nginx: src/stream/ngx_stream_ssl

annotate src/stream/ngx_stream_ssl_module.c @ 9274:46ecad404a29 default tip

Mail: reset imap tag to empty after authentication attempt. We need to reset the imap tag to empty after an authentication attempt completes, otherwise if the next line parsed is incomplete with no tag (e.g. empty line) then we use the "tag" from the previous buffer which is now definitely wrong and has been partially overwritten with the most recently read data (e.g. CRLF). An example before this patch: S: * OK IMAP4 ready C: foobar login a b S: foobar NO Incorrect username or password. C: S: S: obar BAD invalid command Then with this patch: S: * OK IMAP4 ready C: foobar login a b S: foobar NO Incorrect username or password. C: S: * BAD invalid command

author	Rob Mueller <robm@fastmailteam.com>
date	Wed, 15 May 2024 10:06:00 +0300
parents	113e2438dbd4
children

rev	line source
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	2 /*
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	3 * Copyright (C) Igor Sysoev
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	4 * Copyright (C) Nginx, Inc.
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	5 */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	6
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	7
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	8 #include <ngx_config.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	9 #include <ngx_core.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	10 #include <ngx_stream.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	11
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	12
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	13 typedef ngx_int_t (ngx_ssl_variable_handler_pt)(ngx_connection_t c,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	14 ngx_pool_t pool, ngx_str_t s);
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	15
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	16
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6550 diff changeset	18 #define NGX_DEFAULT_ECDH_CURVE "auto"
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	19
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	20
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	23 ngx_connection_t *c);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
7471 7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
7940 46a02ed7c966 Style: added missing "static" specifiers. Maxim Dounin <mdounin@mdounin.ru> parents: 7936 diff changeset	26 static int ngx_stream_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad,
46a02ed7c966 Style: added missing "static" specifiers. Maxim Dounin <mdounin@mdounin.ru> parents: 7936 diff changeset	27 void *arg);
7471 7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	28 #endif
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	29 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	30 static int ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	31 const unsigned char *out, unsigned char outlen,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	32 const unsigned char in, unsigned int inlen, void arg);
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	33 #endif
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	34 #ifdef SSL_R_CERT_CB_ERROR
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	35 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t ssl_conn, void arg);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	36 #endif
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	37 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	38 ngx_stream_variable_value_t *v, uintptr_t data);
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	39 static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	40 ngx_stream_variable_value_t *v, uintptr_t data);
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	41
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	42 static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf);
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	43 static void ngx_stream_ssl_create_conf(ngx_conf_t cf);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	44 static char ngx_stream_ssl_merge_conf(ngx_conf_t cf, void *parent,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	45 void *child);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	46
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	47 static ngx_int_t ngx_stream_ssl_compile_certificates(ngx_conf_t *cf,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	48 ngx_stream_ssl_conf_t *conf);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	49
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	50 static char ngx_stream_ssl_password_file(ngx_conf_t cf, ngx_command_t *cmd,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	51 void *conf);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	52 static char ngx_stream_ssl_session_cache(ngx_conf_t cf, ngx_command_t *cmd,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	53 void *conf);
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	54 static char ngx_stream_ssl_alpn(ngx_conf_t cf, ngx_command_t *cmd,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	55 void *conf);
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	56
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	57 static char ngx_stream_ssl_conf_command_check(ngx_conf_t cf, void *post,
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	58 void *data);
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	59
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	60 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	61
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	62
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	63 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	64 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	65 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	66 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	67 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	68 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
6981 08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6871 diff changeset	69 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	70 { ngx_null_string, 0 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	71 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	72
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	73
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	74 static ngx_conf_enum_t ngx_stream_ssl_verify[] = {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	75 { ngx_string("off"), 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	76 { ngx_string("on"), 1 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	77 { ngx_string("optional"), 2 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	78 { ngx_string("optional_no_ca"), 3 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	79 { ngx_null_string, 0 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	80 };
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	81
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	82
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	83 static ngx_conf_post_t ngx_stream_ssl_conf_command_post =
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	84 { ngx_stream_ssl_conf_command_check };
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	85
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	86
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	87 static ngx_command_t ngx_stream_ssl_commands[] = {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	88
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	89 { ngx_string("ssl_handshake_timeout"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	90 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	91 ngx_conf_set_msec_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	92 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	93 offsetof(ngx_stream_ssl_conf_t, handshake_timeout),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	94 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	95
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	96 { ngx_string("ssl_certificate"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	97 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	98 ngx_conf_set_str_array_slot,
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	99 NGX_STREAM_SRV_CONF_OFFSET,
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	100 offsetof(ngx_stream_ssl_conf_t, certificates),
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	101 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	102
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	103 { ngx_string("ssl_certificate_key"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	104 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	105 ngx_conf_set_str_array_slot,
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	106 NGX_STREAM_SRV_CONF_OFFSET,
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	107 offsetof(ngx_stream_ssl_conf_t, certificate_keys),
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	108 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	109
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	110 { ngx_string("ssl_password_file"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	111 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	112 ngx_stream_ssl_password_file,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	113 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	114 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	115 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	116
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	117 { ngx_string("ssl_dhparam"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	118 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	119 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	120 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	121 offsetof(ngx_stream_ssl_conf_t, dhparam),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	122 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	123
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	124 { ngx_string("ssl_ecdh_curve"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	125 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	126 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	127 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	128 offsetof(ngx_stream_ssl_conf_t, ecdh_curve),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	129 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	130
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	131 { ngx_string("ssl_protocols"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	132 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_1MORE,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	133 ngx_conf_set_bitmask_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	134 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	135 offsetof(ngx_stream_ssl_conf_t, protocols),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	136 &ngx_stream_ssl_protocols },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	137
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	138 { ngx_string("ssl_ciphers"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	139 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	140 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	141 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	142 offsetof(ngx_stream_ssl_conf_t, ciphers),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	143 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	144
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	145 { ngx_string("ssl_verify_client"),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	146 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	147 ngx_conf_set_enum_slot,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	148 NGX_STREAM_SRV_CONF_OFFSET,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	149 offsetof(ngx_stream_ssl_conf_t, verify),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	150 &ngx_stream_ssl_verify },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	151
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	152 { ngx_string("ssl_verify_depth"),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	153 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	154 ngx_conf_set_num_slot,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	155 NGX_STREAM_SRV_CONF_OFFSET,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	156 offsetof(ngx_stream_ssl_conf_t, verify_depth),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	157 NULL },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	158
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	159 { ngx_string("ssl_client_certificate"),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	160 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	161 ngx_conf_set_str_slot,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	162 NGX_STREAM_SRV_CONF_OFFSET,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	163 offsetof(ngx_stream_ssl_conf_t, client_certificate),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	164 NULL },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	165
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	166 { ngx_string("ssl_trusted_certificate"),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	167 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	168 ngx_conf_set_str_slot,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	169 NGX_STREAM_SRV_CONF_OFFSET,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	170 offsetof(ngx_stream_ssl_conf_t, trusted_certificate),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	171 NULL },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	172
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	173 { ngx_string("ssl_prefer_server_ciphers"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	174 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_FLAG,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	175 ngx_conf_set_flag_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	176 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	177 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	178 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	179
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	180 { ngx_string("ssl_session_cache"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	181 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE12,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	182 ngx_stream_ssl_session_cache,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	183 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	184 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	185 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	186
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	187 { ngx_string("ssl_session_tickets"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	188 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_FLAG,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	189 ngx_conf_set_flag_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	190 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	191 offsetof(ngx_stream_ssl_conf_t, session_tickets),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	192 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	193
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	194 { ngx_string("ssl_session_ticket_key"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	195 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	196 ngx_conf_set_str_array_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	197 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	198 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	199 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	200
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	201 { ngx_string("ssl_session_timeout"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	202 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	203 ngx_conf_set_sec_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	204 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	205 offsetof(ngx_stream_ssl_conf_t, session_timeout),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	206 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	207
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	208 { ngx_string("ssl_crl"),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	209 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	210 ngx_conf_set_str_slot,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	211 NGX_STREAM_SRV_CONF_OFFSET,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	212 offsetof(ngx_stream_ssl_conf_t, crl),
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	213 NULL },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	214
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	215 { ngx_string("ssl_conf_command"),
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	216 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE2,
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	217 ngx_conf_set_keyval_slot,
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	218 NGX_STREAM_SRV_CONF_OFFSET,
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	219 offsetof(ngx_stream_ssl_conf_t, conf_commands),
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	220 &ngx_stream_ssl_conf_command_post },
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	221
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	222 { ngx_string("ssl_alpn"),
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	223 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_1MORE,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	224 ngx_stream_ssl_alpn,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	225 NGX_STREAM_SRV_CONF_OFFSET,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	226 0,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	227 NULL },
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	228
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	229 ngx_null_command
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	230 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	231
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	232
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	233 static ngx_stream_module_t ngx_stream_ssl_module_ctx = {
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	234 ngx_stream_ssl_add_variables, /* preconfiguration */
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	235 ngx_stream_ssl_init, /* postconfiguration */
6174 68c106e6fa0a Stream: added postconfiguration method to stream modules. Vladimir Homutov <vl@nginx.com> parents: 6157 diff changeset	236
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	237 NULL, /* create main configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	238 NULL, /* init main configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	239
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	240 ngx_stream_ssl_create_conf, /* create server configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	241 ngx_stream_ssl_merge_conf /* merge server configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	242 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	243
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	244
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	245 ngx_module_t ngx_stream_ssl_module = {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	246 NGX_MODULE_V1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	247 &ngx_stream_ssl_module_ctx, /* module context */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	248 ngx_stream_ssl_commands, /* module directives */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	249 NGX_STREAM_MODULE, /* module type */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	250 NULL, /* init master */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	251 NULL, /* init module */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	252 NULL, /* init process */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	253 NULL, /* init thread */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	254 NULL, /* exit thread */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	255 NULL, /* exit process */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	256 NULL, /* exit master */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	257 NGX_MODULE_V1_PADDING
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	258 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	259
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	260
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	261 static ngx_stream_variable_t ngx_stream_ssl_vars[] = {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	262
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	263 { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	264 (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	265
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	266 { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	267 (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 },
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	268
6816 ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6693 diff changeset	269 { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable,
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6693 diff changeset	270 (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 },
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6693 diff changeset	271
7973 3443c02ca1d1 SSL: $ssl_curve (ticket #2135). Sergey Kandaurov <pluknet@nginx.com> parents: 7940 diff changeset	272 { ngx_string("ssl_curve"), NULL, ngx_stream_ssl_variable,
3443c02ca1d1 SSL: $ssl_curve (ticket #2135). Sergey Kandaurov <pluknet@nginx.com> parents: 7940 diff changeset	273 (uintptr_t) ngx_ssl_get_curve, NGX_STREAM_VAR_CHANGEABLE, 0 },
3443c02ca1d1 SSL: $ssl_curve (ticket #2135). Sergey Kandaurov <pluknet@nginx.com> parents: 7940 diff changeset	274
6817 e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	275 { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	276 (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	277
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	278 { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	279 (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	280
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	281 { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	282 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 },
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	283
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	284 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	285 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 },
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	286
7935 eb6c77e6d55d SSL: added $ssl_alpn_protocol variable. Vladimir Homutov <vl@nginx.com> parents: 7904 diff changeset	287 { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable,
eb6c77e6d55d SSL: added $ssl_alpn_protocol variable. Vladimir Homutov <vl@nginx.com> parents: 7904 diff changeset	288 (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },
eb6c77e6d55d SSL: added $ssl_alpn_protocol variable. Vladimir Homutov <vl@nginx.com> parents: 7904 diff changeset	289
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	290 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	291 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	292
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	293 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	294 (uintptr_t) ngx_ssl_get_raw_certificate,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	295 NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	296
7091 82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7077 diff changeset	297 { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable,
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7077 diff changeset	298 (uintptr_t) ngx_ssl_get_escaped_certificate,
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7077 diff changeset	299 NGX_STREAM_VAR_CHANGEABLE, 0 },
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7077 diff changeset	300
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	301 { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	302 (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	303
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	304 { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	305 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	306
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	307 { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	308 (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	309
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	310 { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	311 (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	312
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	313 { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	314 (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	315
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	316 { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	317 (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	318
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	319 { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	320 (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	321
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	322 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	323 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	324
7077 2a288909abc6 Variables: macros for null variables. Ruslan Ermilov <ru@nginx.com> parents: 7009 diff changeset	325 ngx_stream_null_variable
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	326 };
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	327
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	328
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	329 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM");
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	330
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	331
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	332 static ngx_int_t
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	333 ngx_stream_ssl_handler(ngx_stream_session_t *s)
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	334 {
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	335 long rc;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	336 X509 *cert;
6871 1818acd8442f Stream: client SSL certificates were not checked in some cases. Vladimir Homutov <vl@nginx.com> parents: 6870 diff changeset	337 ngx_int_t rv;
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	338 ngx_connection_t *c;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	339 ngx_stream_ssl_conf_t *sslcf;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	340
6870 0a08a8babf53 Stream: fixed handling of non-ssl sessions. Vladimir Homutov <vl@nginx.com> parents: 6850 diff changeset	341 if (!s->ssl) {
0a08a8babf53 Stream: fixed handling of non-ssl sessions. Vladimir Homutov <vl@nginx.com> parents: 6850 diff changeset	342 return NGX_OK;
0a08a8babf53 Stream: fixed handling of non-ssl sessions. Vladimir Homutov <vl@nginx.com> parents: 6850 diff changeset	343 }
0a08a8babf53 Stream: fixed handling of non-ssl sessions. Vladimir Homutov <vl@nginx.com> parents: 6850 diff changeset	344
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	345 c = s->connection;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	346
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	347 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	348
6870 0a08a8babf53 Stream: fixed handling of non-ssl sessions. Vladimir Homutov <vl@nginx.com> parents: 6850 diff changeset	349 if (c->ssl == NULL) {
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	350 c->log->action = "SSL handshaking";
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	351
6871 1818acd8442f Stream: client SSL certificates were not checked in some cases. Vladimir Homutov <vl@nginx.com> parents: 6870 diff changeset	352 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c);
1818acd8442f Stream: client SSL certificates were not checked in some cases. Vladimir Homutov <vl@nginx.com> parents: 6870 diff changeset	353
1818acd8442f Stream: client SSL certificates were not checked in some cases. Vladimir Homutov <vl@nginx.com> parents: 6870 diff changeset	354 if (rv != NGX_OK) {
1818acd8442f Stream: client SSL certificates were not checked in some cases. Vladimir Homutov <vl@nginx.com> parents: 6870 diff changeset	355 return rv;
1818acd8442f Stream: client SSL certificates were not checked in some cases. Vladimir Homutov <vl@nginx.com> parents: 6870 diff changeset	356 }
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	357 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	358
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	359 if (sslcf->verify) {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	360 rc = SSL_get_verify_result(c->ssl->connection);
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	361
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	362 if (rc != X509_V_OK
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	363 && (sslcf->verify != 3 \|\| !ngx_ssl_verify_error_optional(rc)))
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	364 {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	365 ngx_log_error(NGX_LOG_INFO, c->log, 0,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	366 "client SSL certificate verify error: (%l:%s)",
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	367 rc, X509_verify_cert_error_string(rc));
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	368
7193 9d14931cec8c SSL: using default server context in session remove (closes #1464). Sergey Kandaurov <pluknet@nginx.com> parents: 7091 diff changeset	369 ngx_ssl_remove_cached_session(c->ssl->session_ctx,
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	370 (SSL_get0_session(c->ssl->connection)));
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	371 return NGX_ERROR;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	372 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	373
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	374 if (sslcf->verify == 1) {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	375 cert = SSL_get_peer_certificate(c->ssl->connection);
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	376
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	377 if (cert == NULL) {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	378 ngx_log_error(NGX_LOG_INFO, c->log, 0,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	379 "client sent no required SSL certificate");
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	380
7193 9d14931cec8c SSL: using default server context in session remove (closes #1464). Sergey Kandaurov <pluknet@nginx.com> parents: 7091 diff changeset	381 ngx_ssl_remove_cached_session(c->ssl->session_ctx,
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	382 (SSL_get0_session(c->ssl->connection)));
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	383 return NGX_ERROR;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	384 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	385
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	386 X509_free(cert);
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	387 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	388 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	389
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	390 return NGX_OK;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	391 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	392
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	393
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	394 static ngx_int_t
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	395 ngx_stream_ssl_init_connection(ngx_ssl_t ssl, ngx_connection_t c)
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	396 {
7008 29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	397 ngx_int_t rc;
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	398 ngx_stream_session_t *s;
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	399 ngx_stream_ssl_conf_t *sslcf;
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	400 ngx_stream_core_srv_conf_t *cscf;
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	401
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	402 s = c->data;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	403
7008 29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	404 cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	405
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	406 if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	407 return NGX_ERROR;
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	408 }
29c6d66b83ba SSL: set TCP_NODELAY on SSL connections before handshake. Maxim Dounin <mdounin@mdounin.ru> parents: 6981 diff changeset	409
7009 03444167a3bb Style: changed checks of ngx_ssl_create_connection() to != NGX_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7008 diff changeset	410 if (ngx_ssl_create_connection(ssl, c, 0) != NGX_OK) {
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	411 return NGX_ERROR;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	412 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	413
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	414 rc = ngx_ssl_handshake(c);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	415
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	416 if (rc == NGX_ERROR) {
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	417 return NGX_ERROR;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	418 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	419
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	420 if (rc == NGX_AGAIN) {
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	421 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	422
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	423 ngx_add_timer(c->read, sslcf->handshake_timeout);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	424
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	425 c->ssl->handler = ngx_stream_ssl_handshake_handler;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	426
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	427 return NGX_AGAIN;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	428 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	429
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	430 /* rc == NGX_OK */
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	431
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	432 return NGX_OK;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	433 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	434
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	435
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	436 static void
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	437 ngx_stream_ssl_handshake_handler(ngx_connection_t *c)
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	438 {
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	439 ngx_stream_session_t *s;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	440
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	441 s = c->data;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	442
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	443 if (!c->ssl->handshaked) {
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	444 ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	445 return;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	446 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	447
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	448 if (c->read->timer_set) {
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	449 ngx_del_timer(c->read);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	450 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	451
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	452 ngx_stream_core_run_phases(s);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	453 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	454
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	455
7471 7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	456 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	457
7940 46a02ed7c966 Style: added missing "static" specifiers. Maxim Dounin <mdounin@mdounin.ru> parents: 7936 diff changeset	458 static int
7471 7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	459 ngx_stream_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	460 {
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	461 return SSL_TLSEXT_ERR_OK;
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	462 }
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	463
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	464 #endif
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	465
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	466
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	467 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	468
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	469 static int
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	470 ngx_stream_ssl_alpn_select(ngx_ssl_conn_t ssl_conn, const unsigned char *out,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	471 unsigned char outlen, const unsigned char in, unsigned int inlen,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	472 void *arg)
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	473 {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	474 ngx_str_t *alpn;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	475 #if (NGX_DEBUG)
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	476 unsigned int i;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	477 ngx_connection_t *c;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	478
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	479 c = ngx_ssl_get_connection(ssl_conn);
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	480
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	481 for (i = 0; i < inlen; i += in[i] + 1) {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	482 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	483 "SSL ALPN supported by client: %*s",
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	484 (size_t) in[i], &in[i + 1]);
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	485 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	486
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	487 #endif
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	488
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	489 alpn = arg;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	490
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	491 if (SSL_select_next_proto((unsigned char **) out, outlen, alpn->data,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	492 alpn->len, in, inlen)
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	493 != OPENSSL_NPN_NEGOTIATED)
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	494 {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	495 return SSL_TLSEXT_ERR_ALERT_FATAL;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	496 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	497
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	498 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	499 "SSL ALPN selected: %s", (size_t) outlen, *out);
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	500
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	501 return SSL_TLSEXT_ERR_OK;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	502 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	503
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	504 #endif
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	505
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	506
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	507 #ifdef SSL_R_CERT_CB_ERROR
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	508
7940 46a02ed7c966 Style: added missing "static" specifiers. Maxim Dounin <mdounin@mdounin.ru> parents: 7936 diff changeset	509 static int
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	510 ngx_stream_ssl_certificate(ngx_ssl_conn_t ssl_conn, void arg)
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	511 {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	512 ngx_str_t cert, key;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	513 ngx_uint_t i, nelts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	514 ngx_connection_t *c;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	515 ngx_stream_session_t *s;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	516 ngx_stream_ssl_conf_t *sslcf;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	517 ngx_stream_complex_value_t certs, keys;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	518
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	519 c = ngx_ssl_get_connection(ssl_conn);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	520
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	521 if (c->ssl->handshaked) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	522 return 0;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	523 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	524
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	525 s = c->data;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	526
7466 48c87377aabd SSL: fixed possible segfault with dynamic certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 7465 diff changeset	527 sslcf = arg;
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	528
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	529 nelts = sslcf->certificate_values->nelts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	530 certs = sslcf->certificate_values->elts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	531 keys = sslcf->certificate_key_values->elts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	532
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	533 for (i = 0; i < nelts; i++) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	534
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	535 if (ngx_stream_complex_value(s, &certs[i], &cert) != NGX_OK) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	536 return 0;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	537 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	538
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	539 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	540 "ssl cert: \"%s\"", cert.data);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	541
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	542 if (ngx_stream_complex_value(s, &keys[i], &key) != NGX_OK) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	543 return 0;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	544 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	545
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	546 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	547 "ssl key: \"%s\"", key.data);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	548
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	549 if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	550 sslcf->passwords)
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	551 != NGX_OK)
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	552 {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	553 return 0;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	554 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	555 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	556
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	557 return 1;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	558 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	559
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	560 #endif
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	561
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	562
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	563 static ngx_int_t
6611 85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	564 ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	565 ngx_stream_variable_value_t *v, uintptr_t data)
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	566 {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	567 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	568
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	569 size_t len;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	570 ngx_str_t str;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	571
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	572 if (s->connection->ssl) {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	573
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	574 (void) handler(s->connection, NULL, &str);
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	575
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	576 v->data = str.data;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	577
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	578 for (len = 0; v->data[len]; len++) { /* void */ }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	579
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	580 v->len = len;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	581 v->valid = 1;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	582 v->no_cacheable = 0;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	583 v->not_found = 0;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	584
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	585 return NGX_OK;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	586 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	587
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	588 v->not_found = 1;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	589
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	590 return NGX_OK;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	591 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	592
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	593
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	594 static ngx_int_t
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	595 ngx_stream_ssl_variable(ngx_stream_session_t *s,
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	596 ngx_stream_variable_value_t *v, uintptr_t data)
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	597 {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	598 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	599
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	600 ngx_str_t str;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	601
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	602 if (s->connection->ssl) {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	603
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	604 if (handler(s->connection, s->connection->pool, &str) != NGX_OK) {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	605 return NGX_ERROR;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	606 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	607
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	608 v->len = str.len;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	609 v->data = str.data;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	610
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	611 if (v->len) {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	612 v->valid = 1;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	613 v->no_cacheable = 0;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	614 v->not_found = 0;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	615
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	616 return NGX_OK;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	617 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	618 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	619
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	620 v->not_found = 1;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	621
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	622 return NGX_OK;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	623 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	624
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	625
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	626 static ngx_int_t
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	627 ngx_stream_ssl_add_variables(ngx_conf_t *cf)
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	628 {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	629 ngx_stream_variable_t var, v;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	630
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	631 for (v = ngx_stream_ssl_vars; v->name.len; v++) {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	632 var = ngx_stream_add_variable(cf, &v->name, v->flags);
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	633 if (var == NULL) {
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	634 return NGX_ERROR;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	635 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	636
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	637 var->get_handler = v->get_handler;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	638 var->data = v->data;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	639 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	640
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	641 return NGX_OK;
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	642 }
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	643
85e7bcb37d6b Stream: SSL-related variables. Vladimir Homutov <vl@nginx.com> parents: 6606 diff changeset	644
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	645 static void *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	646 ngx_stream_ssl_create_conf(ngx_conf_t *cf)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	647 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	648 ngx_stream_ssl_conf_t *scf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	649
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	650 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t));
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	651 if (scf == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	652 return NULL;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	653 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	654
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	655 /*
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	656 * set by ngx_pcalloc():
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	657 *
7269 7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	658 * scf->listen = 0;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	659 * scf->protocols = 0;
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	660 * scf->certificate_values = NULL;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	661 * scf->dhparam = { 0, NULL };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	662 * scf->ecdh_curve = { 0, NULL };
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	663 * scf->client_certificate = { 0, NULL };
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	664 * scf->trusted_certificate = { 0, NULL };
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	665 * scf->crl = { 0, NULL };
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	666 * scf->alpn = { 0, NULL };
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	667 * scf->ciphers = { 0, NULL };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	668 * scf->shm_zone = NULL;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	669 */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	670
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	671 scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	672 scf->certificates = NGX_CONF_UNSET_PTR;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	673 scf->certificate_keys = NGX_CONF_UNSET_PTR;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	674 scf->passwords = NGX_CONF_UNSET_PTR;
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	675 scf->conf_commands = NGX_CONF_UNSET_PTR;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	676 scf->prefer_server_ciphers = NGX_CONF_UNSET;
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	677 scf->verify = NGX_CONF_UNSET_UINT;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	678 scf->verify_depth = NGX_CONF_UNSET_UINT;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	679 scf->builtin_session_cache = NGX_CONF_UNSET;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	680 scf->session_timeout = NGX_CONF_UNSET;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	681 scf->session_tickets = NGX_CONF_UNSET;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	682 scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	683
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	684 return scf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	685 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	686
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	687
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	688 static char *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	689 ngx_stream_ssl_merge_conf(ngx_conf_t cf, void parent, void *child)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	690 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	691 ngx_stream_ssl_conf_t *prev = parent;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	692 ngx_stream_ssl_conf_t *conf = child;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	693
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	694 ngx_pool_cleanup_t *cln;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	695
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	696 ngx_conf_merge_msec_value(conf->handshake_timeout,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	697 prev->handshake_timeout, 60000);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	698
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	699 ngx_conf_merge_value(conf->session_timeout,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	700 prev->session_timeout, 300);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	701
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	702 ngx_conf_merge_value(conf->prefer_server_ciphers,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	703 prev->prefer_server_ciphers, 0);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	704
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	705 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
8152 d1cf09451ae8 SSL: enabled TLSv1.3 by default. Maxim Dounin <mdounin@mdounin.ru> parents: 8088 diff changeset	706 (NGX_CONF_BITMASK_SET
d1cf09451ae8 SSL: enabled TLSv1.3 by default. Maxim Dounin <mdounin@mdounin.ru> parents: 8088 diff changeset	707 \|NGX_SSL_TLSv1\|NGX_SSL_TLSv1_1
d1cf09451ae8 SSL: enabled TLSv1.3 by default. Maxim Dounin <mdounin@mdounin.ru> parents: 8088 diff changeset	708 \|NGX_SSL_TLSv1_2\|NGX_SSL_TLSv1_3));
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	709
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	710 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	711 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	712
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	713 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	714 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	715 NULL);
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	716
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	717 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	718
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	719 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	720
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	721 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	722 "");
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	723 ngx_conf_merge_str_value(conf->trusted_certificate,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	724 prev->trusted_certificate, "");
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	725 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	726 ngx_conf_merge_str_value(conf->alpn, prev->alpn, "");
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	727
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	728 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	729 NGX_DEFAULT_ECDH_CURVE);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	730
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	731 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	732
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	733 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	734
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	735
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	736 conf->ssl.log = cf->log;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	737
7269 7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	738 if (!conf->listen) {
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	739 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	740 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	741
7269 7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	742 if (conf->certificates == NULL) {
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	743 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	744 "no \"ssl_certificate\" is defined for "
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	745 "the \"listen ... ssl\" directive in %s:%ui",
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	746 conf->file, conf->line);
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	747 return NGX_CONF_ERROR;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	748 }
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	749
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	750 if (conf->certificate_keys == NULL) {
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	751 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	752 "no \"ssl_certificate_key\" is defined for "
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	753 "the \"listen ... ssl\" directive in %s:%ui",
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	754 conf->file, conf->line);
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	755 return NGX_CONF_ERROR;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	756 }
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	757
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	758 if (conf->certificate_keys->nelts < conf->certificates->nelts) {
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	759 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	760 "no \"ssl_certificate_key\" is defined "
7269 7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	761 "for certificate \"%V\" and "
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	762 "the \"listen ... ssl\" directive in %s:%ui",
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6489 diff changeset	763 ((ngx_str_t *) conf->certificates->elts)
7269 7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	764 + conf->certificates->nelts - 1,
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 7193 diff changeset	765 conf->file, conf->line);
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	766 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	767 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	768
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	769 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	770 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	771 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	772
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	773 cln = ngx_pool_cleanup_add(cf->pool, 0);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	774 if (cln == NULL) {
7473 8981dbb12254 SSL: fixed potential leak on memory allocation errors. Maxim Dounin <mdounin@mdounin.ru> parents: 7471 diff changeset	775 ngx_ssl_cleanup_ctx(&conf->ssl);
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	776 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	777 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	778
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	779 cln->handler = ngx_ssl_cleanup_ctx;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	780 cln->data = &conf->ssl;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	781
7471 7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	782 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	783 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	784 ngx_stream_ssl_servername);
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	785 #endif
7e8bcba6d039 SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. Maxim Dounin <mdounin@mdounin.ru> parents: 7466 diff changeset	786
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	787 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	788 if (conf->alpn.len) {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	789 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_stream_ssl_alpn_select,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	790 &conf->alpn);
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	791 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	792 #endif
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	793
7904 419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035). Maxim Dounin <mdounin@mdounin.ru> parents: 7787 diff changeset	794 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035). Maxim Dounin <mdounin@mdounin.ru> parents: 7787 diff changeset	795 conf->prefer_server_ciphers)
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035). Maxim Dounin <mdounin@mdounin.ru> parents: 7787 diff changeset	796 != NGX_OK)
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035). Maxim Dounin <mdounin@mdounin.ru> parents: 7787 diff changeset	797 {
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035). Maxim Dounin <mdounin@mdounin.ru> parents: 7787 diff changeset	798 return NGX_CONF_ERROR;
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035). Maxim Dounin <mdounin@mdounin.ru> parents: 7787 diff changeset	799 }
419c066cb710 SSL: ciphers now set before loading certificates (ticket #2035). Maxim Dounin <mdounin@mdounin.ru> parents: 7787 diff changeset	800
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	801 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	802 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	803 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	804
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	805 if (conf->certificate_values) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	806
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	807 #ifdef SSL_R_CERT_CB_ERROR
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	808
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	809 /* install callback to lookup certificates */
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	810
7466 48c87377aabd SSL: fixed possible segfault with dynamic certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 7465 diff changeset	811 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, conf);
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	812
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	813 #else
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	814 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	815 "variables in "
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	816 "\"ssl_certificate\" and \"ssl_certificate_key\" "
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	817 "directives are not supported on this platform");
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	818 return NGX_CONF_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	819 #endif
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	820
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	821 } else {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	822
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	823 /* configure certificates */
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	824
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	825 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	826 conf->certificate_keys, conf->passwords)
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	827 != NGX_OK)
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	828 {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	829 return NGX_CONF_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	830 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	831 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	832
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	833 if (conf->verify) {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	834
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	835 if (conf->client_certificate.len == 0 && conf->verify != 3) {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	836 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
7567 ef7ee19776db SSL: fixed ssl_verify_client error message. Sergey Kandaurov <pluknet@nginx.com> parents: 7473 diff changeset	837 "no ssl_client_certificate for ssl_verify_client");
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	838 return NGX_CONF_ERROR;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	839 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	840
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	841 if (ngx_ssl_client_certificate(cf, &conf->ssl,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	842 &conf->client_certificate,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	843 conf->verify_depth)
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	844 != NGX_OK)
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	845 {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	846 return NGX_CONF_ERROR;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	847 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	848
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	849 if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	850 &conf->trusted_certificate,
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	851 conf->verify_depth)
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	852 != NGX_OK)
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	853 {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	854 return NGX_CONF_ERROR;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	855 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	856
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	857 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	858 return NGX_CONF_ERROR;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	859 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	860 }
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6817 diff changeset	861
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	862 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	863 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	864 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	865
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	866 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	867 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	868 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	869
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	870 ngx_conf_merge_value(conf->builtin_session_cache,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	871 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	872
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	873 if (conf->shm_zone == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	874 conf->shm_zone = prev->shm_zone;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	875 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	876
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	877 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
7465 6708bec13757 SSL: adjusted session id context with dynamic certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 7464 diff changeset	878 conf->certificates, conf->builtin_session_cache,
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	879 conf->shm_zone, conf->session_timeout)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	880 != NGX_OK)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	881 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	882 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	883 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	884
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	885 ngx_conf_merge_value(conf->session_tickets,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	886 prev->session_tickets, 1);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	887
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	888 #ifdef SSL_OP_NO_TICKET
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	889 if (!conf->session_tickets) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	890 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	891 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	892 #endif
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	893
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	894 ngx_conf_merge_ptr_value(conf->session_ticket_keys,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	895 prev->session_ticket_keys, NULL);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	896
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	897 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	898 != NGX_OK)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	899 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	900 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	901 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	902
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	903 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	904 return NGX_CONF_ERROR;
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	905 }
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	906
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	907 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	908 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	909
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	910
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	911 static ngx_int_t
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	912 ngx_stream_ssl_compile_certificates(ngx_conf_t *cf,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	913 ngx_stream_ssl_conf_t *conf)
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	914 {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	915 ngx_str_t cert, key;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	916 ngx_uint_t i, nelts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	917 ngx_stream_complex_value_t *cv;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	918 ngx_stream_compile_complex_value_t ccv;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	919
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	920 cert = conf->certificates->elts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	921 key = conf->certificate_keys->elts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	922 nelts = conf->certificates->nelts;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	923
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	924 for (i = 0; i < nelts; i++) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	925
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	926 if (ngx_stream_script_variables_count(&cert[i])) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	927 goto found;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	928 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	929
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	930 if (ngx_stream_script_variables_count(&key[i])) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	931 goto found;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	932 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	933 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	934
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	935 return NGX_OK;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	936
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	937 found:
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	938
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	939 conf->certificate_values = ngx_array_create(cf->pool, nelts,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	940 sizeof(ngx_stream_complex_value_t));
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	941 if (conf->certificate_values == NULL) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	942 return NGX_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	943 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	944
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	945 conf->certificate_key_values = ngx_array_create(cf->pool, nelts,
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	946 sizeof(ngx_stream_complex_value_t));
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	947 if (conf->certificate_key_values == NULL) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	948 return NGX_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	949 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	950
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	951 for (i = 0; i < nelts; i++) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	952
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	953 cv = ngx_array_push(conf->certificate_values);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	954 if (cv == NULL) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	955 return NGX_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	956 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	957
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	958 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t));
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	959
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	960 ccv.cf = cf;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	961 ccv.value = &cert[i];
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	962 ccv.complex_value = cv;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	963 ccv.zero = 1;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	964
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	965 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	966 return NGX_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	967 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	968
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	969 cv = ngx_array_push(conf->certificate_key_values);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	970 if (cv == NULL) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	971 return NGX_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	972 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	973
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	974 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t));
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	975
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	976 ccv.cf = cf;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	977 ccv.value = &key[i];
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	978 ccv.complex_value = cv;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	979 ccv.zero = 1;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	980
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	981 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	982 return NGX_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	983 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	984 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	985
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	986 conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	987 if (conf->passwords == NULL) {
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	988 return NGX_ERROR;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	989 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	990
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	991 return NGX_OK;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	992 }
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	993
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	994
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	995 static char *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	996 ngx_stream_ssl_password_file(ngx_conf_t cf, ngx_command_t cmd, void *conf)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	997 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	998 ngx_stream_ssl_conf_t *scf = conf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	999
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1000 ngx_str_t *value;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1001
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1002 if (scf->passwords != NGX_CONF_UNSET_PTR) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1003 return "is duplicate";
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1004 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1005
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1006 value = cf->args->elts;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1007
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1008 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1009
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1010 if (scf->passwords == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1011 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1012 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1013
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1014 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1015 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1016
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1017
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1018 static char *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1019 ngx_stream_ssl_session_cache(ngx_conf_t cf, ngx_command_t cmd, void *conf)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1020 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1021 ngx_stream_ssl_conf_t *scf = conf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1022
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1023 size_t len;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1024 ngx_str_t *value, name, size;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1025 ngx_int_t n;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1026 ngx_uint_t i, j;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1027
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1028 value = cf->args->elts;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1029
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1030 for (i = 1; i < cf->args->nelts; i++) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1031
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1032 if (ngx_strcmp(value[i].data, "off") == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1033 scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1034 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1035 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1036
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1037 if (ngx_strcmp(value[i].data, "none") == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1038 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1039 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1040 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1041
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1042 if (ngx_strcmp(value[i].data, "builtin") == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1043 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1044 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1045 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1046
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1047 if (value[i].len > sizeof("builtin:") - 1
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1048 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1049 == 0)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1050 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1051 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1052 value[i].len - (sizeof("builtin:") - 1));
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1053
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1054 if (n == NGX_ERROR) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1055 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1056 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1057
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1058 scf->builtin_session_cache = n;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1059
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1060 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1061 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1062
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1063 if (value[i].len > sizeof("shared:") - 1
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1064 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1065 == 0)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1066 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1067 len = 0;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1068
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1069 for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1070 if (value[i].data[j] == ':') {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1071 break;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1072 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1073
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1074 len++;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1075 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1076
8088 e32b48848add SSL: improved validation of ssl_session_cache and ssl_ocsp_cache. Sergey Kandaurov <pluknet@nginx.com> parents: 7973 diff changeset	1077 if (len == 0 \|\| j == value[i].len) {
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1078 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1079 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1080
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1081 name.len = len;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1082 name.data = value[i].data + sizeof("shared:") - 1;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1083
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1084 size.len = value[i].len - j - 1;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1085 size.data = name.data + len + 1;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1086
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1087 n = ngx_parse_size(&size);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1088
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1089 if (n == NGX_ERROR) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1090 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1091 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1092
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1093 if (n < (ngx_int_t) (8 * ngx_pagesize)) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1094 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1095 "session cache \"%V\" is too small",
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1096 &value[i]);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1097
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1098 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1099 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1100
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1101 scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1102 &ngx_stream_ssl_module);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1103 if (scf->shm_zone == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1104 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1105 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1106
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1107 scf->shm_zone->init = ngx_ssl_session_cache_init;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1108
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1109 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1110 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1111
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1112 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1113 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1114
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1115 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1116 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1117 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1118
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1119 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1120
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1121 invalid:
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1122
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1123 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1124 "invalid session cache \"%V\"", &value[i]);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1125
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1126 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1127 }
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1128
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1129
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1130 static char *
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1131 ngx_stream_ssl_alpn(ngx_conf_t cf, ngx_command_t cmd, void *conf)
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1132 {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1133 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1134
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1135 ngx_stream_ssl_conf_t *scf = conf;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1136
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1137 u_char *p;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1138 size_t len;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1139 ngx_str_t *value;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1140 ngx_uint_t i;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1141
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1142 if (scf->alpn.len) {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1143 return "is duplicate";
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1144 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1145
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1146 value = cf->args->elts;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1147
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1148 len = 0;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1149
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1150 for (i = 1; i < cf->args->nelts; i++) {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1151
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1152 if (value[i].len > 255) {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1153 return "protocol too long";
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1154 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1155
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1156 len += value[i].len + 1;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1157 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1158
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1159 scf->alpn.data = ngx_pnalloc(cf->pool, len);
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1160 if (scf->alpn.data == NULL) {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1161 return NGX_CONF_ERROR;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1162 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1163
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1164 p = scf->alpn.data;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1165
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1166 for (i = 1; i < cf->args->nelts; i++) {
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1167 *p++ = value[i].len;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1168 p = ngx_cpymem(p, value[i].data, value[i].len);
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1169 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1170
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1171 scf->alpn.len = len;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1172
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1173 return NGX_CONF_OK;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1174
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1175 #else
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1176 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1177 "the \"ssl_alpn\" directive requires OpenSSL "
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1178 "with ALPN support");
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1179 return NGX_CONF_ERROR;
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1180 #endif
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1181 }
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1182
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1183
b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7935 diff changeset	1184 static char *
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1185 ngx_stream_ssl_conf_command_check(ngx_conf_t cf, void post, void *data)
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1186 {
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1187 #ifndef SSL_CONF_FLAG_FILE
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1188 return "is not supported on this platform";
7787 7ce28b4cc57e SSL: fixed build by Sun C with old OpenSSL versions. Maxim Dounin <mdounin@mdounin.ru> parents: 7729 diff changeset	1189 #else
7ce28b4cc57e SSL: fixed build by Sun C with old OpenSSL versions. Maxim Dounin <mdounin@mdounin.ru> parents: 7729 diff changeset	1190 return NGX_CONF_OK;
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1191 #endif
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1192 }
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1193
3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7567 diff changeset	1194
6693 3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1195 static ngx_int_t
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1196 ngx_stream_ssl_init(ngx_conf_t *cf)
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1197 {
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1198 ngx_stream_handler_pt *h;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1199 ngx_stream_core_main_conf_t *cmcf;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1200
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1201 cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1202
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1203 h = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers);
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1204 if (h == NULL) {
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1205 return NGX_ERROR;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1206 }
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1207
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1208 *h = ngx_stream_ssl_handler;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1209
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1210 return NGX_OK;
3908156a51fa Stream: phases. Roman Arutyunyan <arut@nginx.com> parents: 6611 diff changeset	1211 }

Mercurial > hg > nginx

annotate src/stream/ngx_stream_ssl_module.c @ 9274:46ecad404a29 default tip