comparison src/mail/ngx_mail_auth_http_module.c @ 7905:13d0c1d26d47
Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134).
This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to
the mail proxy auth protocol when SSL is enabled.
This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions or remove support for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.
author | Rob Mueller <robm@fastmail.fm> |
---|---|
date | Fri, 13 Aug 2021 03:57:47 -0400 |
parents | 777373b5a169 |
children | 46ecad404a29 |
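--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -1135,12 +1135,12 @@
 size_t len;
 ngx_buf_t *b;
 ngx_str_t login, passwd;
 ngx_connection_t *c;
 #if (NGX_MAIL_SSL)
-ngx_str_t verify, subject, issuer, serial, fingerprint,
-raw_cert, cert;
+ngx_str_t protocol, cipher, verify, subject, issuer,
+serial, fingerprint, raw_cert, cert;
 ngx_mail_ssl_conf_t *sslcf;
 #endif
 ngx_mail_core_srv_conf_t *cscf;
 
 if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) {
@@ -1152,10 +1152,29 @@
 }
 
 c = s->connection;
 
 #if (NGX_MAIL_SSL)
+
+if (c->ssl) {
+
+if (ngx_ssl_get_protocol(c, pool, &protocol) != NGX_OK) {
+return NULL;
+}
+
+protocol.len = ngx_strlen(protocol.data);
+
+if (ngx_ssl_get_cipher_name(c, pool, &cipher) != NGX_OK) {
+return NULL;
+}
+
+cipher.len = ngx_strlen(cipher.data);
+
+} else {
+ngx_str_null(&protocol);
+ngx_str_null(&cipher);
+}
 
 sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
 
 if (c->ssl && sslcf->verify) {
 
@@ -1250,10 +1269,14 @@
 
 #if (NGX_MAIL_SSL)
 
 if (c->ssl) {
 len += sizeof("Auth-SSL: on" CRLF) - 1
++ sizeof("Auth-SSL-Protocol: ") - 1 + protocol.len
++ sizeof(CRLF) - 1
++ sizeof("Auth-SSL-Cipher: ") - 1 + cipher.len
++ sizeof(CRLF) - 1
 + sizeof("Auth-SSL-Verify: ") - 1 + verify.len
 + sizeof(CRLF) - 1
 + sizeof("Auth-SSL-Subject: ") - 1 + subject.len
 + sizeof(CRLF) - 1
 + sizeof("Auth-SSL-Issuer: ") - 1 + issuer.len
@@ -1371,10 +1394,24 @@
 
 if (c->ssl) {
 b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
 sizeof("Auth-SSL: on" CRLF) - 1);
 
+if (protocol.len) {
+b->last = ngx_cpymem(b->last, "Auth-SSL-Protocol: ",
+sizeof("Auth-SSL-Protocol: ") - 1);
+b->last = ngx_copy(b->last, protocol.data, protocol.len);
+*b->last++ = CR; *b->last++ = LF;
+}
+
+if (cipher.len) {
+b->last = ngx_cpymem(b->last, "Auth-SSL-Cipher: ",
+sizeof("Auth-SSL-Cipher: ") - 1);
+b->last = ngx_copy(b->last, cipher.data, cipher.len);
+*b->last++ = CR; *b->last++ = LF;
+}
+
 if (verify.len) {
 b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
 sizeof("Auth-SSL-Verify: ") - 1);
 b->last = ngx_copy(b->last, verify.data, verify.len);
 *b->last++ = CR; *b->last++ = LF;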
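Review bot: The `protocol` and `cipher` strings are written into the auth request with `ngx_copy()` in the `if (protocol.len)` and `if (cipher.len)` blocks without passing through `ngx_mail_auth_http_escape()`, which this function applies to `s->login`. That is safe only if both values are fixed names supplied by the TLS library and can never contain CR or LF; the getters are defined outside this diff, so the assumption should be confirmed and recorded where the values are fetched, for example `/* library-provided, NUL-terminated names, never client-controlled bytes: copied unescaped */` above the `ngx_ssl_get_protocol()` call. The same comment would explain why `len` is filled in with `ngx_strlen()` after each getter, which presumably sets only `data`. The enclosing function starts and ends outside the lines shown.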