annotate src/mail/ngx_mail_ssl_module.c @ 9263:388a801e9bb9 default tip
Request body: discarded body now treated as no body.
Notably, proxying of such requests now uses no Content-Length instead
of "Content-Length: 0", and the $content_length variable is empty (instead
of "0").
This might be beneficial from a correctness point of view, since requests
with discarded body, such as during processing of error pages, do not pretend
there is a zero-length body, but instead do not contain body at all. For
example, this might be important for PUT requests, where a zero-length
body could be incorrectly interpreted as a real request body.
This also slightly simplifies the code.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 27 Apr 2024 18:23:52 +0300 |
parents | 0aaa09927703 |
children |
539 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
539 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
1136 | 10 #include <ngx_mail.h> |
539 | 11 |
12 | |
/*
 * Built-in defaults applied by ngx_mail_ssl_merge_conf() when the
 * corresponding directive is absent.  The cipher string is an OpenSSL
 * cipher list: high-strength suites only, no anonymous (unauthenticated)
 * key exchange, no MD5-based suites.  "auto" is the ssl_ecdh_curve
 * default; how it is expanded is decided by the SSL layer, not here.
 */

#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "auto"


/* ALPN selection is only compiled in when the TLS library exposes it */
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
static int ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
    const unsigned char **out, unsigned char *outlen,
    const unsigned char *in, unsigned int inlen, void *arg);
#endif

static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);

/* directive handlers that need more than a generic ngx_conf_set_*_slot */
static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

/* post-handler run on each parsed "ssl_conf_command" key/value pair */
static char *ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post,
    void *data);

539 | 36 |
/* values accepted by the "starttls" directive */

static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
    { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
    { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
    { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
    { ngx_null_string, 0 }
};
43 | |
44 | |
45 | |
/*
 * bitmask values accepted by the "ssl_protocols" directive; SSLv2 and
 * SSLv3 stay parseable for configuration compatibility but are not part
 * of the default set chosen in ngx_mail_ssl_merge_conf(), so enabling
 * them is always an explicit operator decision
 */

static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
    { ngx_null_string, 0 }
};
55 | |
56 | |
/*
 * modes accepted by the "ssl_verify_client" directive; the numeric values
 * are interpreted by the SSL setup code outside this listing, so the order
 * here must stay in sync with it
 */

static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }
};


/*
 * post-handler attached to "ssl_conf_command": ngx_conf_set_keyval_slot
 * stores the pair, then ngx_mail_ssl_conf_command_check() gets to inspect
 * it before it is handed to the SSL library
 */

static ngx_conf_post_t  ngx_mail_ssl_conf_command_post =
    { ngx_mail_ssl_conf_command_check };


/*
 * Directives of the mail SSL module.  Every directive is accepted in both
 * the mail{} and server{} contexts and is stored in ngx_mail_ssl_conf_t;
 * entries with a custom handler and offset 0 manage their own fields.
 */

static ngx_command_t  ngx_mail_ssl_commands[] = {

    { ngx_string("starttls"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_starttls,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, starttls),
      ngx_mail_starttls_state },

    { ngx_string("ssl_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificates),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificate_keys),
      NULL },

    /* custom handler: the file is read by ngx_mail_ssl_password_file() */
    { ngx_string("ssl_password_file"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_password_file,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, dhparam),
      NULL },

    { ngx_string("ssl_ecdh_curve"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
      NULL },

    /* one or more names from ngx_mail_ssl_protocols, OR-ed together */
    { ngx_string("ssl_protocols"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, protocols),
      &ngx_mail_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ciphers),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
      NULL },

    /* custom handler, one or two arguments (cache type, optional size) */
    { ngx_string("ssl_session_cache"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
      ngx_mail_ssl_session_cache,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_tickets),
      NULL },

    /* may be repeated; each file adds a key to the array */
    { ngx_string("ssl_session_ticket_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_timeout),
      NULL },

    /* client certificate authentication; modes in ngx_mail_ssl_verify */
    { ngx_string("ssl_verify_client"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, verify),
      &ngx_mail_ssl_verify },

    { ngx_string("ssl_verify_depth"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, verify_depth),
      NULL },

    { ngx_string("ssl_client_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_trusted_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, trusted_certificate),
      NULL },

    { ngx_string("ssl_crl"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, crl),
      NULL },

    /*
     * raw key/value pairs forwarded to the SSL library; each pair is
     * checked by ngx_mail_ssl_conf_command_check() via the post handler
     */
    { ngx_string("ssl_conf_command"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE2,
      ngx_conf_set_keyval_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, conf_commands),
      &ngx_mail_ssl_conf_command_post },

      ngx_null_command
};
207 | |
208 | |
/*
 * module context: this module implements no mail protocol of its own and
 * keeps all of its state in the per-server configuration
 */

static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
    NULL,                                  /* protocol */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_mail_ssl_create_conf,              /* create server configuration */
    ngx_mail_ssl_merge_conf                /* merge server configuration */
};
218 | |
219 | |
/*
 * module definition; no process-lifecycle hooks are used, all work is
 * done while the configuration is parsed and merged
 */

ngx_module_t  ngx_mail_ssl_module = {
    NGX_MODULE_V1,
    &ngx_mail_ssl_module_ctx,              /* module context */
    ngx_mail_ssl_commands,                 /* module directives */
    NGX_MAIL_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
234 | |
235 | |
/* session id context for this module; consumed by code outside this listing */
static ngx_str_t  ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");
543 | 237 |
238 | |
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

/*
 * ALPN selection callback for mail listeners (registration happens
 * outside this listing).  "in"/"inlen" is the client's protocol list;
 * the server side offers only the ALPN identifiers configured for this
 * server's mail protocol (cscf->protocol->alpn).  When no common protocol
 * exists the handshake is aborted with a fatal alert rather than falling
 * back to "no ALPN", so a client that announces the wrong protocol is
 * rejected before any mail command is exchanged.
 *
 * Returns SSL_TLSEXT_ERR_OK on success and SSL_TLSEXT_ERR_ALERT_FATAL
 * on mismatch.  "arg" is unused.
 */

static int
ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
    unsigned char *outlen, const unsigned char *in, unsigned int inlen,
    void *arg)
{
    unsigned int               srvlen;
    unsigned char             *srv;
    ngx_connection_t          *c;
    ngx_mail_session_t        *s;
    ngx_mail_core_srv_conf_t  *cscf;
#if (NGX_DEBUG)
    unsigned int               i;
#endif

    c = ngx_ssl_get_connection(ssl_conn);
    s = c->data;

#if (NGX_DEBUG)
    /*
     * "in" is a sequence of length-prefixed names; this walk relies on
     * the TLS library having validated the list framing before invoking
     * the callback (NOTE(review): confirm for the linked library)
     */
    for (i = 0; i < inlen; i += in[i] + 1) {
        ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
                       "SSL ALPN supported by client: %*s",
                       (size_t) in[i], &in[i + 1]);
    }
#endif

    cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);

    srv = cscf->protocol->alpn.data;
    srvlen = cscf->protocol->alpn.len;

    /*
     * the cast only drops const on the output pointer, which
     * SSL_select_next_proto() takes as non-const; a result other than
     * OPENSSL_NPN_NEGOTIATED means nothing in the client list matched
     */
    if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
                              in, inlen)
        != OPENSSL_NPN_NEGOTIATED)
    {
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
                   "SSL ALPN selected: %*s", (size_t) *outlen, *out);

    return SSL_TLSEXT_ERR_OK;
}

#endif


539 | 287 static void * |
1136 | 288 ngx_mail_ssl_create_conf(ngx_conf_t *cf) |
577 | 289 { |
1136 | 290 ngx_mail_ssl_conf_t *scf; |
577 | 291 |
1136 | 292 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t)); |
539 | 293 if (scf == NULL) { |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2759
diff
changeset
|
294 return NULL; |
539 | 295 } |
296 | |
297 /* | |
577 | 298 * set by ngx_pcalloc(): |
539 | 299 * |
7269
7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7268
diff
changeset
|
300 * scf->listen = 0; |
547 | 301 * scf->protocols = 0; |
2044 | 302 * scf->dhparam = { 0, NULL }; |
3960 | 303 * scf->ecdh_curve = { 0, NULL }; |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
304 * scf->client_certificate = { 0, NULL }; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
305 * scf->trusted_certificate = { 0, NULL }; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
306 * scf->crl = { 0, NULL }; |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3196
diff
changeset
|
307 * scf->ciphers = { 0, NULL }; |
976 | 308 * scf->shm_zone = NULL; |
539 | 309 */ |
310 | |
2759 | 311 scf->starttls = NGX_CONF_UNSET_UINT; |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
312 scf->certificates = NGX_CONF_UNSET_PTR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6489
diff
changeset
|
313 scf->certificate_keys = NGX_CONF_UNSET_PTR; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
314 scf->passwords = NGX_CONF_UNSET_PTR; |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7567
diff
changeset
|
315 scf->conf_commands = NGX_CONF_UNSET_PTR; |
976 | 316 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
317 scf->verify = NGX_CONF_UNSET_UINT; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
318 scf->verify_depth = NGX_CONF_UNSET_UINT; |
976 | 319 scf->builtin_session_cache = NGX_CONF_UNSET; |
573 | 320 scf->session_timeout = NGX_CONF_UNSET; |
5503
d049b0ea00a3
SSL: ssl_session_tickets directive.
Dirkjan Bussink <d.bussink@gmail.com>
parents:
5425
diff
changeset
|
321 scf->session_tickets = NGX_CONF_UNSET; |
322 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
539 | 323 |
324 return scf; | |
325 } | |
326 | |
327 | |
/*
 * Check that a TLS-enabled server has an "ssl_certificate" and a matching
 * "ssl_certificate_key" for every certificate.  "mode" names the directive
 * that enabled TLS ("listen ... ssl" or "starttls") and is used only in the
 * error text; conf->file/conf->line say where that directive was seen.
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging at EMERG level.
 */
static char *
ngx_mail_ssl_check_certificates(ngx_conf_t *cf, ngx_mail_ssl_conf_t *conf,
    char *mode)
{
    ngx_str_t  *cert;

    if (conf->certificates == NULL) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate\" is defined for "
                      "the \"%s\" directive in %s:%ui",
                      mode, conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    if (conf->certificate_keys == NULL) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined for "
                      "the \"%s\" directive in %s:%ui",
                      mode, conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    /* every certificate needs a key; name the last certificate when not */

    if (conf->certificate_keys->nelts < conf->certificates->nelts) {
        cert = conf->certificates->elts;
        cert += conf->certificates->nelts - 1;

        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined "
                      "for certificate \"%V\" and "
                      "the \"%s\" directive in %s:%ui",
                      cert, mode, conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}


/*
 * Configure client certificate verification when "ssl_verify_client" is
 * anything other than off: loads the CA bundle, the extra trusted CAs and
 * the CRL into conf->ssl.  A no-op when verification is off.
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after the error has been logged.
 */
static char *
ngx_mail_ssl_setup_verify(ngx_conf_t *cf, ngx_mail_ssl_conf_t *conf)
{
    if (conf->verify == 0) {
        return NGX_CONF_OK;
    }

    /*
     * verify mode 3 (presumably "optional_no_ca", see the ssl_verify_client
     * enum earlier in this file) does not validate the chain, so it is the
     * only mode allowed to run without an ssl_client_certificate bundle
     */

    if (conf->client_certificate.len == 0 && conf->verify != 3) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no ssl_client_certificate for ssl_verify_client");
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_client_certificate(cf, &conf->ssl, &conf->client_certificate,
                                   conf->verify_depth)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
                                    &conf->trusted_certificate,
                                    conf->verify_depth)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}


/*
 * Merge a server's SSL configuration with the enclosing mail{} values and,
 * when the server speaks TLS at all ("listen ... ssl" or "starttls"), build
 * its SSL_CTX.  Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging why.
 *
 * The order of the ngx_ssl_*() calls is deliberate and must be kept:
 * ciphers are set before certificates are loaded (changeset 7904, ticket
 * #2035), the session cache is set up after the certificates it derives the
 * session id context from (changeset 7465), and ssl_conf_command runs last.
 */
static char *
ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_mail_ssl_conf_t *prev = parent;
    ngx_mail_ssl_conf_t *conf = child;

    char                *mode;
    ngx_pool_cleanup_t  *cln;

    /* plain value merges; none of these touch OpenSSL */

    ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
                              NGX_MAIL_STARTTLS_OFF);
    ngx_conf_merge_value(conf->session_timeout, prev->session_timeout, 300);
    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /*
     * NOTE(review): the default still enables TLSv1 and TLSv1.1, which
     * RFC 8996 deprecates; a stricter baseline needs an explicit
     * "ssl_protocols" directive
     */
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                                 (NGX_CONF_BITMASK_SET
                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
                                  |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

    ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
    ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
                             NULL);
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
    ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                             NGX_DEFAULT_ECDH_CURVE);
    ngx_conf_merge_str_value(conf->client_certificate,
                             prev->client_certificate, "");
    ngx_conf_merge_str_value(conf->trusted_certificate,
                             prev->trusted_certificate, "");
    ngx_conf_merge_str_value(conf->crl, prev->crl, "");
    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
    ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);

    conf->ssl.log = cf->log;

    /* no SSL_CTX is needed unless the server uses TLS in some form */

    if (!conf->listen && conf->starttls == NGX_MAIL_STARTTLS_OFF) {
        return NGX_CONF_OK;
    }

    mode = conf->listen ? "listen ... ssl" : "starttls";

    /*
     * file/line locate the directive that enabled TLS; when it was
     * inherited from the enclosing mail{} block, report that location
     */

    if (conf->file == NULL) {
        conf->file = prev->file;
        conf->line = prev->line;
    }

    if (ngx_mail_ssl_check_certificates(cf, conf, mode) != NGX_CONF_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /* tie the SSL_CTX lifetime to the pool; undo the create on failure */

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        ngx_ssl_cleanup_ctx(&conf->ssl);
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
    /* clients offering an unexpected ALPN protocol are rejected */
    SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
#endif

    /* ciphers go in before the certificates are loaded (ticket #2035) */

    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
                        conf->prefer_server_ciphers)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
                             conf->certificate_keys, conf->passwords)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (ngx_mail_ssl_setup_verify(cf, conf) != NGX_CONF_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /* session cache: "none" unless set; the shared zone is inherited */

    ngx_conf_merge_value(conf->builtin_session_cache,
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

    if (conf->shm_zone == NULL) {
        conf->shm_zone = prev->shm_zone;
    }

    if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
                              conf->certificates, conf->builtin_session_cache,
                              conf->shm_zone, conf->session_timeout)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1);

#ifdef SSL_OP_NO_TICKET
    if (!conf->session_tickets) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
    }
#endif

    ngx_conf_merge_ptr_value(conf->session_ticket_keys,
                             prev->session_ticket_keys, NULL);

    if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /*
     * applied last; ssl_conf_command settings are meant to take effect
     * on top of everything configured above (per the directive's docs)
     */

    if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}
563 | 527 |
577 | 528 |
/*
 * Handler for the "starttls" directive.  Stores the enum value through
 * ngx_conf_set_enum_slot() and, unless "listen ... ssl" already enabled TLS
 * for this server, remembers where the directive was seen so that
 * ngx_mail_ssl_merge_conf() can name that location in its
 * "no ssl_certificate" errors.
 */
static char *
ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t *scf = conf;

    char  *err;

    err = ngx_conf_set_enum_slot(cf, cmd, conf);
    if (err != NGX_CONF_OK) {
        return err;
    }

    /* "listen ... ssl" keeps precedence as the reported location */

    if (scf->listen) {
        return NGX_CONF_OK;
    }

    scf->file = cf->conf_file->file.name.data;
    scf->line = cf->conf_file->line;

    return NGX_CONF_OK;
}
549 | |
550 | |
/*
 * Handler for the "ssl_password_file" directive: reads the passphrase list
 * that ngx_mail_ssl_merge_conf() later hands to ngx_ssl_certificates() for
 * decrypting private keys.  Only one occurrence per level is allowed.
 */
static char *
ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t *scf = conf;

    ngx_str_t  *args;

    if (scf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    args = cf->args->elts;

    /*
     * the passphrases live in memory for the lifetime of the configuration;
     * any scrubbing on cleanup is the responsibility of
     * ngx_ssl_read_password_file() (not visible here - confirm in
     * ngx_event_openssl.c)
     */

    scf->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    return scf->passwords == NULL ? NGX_CONF_ERROR : NGX_CONF_OK;
}
572 |
573 |
/*
 * Handler for the "ssl_session_cache" directive.  Accepts any combination
 * of "off", "none", "builtin", "builtin:<sessions>" and
 * "shared:<name>:<size>"; a shared zone given without an explicit builtin
 * setting disables the builtin cache.  Returns NGX_CONF_OK, or
 * NGX_CONF_ERROR after logging the offending argument.
 */
static char *
ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t *scf = conf;

    size_t       rest;
    ngx_str_t   *args, *arg, name, size;
    ngx_int_t    n;
    ngx_uint_t   i;

    args = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {
        arg = &args[i];

        if (ngx_strcmp(arg->data, "off") == 0) {
            scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(arg->data, "none") == 0) {
            scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(arg->data, "builtin") == 0) {
            scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (arg->len > sizeof("builtin:") - 1
            && ngx_strncmp(arg->data, "builtin:", sizeof("builtin:") - 1) == 0)
        {
            /* explicit builtin cache size, in sessions */

            n = ngx_atoi(arg->data + sizeof("builtin:") - 1,
                         arg->len - (sizeof("builtin:") - 1));
            if (n == NGX_ERROR) {
                goto invalid;
            }

            scf->builtin_session_cache = n;
            continue;
        }

        if (arg->len <= sizeof("shared:") - 1
            || ngx_strncmp(arg->data, "shared:", sizeof("shared:") - 1) != 0)
        {
            goto invalid;
        }

        /* shared:<name>:<size> - the name runs up to the next ':' */

        name.data = arg->data + sizeof("shared:") - 1;
        rest = arg->len - (sizeof("shared:") - 1);

        for (name.len = 0; name.len < rest; name.len++) {
            if (name.data[name.len] == ':') {
                break;
            }
        }

        /* an empty name, or a name without a size after it, is rejected */

        if (name.len == 0 || name.len == rest) {
            goto invalid;
        }

        size.data = name.data + name.len + 1;
        size.len = rest - name.len - 1;

        n = ngx_parse_size(&size);
        if (n == NGX_ERROR) {
            goto invalid;
        }

        if (n < (ngx_int_t) (8 * ngx_pagesize)) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                               "session cache \"%V\" is too small", arg);
            return NGX_CONF_ERROR;
        }

        scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                              &ngx_mail_ssl_module);
        if (scf->shm_zone == NULL) {
            return NGX_CONF_ERROR;
        }

        scf->shm_zone->init = ngx_ssl_session_cache_init;
    }

    /* a shared cache with no explicit builtin setting turns builtin off */

    if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
        scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", arg);

    return NGX_CONF_ERROR;
}
684 |
685 |
/*
 * Post-handler for "ssl_conf_command".  The directive is usable only when
 * the OpenSSL build exposes the SSL_CONF API (SSL_CONF_FLAG_FILE); on other
 * builds the directive is rejected at configuration time.
 */
static char *
ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifdef SSL_CONF_FLAG_FILE
    return NGX_CONF_OK;
#else
    return "is not supported on this platform";
#endif
}