comparison src/stream/ngx_stream_ssl_module.c @ 7729:3bff3f397c05

SSL: ssl_conf_command directive. With the ssl_conf_command directive it is now possible to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html). In particular, this allows configuring PrioritizeChaCha option (ticket #1445): ssl_conf_command Options PrioritizeChaCha; It can also be used to configure TLSv1.3 ciphers in OpenSSL, which fails to configure them via the SSL_CTX_set_cipher_list() interface (ticket #1529): ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; Configuration commands are applied after nginx's own configuration for SSL, so they can be used to override anything set by nginx. Note though that configuring OpenSSL directly with ssl_conf_command might result in behaviour nginx does not expect, and should be done with care.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 22 Oct 2020 18:00:22 +0300
parents ef7ee19776db
children 7ce28b4cc57e
43 43
44 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, 44 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
45 void *conf); 45 void *conf);
46 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, 46 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
47 void *conf); 47 void *conf);
48
49 static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
50 void *data);
51
48 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf); 52 static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
49 53
50 54
51 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = { 55 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = {
52 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, 56 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
66 { ngx_string("optional_no_ca"), 3 }, 70 { ngx_string("optional_no_ca"), 3 },
67 { ngx_null_string, 0 } 71 { ngx_null_string, 0 }
68 }; 72 };
69 73
70 74
75 static ngx_conf_post_t ngx_stream_ssl_conf_command_post =
76 { ngx_stream_ssl_conf_command_check };
77
78
71 static ngx_command_t ngx_stream_ssl_commands[] = { 79 static ngx_command_t ngx_stream_ssl_commands[] = {
72 80
73 { ngx_string("ssl_handshake_timeout"), 81 { ngx_string("ssl_handshake_timeout"),
74 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, 82 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
75 ngx_conf_set_msec_slot, 83 ngx_conf_set_msec_slot,
193 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, 201 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
194 ngx_conf_set_str_slot, 202 ngx_conf_set_str_slot,
195 NGX_STREAM_SRV_CONF_OFFSET, 203 NGX_STREAM_SRV_CONF_OFFSET,
196 offsetof(ngx_stream_ssl_conf_t, crl), 204 offsetof(ngx_stream_ssl_conf_t, crl),
197 NULL }, 205 NULL },
206
207 { ngx_string("ssl_conf_command"),
208 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
209 ngx_conf_set_keyval_slot,
210 NGX_STREAM_SRV_CONF_OFFSET,
211 offsetof(ngx_stream_ssl_conf_t, conf_commands),
212 &ngx_stream_ssl_conf_command_post },
198 213
199 ngx_null_command 214 ngx_null_command
200 }; 215 };
201 216
202 217
593 608
594 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; 609 scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
595 scf->certificates = NGX_CONF_UNSET_PTR; 610 scf->certificates = NGX_CONF_UNSET_PTR;
596 scf->certificate_keys = NGX_CONF_UNSET_PTR; 611 scf->certificate_keys = NGX_CONF_UNSET_PTR;
597 scf->passwords = NGX_CONF_UNSET_PTR; 612 scf->passwords = NGX_CONF_UNSET_PTR;
613 scf->conf_commands = NGX_CONF_UNSET_PTR;
598 scf->prefer_server_ciphers = NGX_CONF_UNSET; 614 scf->prefer_server_ciphers = NGX_CONF_UNSET;
599 scf->verify = NGX_CONF_UNSET_UINT; 615 scf->verify = NGX_CONF_UNSET_UINT;
600 scf->verify_depth = NGX_CONF_UNSET_UINT; 616 scf->verify_depth = NGX_CONF_UNSET_UINT;
601 scf->builtin_session_cache = NGX_CONF_UNSET; 617 scf->builtin_session_cache = NGX_CONF_UNSET;
602 scf->session_timeout = NGX_CONF_UNSET; 618 scf->session_timeout = NGX_CONF_UNSET;
647 663
648 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, 664 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
649 NGX_DEFAULT_ECDH_CURVE); 665 NGX_DEFAULT_ECDH_CURVE);
650 666
651 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); 667 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
668
669 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
652 670
653 671
654 conf->ssl.log = cf->log; 672 conf->ssl.log = cf->log;
655 673
656 if (!conf->listen) { 674 if (!conf->listen) {
809 != NGX_OK) 827 != NGX_OK)
810 { 828 {
811 return NGX_CONF_ERROR; 829 return NGX_CONF_ERROR;
812 } 830 }
813 831
832 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
833 return NGX_CONF_ERROR;
834 }
835
814 return NGX_CONF_OK; 836 return NGX_CONF_OK;
815 } 837 }
816 838
817 839
818 static ngx_int_t 840 static ngx_int_t
1032 1054
1033 return NGX_CONF_ERROR; 1055 return NGX_CONF_ERROR;
1034 } 1056 }
1035 1057
1036 1058
1059 static char *
1060 ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
1061 {
1062 #ifndef SSL_CONF_FLAG_FILE
1063 return "is not supported on this platform";
1064 #endif
1065
1066 return NGX_CONF_OK;
1067 }
1068
1069
1037 static ngx_int_t 1070 static ngx_int_t
1038 ngx_stream_ssl_init(ngx_conf_t *cf) 1071 ngx_stream_ssl_init(ngx_conf_t *cf)
1039 { 1072 {
1040 ngx_stream_handler_pt *h; 1073 ngx_stream_handler_pt *h;
1041 ngx_stream_core_main_conf_t *cmcf; 1074 ngx_stream_core_main_conf_t *cmcf;
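Review bot: The call to ngx_ssl_conf_commands() added at the end of the merge handler is the only thing that makes "commands override anything nginx set" true, yet nothing in the code marks that ordering as load-bearing; a later edit that moves an ssl_* setup call below it would silently let nginx's own settings clobber an operator's explicit override. I would add `/* must stay last: SSL_CONF commands override every SSL_CTX setting made above */` directly above the `if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK)` line. Also worth documenting, since this directive can both harden and weaken a server (MinProtocol, Options -ServerPreference, Ciphersuites are all reachable): the `ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL)` line gives the usual nginx replace-on-override semantics, so a server block that sets any ssl_conf_command drops every command inherited from the stream block rather than appending to it — a one-line comment there would save operators from assuming main-level hardening commands still apply. The merge handler itself starts and ends outside the visible hunks, so I cannot confirm whether any other SSL setup follows the new call.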