comparison src/http/modules/ngx_http_ssl_module.c @ 4875:386a06a22c40

OCSP stapling: loading OCSP responses. This includes the ssl_stapling_responder directive (defaults to the OCSP responder set in the certificate's AIA extension). The OCSP response for a given certificate is requested once we get at least one connection with the certificate_status extension in ClientHello, and the certificate status won't be sent in the connection in question. This is due to limitations in the OpenSSL API (the certificate status callback is blocking). Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't allow access to the certificate loaded via SSL_CTX.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 01 Oct 2012 12:47:55 +0000
parents dd74fd35ceb5
children 4a804fd04e6c
4874:d1a20423c425 4875:386a06a22c40
30 30
31 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, 31 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
32 void *conf); 32 void *conf);
33 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, 33 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
34 void *conf); 34 void *conf);
35
36 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
35 37
36 38
37 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { 39 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
38 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, 40 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
39 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, 41 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
171 ngx_conf_set_str_slot, 173 ngx_conf_set_str_slot,
172 NGX_HTTP_SRV_CONF_OFFSET, 174 NGX_HTTP_SRV_CONF_OFFSET,
173 offsetof(ngx_http_ssl_srv_conf_t, stapling_file), 175 offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
174 NULL }, 176 NULL },
175 177
178 { ngx_string("ssl_stapling_responder"),
179 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
180 ngx_conf_set_str_slot,
181 NGX_HTTP_SRV_CONF_OFFSET,
182 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
183 NULL },
184
176 ngx_null_command 185 ngx_null_command
177 }; 186 };
178 187
179 188
180 static ngx_http_module_t ngx_http_ssl_module_ctx = { 189 static ngx_http_module_t ngx_http_ssl_module_ctx = {
181 ngx_http_ssl_add_variables, /* preconfiguration */ 190 ngx_http_ssl_add_variables, /* preconfiguration */
182 NULL, /* postconfiguration */ 191 ngx_http_ssl_init, /* postconfiguration */
183 192
184 NULL, /* create main configuration */ 193 NULL, /* create main configuration */
185 NULL, /* init main configuration */ 194 NULL, /* init main configuration */
186 195
187 ngx_http_ssl_create_srv_conf, /* create server configuration */ 196 ngx_http_ssl_create_srv_conf, /* create server configuration */
349 * sscf->trusted_certificate = { 0, NULL }; 358 * sscf->trusted_certificate = { 0, NULL };
350 * sscf->crl = { 0, NULL }; 359 * sscf->crl = { 0, NULL };
351 * sscf->ciphers = { 0, NULL }; 360 * sscf->ciphers = { 0, NULL };
352 * sscf->shm_zone = NULL; 361 * sscf->shm_zone = NULL;
353 * sscf->stapling_file = { 0, NULL }; 362 * sscf->stapling_file = { 0, NULL };
363 * sscf->stapling_responder = { 0, NULL };
354 */ 364 */
355 365
356 sscf->enable = NGX_CONF_UNSET; 366 sscf->enable = NGX_CONF_UNSET;
357 sscf->prefer_server_ciphers = NGX_CONF_UNSET; 367 sscf->prefer_server_ciphers = NGX_CONF_UNSET;
358 sscf->verify = NGX_CONF_UNSET_UINT; 368 sscf->verify = NGX_CONF_UNSET_UINT;
413 423
414 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); 424 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
415 425
416 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); 426 ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
417 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); 427 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
428 ngx_conf_merge_str_value(conf->stapling_responder,
429 prev->stapling_responder, "");
418 430
419 conf->ssl.log = cf->log; 431 conf->ssl.log = cf->log;
420 432
421 if (conf->enable) { 433 if (conf->enable) {
422 434
549 != NGX_OK) 561 != NGX_OK)
550 { 562 {
551 return NGX_CONF_ERROR; 563 return NGX_CONF_ERROR;
552 } 564 }
553 565
554 if (conf->stapling 566 if (conf->stapling) {
555 && ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK) 567
556 { 568 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder,
557 return NGX_CONF_ERROR; 569 &conf->stapling_file)
570 != NGX_OK)
571 {
572 return NGX_CONF_ERROR;
573 }
574
558 } 575 }
559 576
560 return NGX_CONF_OK; 577 return NGX_CONF_OK;
561 } 578 }
562 579
690 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, 707 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
691 "invalid session cache \"%V\"", &value[i]); 708 "invalid session cache \"%V\"", &value[i]);
692 709
693 return NGX_CONF_ERROR; 710 return NGX_CONF_ERROR;
694 } 711 }
712
713
714 static ngx_int_t
715 ngx_http_ssl_init(ngx_conf_t *cf)
716 {
717 ngx_uint_t s;
718 ngx_http_ssl_srv_conf_t *sscf;
719 ngx_http_core_loc_conf_t *clcf;
720 ngx_http_core_srv_conf_t **cscfp;
721 ngx_http_core_main_conf_t *cmcf;
722
723 cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
724 cscfp = cmcf->servers.elts;
725
726 for (s = 0; s < cmcf->servers.nelts; s++) {
727
728 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
729
730 if (!sscf->stapling) {
731 continue;
732 }
733
734 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
735
736 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
737 clcf->resolver_timeout)
738 != NGX_OK)
739 {
740 return NGX_ERROR;
741 }
742 }
743
744 return NGX_OK;
745 }
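Review bot: ngx_http_ssl_init (new lines 714-745) gates only on `sscf->stapling`, but the merge path that actually calls ngx_ssl_stapling() (new lines 566-573) sits after the `if (conf->enable)` branching whose body is cut by the hunk, so a server that inherits `ssl_stapling on` from the http block without ever having its `ssl` context created can still reach ngx_ssl_stapling_resolver(). If that helper looks up per-context stapling state through `ssl->ctx` (its body is not on this page), that is a NULL dereference at configuration load instead of a clean error, and it can be triggered by a plain non-SSL server block under an http-level `ssl_stapling on`. Gate on the context as well: `if (!sscf->stapling || sscf->ssl.ctx == NULL) { continue; }`. It would also be worth emitting a configuration-time warning when `clcf->resolver` is NULL for a server whose stapling responder is a host name, since the deferred resolution can never succeed; whether that check belongs here or inside ngx_ssl_stapling_resolver() depends on code outside this hunk.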