comparison src/http/modules/ngx_http_ssl_module.c @ 3243:08570d26c7c5 stable-0.7
merge r2995, r2996, r2997, r2998, r3003, r3141, r3210, r3211, r3232:
various SSL fixes and features:
*) $ssl_client_verify
*) "ssl_verify_client ask" was changed to "ssl_verify_client optional"
*) ssl_crl
*) delete OpenSSL pre-0.9.7 compatibility: the sources were not actually
compatible with OpenSSL 0.9.6 since ssl_session_cache introduction
*) fix memory corruption in $ssl_client_cert
*) issue SNI warning instead of failure: this is too common a case
*) use ngx_log_error(), since OpenSSL does not set an error on the failure
*) add SNI support in -V output
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Mon, 26 Oct 2009 16:53:34 +0000 |
parents | 2efa8d2fcde1 |
children | 966f9cf9c7da |
3242:f678ea405737 | 3243:08570d26c7c5 |
---|---|
28 | 28 |
29 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | 29 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, |
30 void *conf); | 30 void *conf); |
31 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 31 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
32 void *conf); | 32 void *conf); |
33 | |
34 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | |
35 | |
36 static char *ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, | |
37 void *conf); | |
38 | |
39 static char ngx_http_ssl_openssl097[] = "OpenSSL 0.9.7 and higher"; | |
40 | |
41 #endif | |
42 | 33 |
43 | 34 |
44 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | 35 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { |
45 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | 36 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
46 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | 37 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, |
50 | 41 |
51 | 42 |
52 static ngx_conf_enum_t ngx_http_ssl_verify[] = { | 43 static ngx_conf_enum_t ngx_http_ssl_verify[] = { |
53 { ngx_string("off"), 0 }, | 44 { ngx_string("off"), 0 }, |
54 { ngx_string("on"), 1 }, | 45 { ngx_string("on"), 1 }, |
55 { ngx_string("ask"), 2 }, | 46 { ngx_string("optional"), 2 }, |
56 { ngx_null_string, 0 } | 47 { ngx_null_string, 0 } |
57 }; | 48 }; |
58 | 49 |
59 | 50 |
60 static ngx_command_t ngx_http_ssl_commands[] = { | 51 static ngx_command_t ngx_http_ssl_commands[] = { |
122 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), | 113 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), |
123 NULL }, | 114 NULL }, |
124 | 115 |
125 { ngx_string("ssl_prefer_server_ciphers"), | 116 { ngx_string("ssl_prefer_server_ciphers"), |
126 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 117 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
127 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE | |
128 ngx_conf_set_flag_slot, | 118 ngx_conf_set_flag_slot, |
129 NGX_HTTP_SRV_CONF_OFFSET, | 119 NGX_HTTP_SRV_CONF_OFFSET, |
130 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | 120 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), |
131 NULL }, | 121 NULL }, |
132 #else | |
133 ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 }, | |
134 #endif | |
135 | 122 |
136 { ngx_string("ssl_session_cache"), | 123 { ngx_string("ssl_session_cache"), |
137 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | 124 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, |
138 ngx_http_ssl_session_cache, | 125 ngx_http_ssl_session_cache, |
139 NGX_HTTP_SRV_CONF_OFFSET, | 126 NGX_HTTP_SRV_CONF_OFFSET, |
143 { ngx_string("ssl_session_timeout"), | 130 { ngx_string("ssl_session_timeout"), |
144 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 131 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
145 ngx_conf_set_sec_slot, | 132 ngx_conf_set_sec_slot, |
146 NGX_HTTP_SRV_CONF_OFFSET, | 133 NGX_HTTP_SRV_CONF_OFFSET, |
147 offsetof(ngx_http_ssl_srv_conf_t, session_timeout), | 134 offsetof(ngx_http_ssl_srv_conf_t, session_timeout), |
135 NULL }, | |
136 | |
137 { ngx_string("ssl_crl"), | |
138 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
139 ngx_conf_set_str_slot, | |
140 NGX_HTTP_SRV_CONF_OFFSET, | |
141 offsetof(ngx_http_ssl_srv_conf_t, crl), | |
148 NULL }, | 142 NULL }, |
149 | 143 |
150 ngx_null_command | 144 ngx_null_command |
151 }; | 145 }; |
152 | 146 |
204 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 198 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
205 | 199 |
206 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable, | 200 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable, |
207 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 201 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
208 | 202 |
203 { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable, | |
204 (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
205 | |
209 { ngx_null_string, NULL, NULL, 0, 0, 0 } | 206 { ngx_null_string, NULL, NULL, 0, 0, 0 } |
210 }; | 207 }; |
211 | 208 |
212 | 209 |
213 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP"); | 210 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP"); |
311 * sscf->protocols = 0; | 308 * sscf->protocols = 0; |
312 * sscf->certificate = { 0, NULL }; | 309 * sscf->certificate = { 0, NULL }; |
313 * sscf->certificate_key = { 0, NULL }; | 310 * sscf->certificate_key = { 0, NULL }; |
314 * sscf->dhparam = { 0, NULL }; | 311 * sscf->dhparam = { 0, NULL }; |
315 * sscf->client_certificate = { 0, NULL }; | 312 * sscf->client_certificate = { 0, NULL }; |
313 * sscf->crl = { 0, NULL }; | |
316 * sscf->ciphers.len = 0; | 314 * sscf->ciphers.len = 0; |
317 * sscf->ciphers.data = NULL; | 315 * sscf->ciphers.data = NULL; |
318 * sscf->shm_zone = NULL; | 316 * sscf->shm_zone = NULL; |
319 */ | 317 */ |
320 | 318 |
357 | 355 |
358 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 356 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
359 | 357 |
360 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, | 358 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
361 ""); | 359 ""); |
360 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); | |
362 | 361 |
363 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 362 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
364 | 363 |
365 | 364 |
366 conf->ssl.log = cf->log; | 365 conf->ssl.log = cf->log; |
405 | 404 |
406 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | 405 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, |
407 ngx_http_ssl_servername) | 406 ngx_http_ssl_servername) |
408 == 0) | 407 == 0) |
409 { | 408 { |
410 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 409 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
411 "SSL_CTX_set_tlsext_servername_callback() failed"); | 410 "nginx was built with SNI support, however, now it is linked " |
412 return NGX_CONF_ERROR; | 411 "dynamically to an OpenSSL library which has no tlsext support, " |
412 "therefore SNI is not available"); | |
413 } | 413 } |
414 | 414 |
415 #endif | 415 #endif |
416 | 416 |
417 cln = ngx_pool_cleanup_add(cf->pool, 0); | 417 cln = ngx_pool_cleanup_add(cf->pool, 0); |
451 conf->verify_depth) | 451 conf->verify_depth) |
452 != NGX_OK) | 452 != NGX_OK) |
453 { | 453 { |
454 return NGX_CONF_ERROR; | 454 return NGX_CONF_ERROR; |
455 } | 455 } |
456 } | 456 |
457 | 457 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
458 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE | 458 return NGX_CONF_ERROR; |
459 } | |
460 } | |
459 | 461 |
460 if (conf->prefer_server_ciphers) { | 462 if (conf->prefer_server_ciphers) { |
461 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | 463 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
462 } | 464 } |
463 | |
464 #endif | |
465 | 465 |
466 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | 466 /* a temporary 512-bit RSA key is required for export versions of MSIE */ |
467 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { | 467 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { |
468 return NGX_CONF_ERROR; | 468 return NGX_CONF_ERROR; |
469 } | 469 } |
618 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 618 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
619 "invalid session cache \"%V\"", &value[i]); | 619 "invalid session cache \"%V\"", &value[i]); |
620 | 620 |
621 return NGX_CONF_ERROR; | 621 return NGX_CONF_ERROR; |
622 } | 622 } |
623 | |
624 | |
625 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | |
626 | |
627 static char * | |
628 ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
629 { | |
630 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
631 "\"%V\" directive is available only in %s,", | |
632 &cmd->name, cmd->post); | |
633 | |
634 return NGX_CONF_ERROR; | |
635 } | |
636 | |
637 #endif |
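Review bot: The new ngx_ssl_crl() call at new line 457 sits inside the block that the old `}` at 456 used to close, so the CRL is only loaded when that enclosing condition holds — which, if it is the `if (conf->verify)` check that the preceding verify_depth call suggests, means an `ssl_crl` configured together with `ssl_verify_client off` is accepted by the parser and then silently never loaded. A comment on the call would make that dependency explicit: `/* CRL is only applied when client certificate verification is on; ssl_crl is ignored otherwise */`, and a config-time warning when conf->crl.len is non-zero but verification is off would make the misconfiguration visible. Separately, the SNI callback failure at new lines 409-412 is now a warning rather than an error; the message could also state the consequence, namely that every name-based SSL server on that listener will be served with the default server's certificate. The enclosing function and its `if` start outside this hunk.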