nginx: src/http/modules/ngx_http_ssl

comparison src/http/modules/ngx_http_ssl_module.c @ 7729:3bff3f397c05

SSL: ssl_conf_command directive. With the ssl_conf_command directive it is now possible to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html). In particular, this allows configuring PrioritizeChaCha option (ticket #1445): ssl_conf_command Options PrioritizeChaCha; It can be also used to configure TLSv1.3 ciphers in OpenSSL, which fails to configure them via the SSL_CTX_set_cipher_list() interface (ticket #1529): ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; Configuration commands are applied after nginx own configuration for SSL, so they can be used to override anything set by nginx. Note though that configuring OpenSSL directly with ssl_conf_command might result in a behaviour nginx does not expect, and should be done with care.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 22 Oct 2020 18:00:22 +0300
parents	b56f725dd4bb
children	59e1c73fe02b

comparison

equal deleted inserted replaced

-:485dba3e2a01
+:3bff3f397c05
 void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
+static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+void *data);
 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
 static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
 static ngx_conf_deprecated_t  ngx_http_ssl_deprecated = {
 ngx_conf_deprecated, "ssl", "listen ... ssl"
 };
+static ngx_conf_post_t  ngx_http_ssl_conf_command_post =
+{ ngx_http_ssl_conf_command_check };
 static ngx_command_t  ngx_http_ssl_commands[] = {
 { ngx_string("ssl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_http_ssl_enable,
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, early_data),
 NULL },
+{ ngx_string("ssl_conf_command"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
+ngx_conf_set_keyval_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
+&ngx_http_ssl_conf_command_post },
 ngx_null_command
 };
 sscf->verify = NGX_CONF_UNSET_UINT;
 sscf->verify_depth = NGX_CONF_UNSET_UINT;
 sscf->certificates = NGX_CONF_UNSET_PTR;
 sscf->certificate_keys = NGX_CONF_UNSET_PTR;
 sscf->passwords = NGX_CONF_UNSET_PTR;
+sscf->conf_commands = NGX_CONF_UNSET_PTR;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
 sscf->session_tickets = NGX_CONF_UNSET;
 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
 sscf->ocsp = NGX_CONF_UNSET_UINT;
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
 prev->ocsp_cache_zone, NULL);
 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
+if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
 return NGX_CONF_OK;
 }
 static ngx_int_t
 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
 "invalid OCSP cache \"%V\"", &value[1]);
 return NGX_CONF_ERROR;
+}
+static char *
+ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+return "is not supported on this platform";
+#endif
+return NGX_CONF_OK;
 }
 static ngx_int_t
 ngx_http_ssl_init(ngx_conf_t *cf)

Mercurial > hg > nginx

comparison src/http/modules/ngx_http_ssl_module.c @ 7729:3bff3f397c05