Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 5425:1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.
ssl_session_ticket_key session_tickets/current.key;
ssl_session_ticket_key session_tickets/prev-1h.key;
ssl_session_ticket_key session_tickets/prev-2h.key;
Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
| author | Piotr Sikora <piotr@cloudflare.com> |
|---|---|
| date | Fri, 11 Oct 2013 16:05:24 -0700 |
| parents | 0fbcfab0bfd7 |
| children | a297b7ad6f94 |
comparison
equal
deleted
inserted
replaced
| 5424:767aa37f12de | 5425:1356a3b96924 |
|---|---|
| 149 { ngx_string("ssl_session_cache"), | 149 { ngx_string("ssl_session_cache"), |
| 150 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | 150 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, |
| 151 ngx_http_ssl_session_cache, | 151 ngx_http_ssl_session_cache, |
| 152 NGX_HTTP_SRV_CONF_OFFSET, | 152 NGX_HTTP_SRV_CONF_OFFSET, |
| 153 0, | 153 0, |
| 154 NULL }, | |
| 155 | |
| 156 { ngx_string("ssl_session_ticket_key"), | |
| 157 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
| 158 ngx_conf_set_str_array_slot, | |
| 159 NGX_HTTP_SRV_CONF_OFFSET, | |
| 160 offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys), | |
| 154 NULL }, | 161 NULL }, |
| 155 | 162 |
| 156 { ngx_string("ssl_session_timeout"), | 163 { ngx_string("ssl_session_timeout"), |
| 157 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 164 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
| 158 ngx_conf_set_sec_slot, | 165 ngx_conf_set_sec_slot, |
| 419 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | 426 sscf->prefer_server_ciphers = NGX_CONF_UNSET; |
| 420 sscf->verify = NGX_CONF_UNSET_UINT; | 427 sscf->verify = NGX_CONF_UNSET_UINT; |
| 421 sscf->verify_depth = NGX_CONF_UNSET_UINT; | 428 sscf->verify_depth = NGX_CONF_UNSET_UINT; |
| 422 sscf->builtin_session_cache = NGX_CONF_UNSET; | 429 sscf->builtin_session_cache = NGX_CONF_UNSET; |
| 423 sscf->session_timeout = NGX_CONF_UNSET; | 430 sscf->session_timeout = NGX_CONF_UNSET; |
| 431 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; | |
| 424 sscf->stapling = NGX_CONF_UNSET; | 432 sscf->stapling = NGX_CONF_UNSET; |
| 425 sscf->stapling_verify = NGX_CONF_UNSET; | 433 sscf->stapling_verify = NGX_CONF_UNSET; |
| 426 | 434 |
| 427 return sscf; | 435 return sscf; |
| 428 } | 436 } |
| 621 != NGX_OK) | 629 != NGX_OK) |
| 622 { | 630 { |
| 623 return NGX_CONF_ERROR; | 631 return NGX_CONF_ERROR; |
| 624 } | 632 } |
| 625 | 633 |
| 634 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | |
| 635 prev->session_ticket_keys, NULL); | |
| 636 | |
| 637 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | |
| 638 != NGX_OK) | |
| 639 { | |
| 640 return NGX_CONF_ERROR; | |
| 641 } | |
| 642 | |
| 626 if (conf->stapling) { | 643 if (conf->stapling) { |
| 627 | 644 |
| 628 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, | 645 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, |
| 629 &conf->stapling_responder, conf->stapling_verify) | 646 &conf->stapling_responder, conf->stapling_verify) |
| 630 != NGX_OK) | 647 != NGX_OK) |