enabled TLSv1.3 by default.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8088
diff changeset
656 |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
d1cf09451ae8 SSL: enabled TLSv1.3 by default.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8088
diff changeset
657 |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
658
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
659 ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
660 NGX_SSL_BUFSIZE);
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
661
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
662 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
663 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
664
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
665 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
666 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
667 NULL);
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
668
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
669 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
670
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
671 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
672
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
673 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
674 "");
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
675 ngx_conf_merge_str_value(conf->trusted_certificate,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
676 prev->trusted_certificate, "");
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
677 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
678
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
679 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
680 NGX_DEFAULT_ECDH_CURVE);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
681
2124
e0b424b98f24 fix typo
Igor Sysoev <igor@sysoev.ru>
parents: 2123
diff changeset
682 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
683
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
684 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
685
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
686 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
687 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
688 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
689 prev->ocsp_cache_zone, NULL);
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
690
4873
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
691 ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
692 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
4873
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
693 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
694 ngx_conf_merge_str_value(conf->stapling_responder,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
695 prev->stapling_responder, "");
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
696
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
697 conf->ssl.log = cf->log;
386
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents: 385
diff changeset
698
9120
0aaa09927703 SSL: removed the "ssl" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9119
diff changeset
699 if (conf->certificates) {
2224
109849282793 *) listen ssl
Igor Sysoev <igor@sysoev.ru>
parents: 2124
diff changeset
700
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
701 if (conf->certificate_keys == NULL
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
702 || conf->certificate_keys->nelts < conf->certificates->nelts)
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
703 {
2224
109849282793 *) listen ssl
Igor Sysoev <igor@sysoev.ru>
parents: 2124
diff changeset
704 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
109849282793 *) listen ssl
Igor Sysoev <igor@sysoev.ru>
parents: 2124
diff changeset
705 "no \"ssl_certificate_key\" is defined "
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
706 "for certificate \"%V\"",
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
707 ((ngx_str_t *) conf->certificates->elts)
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6489
diff changeset
708 + conf->certificates->nelts - 1);
2224
109849282793 *) listen ssl
Igor Sysoev <igor@sysoev.ru>
parents: 2124
diff changeset
709 return NGX_CONF_ERROR;
109849282793 *) listen ssl
Igor Sysoev <igor@sysoev.ru>
parents: 2124
diff changeset
710 }
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
711
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
712 } else if (!conf->reject_handshake) {
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
713 return NGX_CONF_OK;
2224
109849282793 *) listen ssl
Igor Sysoev <igor@sysoev.ru>
parents: 2124
diff changeset
714 }
109849282793 *) listen ssl
Igor Sysoev <igor@sysoev.ru>
parents: 2124
diff changeset
715
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 671
diff changeset
716 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
386
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents: 385
diff changeset
717 return NGX_CONF_ERROR;
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents: 385
diff changeset
718 }
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents: 385
diff changeset
719
7473
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
720 cln = ngx_pool_cleanup_add(cf->pool, 0);
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
721 if (cln == NULL) {
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
722 ngx_ssl_cleanup_ctx(&conf->ssl);
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
723 return NGX_CONF_ERROR;
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
724 }
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
725
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
726 cln->handler = ngx_ssl_cleanup_ctx;
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
727 cln->data = &conf->ssl;
8981dbb12254 SSL: fixed potential leak on memory allocation errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7466
diff changeset
728
1219
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
729 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
730
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
731 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
732 ngx_http_ssl_servername)
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
733 == 0)
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
734 {
3140
ba9a8ba4207e *) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents: 2996
diff changeset
735 ngx_log_error(NGX_LOG_WARN, cf->log, 0,
3209
b82c623a607e fix typo
Igor Sysoev <igor@sysoev.ru>
parents: 3196
diff changeset
736 "nginx was built with SNI support, however, now it is linked "
3140
ba9a8ba4207e *) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents: 2996
diff changeset
737 "dynamically to an OpenSSL library which has no tlsext support, "
ba9a8ba4207e *) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents: 2996
diff changeset
738 "therefore SNI is not available");
1219
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
739 }
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
740
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
741 #endif
86c5c9288acc SNI support
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
742
5545
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
743 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
744 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
745 #endif
01e2a5bcdd8f SSL: support ALPN (IETF's successor to NPN).
Piotr Sikora <piotr@cloudflare.com>
parents: 5504
diff changeset
746
7904
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7787
diff changeset
747 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7787
diff changeset
748 conf->prefer_server_ciphers)
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7787
diff changeset
749 != NGX_OK)
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7787
diff changeset
750 {
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7787
diff changeset
751 return NGX_CONF_ERROR;
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7787
diff changeset
752 }
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7787
diff changeset
753
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
754 if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
386
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents: 385
diff changeset
755 return NGX_CONF_ERROR;
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents: 385
diff changeset
756 }
fa72605e7089 nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents: 385
diff changeset
757
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
758 if (conf->certificate_values) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
759
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
760 #ifdef SSL_R_CERT_CB_ERROR
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
761
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
762 /* install callback to lookup certificates */
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
763
7466
48c87377aabd SSL: fixed possible segfault with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7465
diff changeset
764 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
765
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
766 #else
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
767 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
768 "variables in "
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
769 "\"ssl_certificate\" and \"ssl_certificate_key\" "
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
770 "directives are not supported on this platform");
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
771 return NGX_CONF_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
772 #endif
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
773
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
774 } else if (conf->certificates) {
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
775
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
776 /* configure certificates */
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
777
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
778 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
779 conf->certificate_keys, conf->passwords)
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
780 != NGX_OK)
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
781 {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
782 return NGX_CONF_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
783 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
784 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
785
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
786 conf->ssl.buffer_size = conf->buffer_size;
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
787
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
788 if (conf->verify) {
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
789
4884
e406c997470a SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
790 if (conf->client_certificate.len == 0 && conf->verify != 3) {
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
791 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
7567
ef7ee19776db SSL: fixed ssl_verify_client error message.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7473
diff changeset
792 "no ssl_client_certificate for ssl_verify_client");
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
793 return NGX_CONF_ERROR;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
794 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
795
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
796 if (ngx_ssl_client_certificate(cf, &conf->ssl,
970
35f98a8e275f style fix
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
797 &conf->client_certificate,
35f98a8e275f style fix
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
798 conf->verify_depth)
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
799 != NGX_OK)
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
800 {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 669
diff changeset
801 return NGX_CONF_ERROR;
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
802 }
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
803 }
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
804
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
805 if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
806 &conf->trusted_certificate,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
807 conf->verify_depth)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
808 != NGX_OK)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
809 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
810 return NGX_CONF_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
811 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
812
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
813 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4412
diff changeset
814 return NGX_CONF_ERROR;
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
815 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 637
diff changeset
816
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
817 if (conf->ocsp) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
818
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
819 if (conf->verify == 3) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
820 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
821 "\"ssl_ocsp\" is incompatible with "
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
822 "\"ssl_verify_client optional_no_ca\"");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
823 return NGX_CONF_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
824 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
825
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
826 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
827 conf->ocsp_cache_zone)
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
828 != NGX_OK)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
829 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
830 return NGX_CONF_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
831 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
832 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
833
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
834 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
835 return NGX_CONF_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
836 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
837
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
838 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
839 return NGX_CONF_ERROR;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
840 }
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
841
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
842 ngx_conf_merge_value(conf->builtin_session_cache,
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
843 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
844
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
845 if (conf->shm_zone == NULL) {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
846 conf->shm_zone = prev->shm_zone;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
847 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
848
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
849 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
7465
6708bec13757 SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7463
diff changeset
850 conf->certificates, conf->builtin_session_cache,
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
851 conf->shm_zone, conf->session_timeout)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
852 != NGX_OK)
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
853 {
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
854 return NGX_CONF_ERROR;
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
855 }
573
58475592100c nginx-0.3.8-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
856
5503
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
857 ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1);
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
858
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
859 #ifdef SSL_OP_NO_TICKET
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
860 if (!conf->session_tickets) {
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
861 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
862 }
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
863 #endif
d049b0ea00a3 SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents: 5487
diff changeset
864
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
865 ngx_conf_merge_ptr_value(conf->session_ticket_keys,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
866 prev->session_ticket_keys, NULL);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
867
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
868 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
869 != NGX_OK)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
870 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
871 return NGX_CONF_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
872 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5387
diff changeset
873
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
874 if (conf->stapling) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
875
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
876 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
877 &conf->stapling_responder, conf->stapling_verify)
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
878 != NGX_OK)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
879 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
880 return NGX_CONF_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
881 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
882
4873
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
883 }
dd74fd35ceb5 OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
884
7333
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
885 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
886 return NGX_CONF_ERROR;
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
887 }
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7270
diff changeset
888
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
889 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
890 return NGX_CONF_ERROR;
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
891 }
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
892
383
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
893 return NGX_CONF_OK;
c05876036128 nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
894 }
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
895
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
896
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
897 static ngx_int_t
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
898 ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
899 ngx_http_ssl_srv_conf_t *conf)
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
900 {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
901 ngx_str_t *cert, *key;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
902 ngx_uint_t i, nelts;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
903 ngx_http_complex_value_t *cv;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
904 ngx_http_compile_complex_value_t ccv;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
905
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
906 if (conf->certificates == NULL) {
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
907 return NGX_OK;
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
908 }
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
909
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
910 cert = conf->certificates->elts;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
911 key = conf->certificate_keys->elts;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
912 nelts = conf->certificates->nelts;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
913
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
914 for (i = 0; i < nelts; i++) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
915
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
916 if (ngx_http_script_variables_count(&cert[i])) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
917 goto found;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
918 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
919
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
920 if (ngx_http_script_variables_count(&key[i])) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
921 goto found;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
922 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
923 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
924
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
925 return NGX_OK;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
926
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
927 found:
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
928
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
929 conf->certificate_values = ngx_array_create(cf->pool, nelts,
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
930 sizeof(ngx_http_complex_value_t));
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
931 if (conf->certificate_values == NULL) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
932 return NGX_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
933 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
934
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
935 conf->certificate_key_values = ngx_array_create(cf->pool, nelts,
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
936 sizeof(ngx_http_complex_value_t));
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
937 if (conf->certificate_key_values == NULL) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
938 return NGX_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
939 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
940
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
941 for (i = 0; i < nelts; i++) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
942
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
943 cv = ngx_array_push(conf->certificate_values);
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
944 if (cv == NULL) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
945 return NGX_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
946 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
947
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
948 ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
949
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
950 ccv.cf = cf;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
951 ccv.value = &cert[i];
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
952 ccv.complex_value = cv;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
953 ccv.zero = 1;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
954
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
955 if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
956 return NGX_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
957 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
958
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
959 cv = ngx_array_push(conf->certificate_key_values);
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
960 if (cv == NULL) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
961 return NGX_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
962 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
963
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
964 ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
965
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
966 ccv.cf = cf;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
967 ccv.value = &key[i];
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
968 ccv.complex_value = cv;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
969 ccv.zero = 1;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
970
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
971 if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
972 return NGX_ERROR;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
973 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
974 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
975
7463
180df83473a4 SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7462
diff changeset
976 conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
180df83473a4 SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7462
diff changeset
977 if (conf->passwords == NULL) {
180df83473a4 SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7462
diff changeset
978 return NGX_ERROR;
180df83473a4 SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7462
diff changeset
979 }
180df83473a4 SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7462
diff changeset
980
7462
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
981 return NGX_OK;
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
982 }
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
983
be2af41d3620 SSL: variables support in ssl_certificate and ssl_certificate_key.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7333
diff changeset
984
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
985 static char *
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
986 ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
987 {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
988 ngx_http_ssl_srv_conf_t *sscf = conf;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
989
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
990 ngx_str_t *value;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
991
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
992 if (sscf->passwords != NGX_CONF_UNSET_PTR) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
993 return "is duplicate";
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
994 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
995
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
996 value = cf->args->elts;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
997
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
998 sscf->passwords = ngx_ssl_read_password_file(cf, &value[1]);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
999
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1000 if (sscf->passwords == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1001 return NGX_CONF_ERROR;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1002 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1003
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1004 return NGX_CONF_OK;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1005 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1006
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1007
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1008 static char *
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1009 ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1010 {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1011 ngx_http_ssl_srv_conf_t *sscf = conf;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1012
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1013 size_t len;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1014 ngx_str_t *value, name, size;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1015 ngx_int_t n;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1016 ngx_uint_t i, j;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1017
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1018 value = cf->args->elts;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1019
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1020 for (i = 1; i < cf->args->nelts; i++) {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1021
1778
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1565
diff changeset
1022 if (ngx_strcmp(value[i].data, "off") == 0) {
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1565
diff changeset
1023 sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1565
diff changeset
1024 continue;
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1565
diff changeset
1025 }
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1565
diff changeset
1026
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1027 if (ngx_strcmp(value[i].data, "none") == 0) {
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1028 sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1029 continue;
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1030 }
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1031
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1032 if (ngx_strcmp(value[i].data, "builtin") == 0) {
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
1033 sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1034 continue;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1035 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1036
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1037 if (value[i].len > sizeof("builtin:") - 1
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1038 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1039 == 0)
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1040 {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1041 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1042 value[i].len - (sizeof("builtin:") - 1));
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1043
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1044 if (n == NGX_ERROR) {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1045 goto invalid;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1046 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1047
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1048 sscf->builtin_session_cache = n;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1049
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1050 continue;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1051 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1052
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1053 if (value[i].len > sizeof("shared:") - 1
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1054 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1055 == 0)
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1056 {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1057 len = 0;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1058
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1059 for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1060 if (value[i].data[j] == ':') {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1061 break;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1062 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1063
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1064 len++;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1065 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1066
8088
e32b48848add SSL: improved validation of ssl_session_cache and ssl_ocsp_cache.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7973
diff changeset
1067 if (len == 0 || j == value[i].len) {
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1068 goto invalid;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1069 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1070
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1071 name.len = len;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1072 name.data = value[i].data + sizeof("shared:") - 1;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1073
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1074 size.len = value[i].len - j - 1;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1075 size.data = name.data + len + 1;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1076
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1077 n = ngx_parse_size(&size);
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1078
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1079 if (n == NGX_ERROR) {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1080 goto invalid;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1081 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1082
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1083 if (n < (ngx_int_t) (8 * ngx_pagesize)) {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1084 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
1085 "session cache \"%V\" is too small",
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1086 &value[i]);
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1087
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1088 return NGX_CONF_ERROR;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1089 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1090
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1091 sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1092 &ngx_http_ssl_module);
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1093 if (sscf->shm_zone == NULL) {
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1094 return NGX_CONF_ERROR;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1095 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1096
4153
7de74ed694c8 Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1097 sscf->shm_zone->init = ngx_ssl_session_cache_init;
7de74ed694c8 Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1098
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1099 continue;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1100 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1101
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1102 goto invalid;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1103 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1104
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1105 if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 973
diff changeset
1106 sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
973
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1107 }
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1108
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1109 return NGX_CONF_OK;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1110
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1111 invalid:
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1112
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1113 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1114 "invalid session cache \"%V\"", &value[i]);
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1115
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1116 return NGX_CONF_ERROR;
e1ede83911ef ssl_session_cache
Igor Sysoev <igor@sysoev.ru>
parents: 971
diff changeset
1117 }
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1118
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1119
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1120 static char *
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1121 ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1122 {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1123 ngx_http_ssl_srv_conf_t *sscf = conf;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1124
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1125 size_t len;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1126 ngx_int_t n;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1127 ngx_str_t *value, name, size;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1128 ngx_uint_t j;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1129
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1130 if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1131 return "is duplicate";
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1132 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1133
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1134 value = cf->args->elts;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1135
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1136 if (ngx_strcmp(value[1].data, "off") == 0) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1137 sscf->ocsp_cache_zone = NULL;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1138 return NGX_CONF_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1139 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1140
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1141 if (value[1].len <= sizeof("shared:") - 1
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1142 || ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0)
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1143 {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1144 goto invalid;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1145 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1146
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1147 len = 0;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1148
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1149 for (j = sizeof("shared:") - 1; j < value[1].len; j++) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1150 if (value[1].data[j] == ':') {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1151 break;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1152 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1153
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1154 len++;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1155 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1156
8088
e32b48848add SSL: improved validation of ssl_session_cache and ssl_ocsp_cache.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7973
diff changeset
1157 if (len == 0 || j == value[1].len) {
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1158 goto invalid;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1159 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1160
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1161 name.len = len;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1162 name.data = value[1].data + sizeof("shared:") - 1;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1163
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1164 size.len = value[1].len - j - 1;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1165 size.data = name.data + len + 1;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1166
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1167 n = ngx_parse_size(&size);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1168
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1169 if (n == NGX_ERROR) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1170 goto invalid;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1171 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1172
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1173 if (n < (ngx_int_t) (8 * ngx_pagesize)) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1174 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1175 "OCSP cache \"%V\" is too small", &value[1]);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1176
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1177 return NGX_CONF_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1178 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1179
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1180 sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1181 &ngx_http_ssl_module_ctx);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1182 if (sscf->ocsp_cache_zone == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1183 return NGX_CONF_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1184 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1185
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1186 sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1187
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1188 return NGX_CONF_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1189
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1190 invalid:
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1191
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1192 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1193 "invalid OCSP cache \"%V\"", &value[1]);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1194
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1195 return NGX_CONF_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1196 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1197
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1198
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1199 static char *
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1200 ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1201 {
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1202 #ifndef SSL_CONF_FLAG_FILE
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1203 return "is not supported on this platform";
7787
7ce28b4cc57e SSL: fixed build by Sun C with old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7732
diff changeset
1204 #else
7ce28b4cc57e SSL: fixed build by Sun C with old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7732
diff changeset
1205 return NGX_CONF_OK;
7729
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1206 #endif
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1207 }
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1208
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7654
diff changeset
1209
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1210 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1211 ngx_http_ssl_init(ngx_conf_t *cf)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1212 {
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1213 ngx_uint_t a, p, s;
8481
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1214 const char *name;
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1215 ngx_http_conf_addr_t *addr;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1216 ngx_http_conf_port_t *port;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1217 ngx_http_ssl_srv_conf_t *sscf;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1218 ngx_http_core_loc_conf_t *clcf;
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1219 ngx_http_core_srv_conf_t **cscfp, *cscf;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1220 ngx_http_core_main_conf_t *cmcf;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1221
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1222 cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1223 cscfp = cmcf->servers.elts;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1224
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1225 for (s = 0; s < cmcf->servers.nelts; s++) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1226
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1227 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1228
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1229 if (sscf->ssl.ctx == NULL) {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1230 continue;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1231 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1232
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1233 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1234
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1235 if (sscf->stapling) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1236 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1237 clcf->resolver_timeout)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1238 != NGX_OK)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1239 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1240 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1241 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1242 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1243
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1244 if (sscf->ocsp) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1245 if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver,
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1246 clcf->resolver_timeout)
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1247 != NGX_OK)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1248 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1249 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7567
diff changeset
1250 }
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1251 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1252 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1253
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1254 if (cmcf->ports == NULL) {
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1255 return NGX_OK;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1256 }
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1257
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1258 port = cmcf->ports->elts;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1259 for (p = 0; p < cmcf->ports->nelts; p++) {
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1260
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1261 addr = port[p].addrs.elts;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1262 for (a = 0; a < port[p].addrs.nelts; a++) {
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1263
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
1264 if (!addr[a].opt.ssl && !addr[a].opt.quic) {
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1265 continue;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1266 }
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1267
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
1268 if (addr[a].opt.quic) {
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
1269 name = "quic";
8481
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1270
9080
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
1271 #if (NGX_QUIC_OPENSSL_COMPAT)
9083
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1272 if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) {
9080
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
1273 return NGX_ERROR;
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
1274 }
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
1275 #endif
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents: 9035
diff changeset
1276
8481
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1277 } else {
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1278 name = "ssl";
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1279 }
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1280
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1281 cscf = addr[a].default_server;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1282 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1283
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1284 if (sscf->certificates) {
8869
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1285
9081
c851a2ed5ce8 HTTP/3: "quic" parameter of "listen" directive.
Roman Arutyunyan <arut@nginx.com>
parents: 9080
diff changeset
1286 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
8869
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1287 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1288 "\"ssl_protocols\" must enable TLSv1.3 for "
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1289 "the \"listen ... %s\" directive in %s:%ui",
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1290 name, cscf->file_name, cscf->line);
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1291 return NGX_ERROR;
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1292 }
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1293
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1294 continue;
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1295 }
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1296
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1297 if (!sscf->reject_handshake) {
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1298 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1299 "no \"ssl_certificate\" is defined for "
8869
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1300 "the \"listen ... %s\" directive in %s:%ui",
e5a17d6041bd Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8839
diff changeset
1301 name, cscf->file_name, cscf->line);
7732
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1302 return NGX_ERROR;
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1303 }
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1304
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1305 /*
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1306 * if no certificates are defined in the default server,
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1307 * check all non-default server blocks
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1308 */
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1309
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1310 cscfp = addr[a].servers.elts;
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1311 for (s = 0; s < addr[a].servers.nelts; s++) {
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1312
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1313 cscf = cscfp[s];
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1314 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1315
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1316 if (sscf->certificates || sscf->reject_handshake) {
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1317 continue;
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1318 }
59e1c73fe02b SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7729
diff changeset
1319
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1320 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1321 "no \"ssl_certificate\" is defined for "
8481
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1322 "the \"listen ... %s\" directive in %s:%ui",
0d2b2664b41c QUIC: added "quic" listen parameter.
Roman Arutyunyan <arut@nginx.com>
parents: 8411
diff changeset
1323 name, cscf->file_name, cscf->line);
7269
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1324 return NGX_ERROR;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1325 }
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1326 }
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1327 }
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7091
diff changeset
1328
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1329 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4873
diff changeset
1330 }
9083
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1331
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1332
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1333 #if (NGX_QUIC_OPENSSL_COMPAT)
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1334
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1335 static ngx_int_t
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1336 ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1337 {
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1338 ngx_uint_t s;
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1339 ngx_http_ssl_srv_conf_t *sscf;
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1340 ngx_http_core_srv_conf_t **cscfp, *cscf;
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1341
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1342 cscfp = addr->servers.elts;
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1343 for (s = 0; s < addr->servers.nelts; s++) {
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1344
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1345 cscf = cscfp[s];
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1346 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1347
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1348 if (sscf->certificates || sscf->reject_handshake) {
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1349 if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1350 return NGX_ERROR;
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1351 }
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1352 }
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1353 }
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1354
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1355 return NGX_OK;
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1356 }
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1357
5fd628b89bb7 HTTP/3: fixed OpenSSL compatibility layer initialization.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9081
diff changeset
1358 #endif