Mercurial > hg > nginx

comparison src/event/ngx_event_openssl.c @ 7729:3bff3f397c05

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: ssl_conf_command directive. With the ssl_conf_command directive it is now possible to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html). In particular, this allows configuring PrioritizeChaCha option (ticket #1445): ssl_conf_command Options PrioritizeChaCha; It can be also used to configure TLSv1.3 ciphers in OpenSSL, which fails to configure them via the SSL_CTX_set_cipher_list() interface (ticket #1529): ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; Configuration commands are applied after nginx own configuration for SSL, so they can be used to override anything set by nginx. Note though that configuring OpenSSL directly with ssl_conf_command might result in a behaviour nginx does not expect, and should be done with care.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 22 Oct 2020 18:00:22 +0300
parents 052ecc68d350
children 59e1c73fe02b
comparison
equal deleted inserted replaced
7728:485dba3e2a01 7729:3bff3f397c05
1465 "\"ssl_early_data\" is not supported on this platform, " 1465 "\"ssl_early_data\" is not supported on this platform, "
1466 "ignored"); 1466 "ignored");
1467 #endif 1467 #endif
1468 1468
1469 return NGX_OK; 1469 return NGX_OK;
1470 }
1471
1472
1473 ngx_int_t
1474 ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands)
1475 {
1476 if (commands == NULL) {
1477 return NGX_OK;
1478 }
1479
1480 #ifdef SSL_CONF_FLAG_FILE
1481 {
1482 int type;
1483 u_char *key, *value;
1484 ngx_uint_t i;
1485 ngx_keyval_t *cmd;
1486 SSL_CONF_CTX *cctx;
1487
1488 cctx = SSL_CONF_CTX_new();
1489 if (cctx == NULL) {
1490 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1491 "SSL_CONF_CTX_new() failed");
1492 return NGX_ERROR;
1493 }
1494
1495 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
1496 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
1497 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
1498 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
1499 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
1500
1501 SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx);
1502
1503 cmd = commands->elts;
1504 for (i = 0; i < commands->nelts; i++) {
1505
1506 key = cmd[i].key.data;
1507 type = SSL_CONF_cmd_value_type(cctx, (char *) key);
1508
1509 if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) {
1510 if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) {
1511 SSL_CONF_CTX_free(cctx);
1512 return NGX_ERROR;
1513 }
1514 }
1515
1516 value = cmd[i].value.data;
1517
1518 if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) {
1519 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1520 "SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value);
1521 SSL_CONF_CTX_free(cctx);
1522 return NGX_ERROR;
1523 }
1524 }
1525
1526 if (SSL_CONF_CTX_finish(cctx) != 1) {
1527 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1528 "SSL_CONF_finish() failed");
1529 SSL_CONF_CTX_free(cctx);
1530 return NGX_ERROR;
1531 }
1532
1533 SSL_CONF_CTX_free(cctx);
1534
1535 return NGX_OK;
1536 }
1537 #else
1538 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
1539 "SSL_CONF_cmd() is not available on this platform");
1540 return NGX_ERROR;
1541 #endif
1470 } 1542 }
1471 1543
1472 1544
1473 ngx_int_t 1545 ngx_int_t
1474 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) 1546 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)