comparison src/http/modules/ngx_http_ssl_module.c @ 6550:51e1f047d15d
SSL: support for multiple certificates (ticket #814).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | c256dfdd469d |
children | 2014ed60f17f |
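--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -79,20 +79,20 @@
 offsetof(ngx_http_ssl_srv_conf_t, enable),
 NULL },
 
 { ngx_string("ssl_certificate"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
-ngx_conf_set_str_slot,
+ngx_conf_set_str_array_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
-offsetof(ngx_http_ssl_srv_conf_t, certificate),
+offsetof(ngx_http_ssl_srv_conf_t, certificates),
 NULL },
 
 { ngx_string("ssl_certificate_key"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
-ngx_conf_set_str_slot,
+ngx_conf_set_str_array_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
-offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
+offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
 NULL },
 
 { ngx_string("ssl_password_file"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_http_ssl_password_file,
@@ -506,12 +506,10 @@
 
 /*
 * set by ngx_pcalloc():
 *
 * sscf->protocols = 0;
-* sscf->certificate = { 0, NULL };
-* sscf->certificate_key = { 0, NULL };
 * sscf->dhparam = { 0, NULL };
 * sscf->ecdh_curve = { 0, NULL };
 * sscf->client_certificate = { 0, NULL };
 * sscf->trusted_certificate = { 0, NULL };
 * sscf->crl = { 0, NULL };
@@ -524,10 +522,12 @@
 sscf->enable = NGX_CONF_UNSET;
 sscf->prefer_server_ciphers = NGX_CONF_UNSET;
 sscf->buffer_size = NGX_CONF_UNSET_SIZE;
 sscf->verify = NGX_CONF_UNSET_UINT;
 sscf->verify_depth = NGX_CONF_UNSET_UINT;
+sscf->certificates = NGX_CONF_UNSET_PTR;
+sscf->certificate_keys = NGX_CONF_UNSET_PTR;
 sscf->passwords = NGX_CONF_UNSET_PTR;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
 sscf->session_tickets = NGX_CONF_UNSET;
 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
@@ -571,12 +571,13 @@
 NGX_SSL_BUFSIZE);
 
 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 
-ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
-ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
+ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
+NULL);
 
 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
 
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
@@ -599,36 +600,51 @@
 
 conf->ssl.log = cf->log;
 
 if (conf->enable) {
 
-if (conf->certificate.len == 0) {
+if (conf->certificates == NULL) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"ssl_certificate\" is defined for "
 "the \"ssl\" directive in %s:%ui",
 conf->file, conf->line);
 return NGX_CONF_ERROR;
 }
 
-if (conf->certificate_key.len == 0) {
+if (conf->certificate_keys == NULL) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"ssl_certificate_key\" is defined for "
 "the \"ssl\" directive in %s:%ui",
 conf->file, conf->line);
 return NGX_CONF_ERROR;
 }
 
-} else {
-
-if (conf->certificate.len == 0) {
-return NGX_CONF_OK;
-}
-
-if (conf->certificate_key.len == 0) {
+if (conf->certificate_keys->nelts < conf->certificates->nelts) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"ssl_certificate_key\" is defined "
-"for certificate \"%V\"", &conf->certificate);
+"for certificate \"%V\" and "
+"the \"ssl\" directive in %s:%ui",
+((ngx_str_t *) conf->certificates->elts)
++ conf->certificates->nelts - 1,
+conf->file, conf->line);
+return NGX_CONF_ERROR;
+}
+
+} else {
+
+if (conf->certificates == NULL) {
+return NGX_CONF_OK;
+}
+
+if (conf->certificate_keys == NULL
+|| conf->certificate_keys->nelts < conf->certificates->nelts)
+{
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"ssl_certificate_key\" is defined "
+"for certificate \"%V\"",
+((ngx_str_t *) conf->certificates->elts)
++ conf->certificates->nelts - 1);
 return NGX_CONF_ERROR;
 }
 }
 
 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
@@ -664,12 +680,12 @@
 }
 
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = &conf->ssl;
 
-if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
-&conf->certificate_key, conf->passwords)
+if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+conf->certificate_keys, conf->passwords)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
 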
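Review bot: Both count checks in the `conf->enable` branches compare with `nelts <`, so a configuration with more `ssl_certificate_key` entries than `ssl_certificate` entries is accepted without any message. The two arrays are merged independently from `prev` and handed to `ngx_ssl_certificates()`, which presumably pairs them by index, so a surplus key (set locally or inherited) would leave a key file configured but unused. Rejecting that at merge time would surface the mistake, for example an extra `if (conf->certificate_keys->nelts > conf->certificates->nelts)` branch that logs at `NGX_LOG_EMERG` and returns `NGX_CONF_ERROR`. The existing message also names the last certificate (`elts + nelts - 1`) rather than the first one without a key, which sits at index `conf->certificate_keys->nelts` (0 when the key array is NULL). The enclosing merge function starts and ends outside the lines shown.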