Mercurial > hg > nginx
comparison src/stream/ngx_stream_ssl_module.c @ 6550:51e1f047d15d
SSL: support for multiple certificates (ticket #814).
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 19 May 2016 14:46:32 +0300 |
| parents | c256dfdd469d |
| children | 2014ed60f17f |
comparison
equal
deleted
inserted
replaced
| 6549:d3302eb87a0c | 6550:51e1f047d15d |
|---|---|
| 43 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), | 43 offsetof(ngx_stream_ssl_conf_t, handshake_timeout), |
| 44 NULL }, | 44 NULL }, |
| 45 | 45 |
| 46 { ngx_string("ssl_certificate"), | 46 { ngx_string("ssl_certificate"), |
| 47 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | 47 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
| 48 ngx_conf_set_str_slot, | 48 ngx_conf_set_str_array_slot, |
| 49 NGX_STREAM_SRV_CONF_OFFSET, | 49 NGX_STREAM_SRV_CONF_OFFSET, |
| 50 offsetof(ngx_stream_ssl_conf_t, certificate), | 50 offsetof(ngx_stream_ssl_conf_t, certificates), |
| 51 NULL }, | 51 NULL }, |
| 52 | 52 |
| 53 { ngx_string("ssl_certificate_key"), | 53 { ngx_string("ssl_certificate_key"), |
| 54 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | 54 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
| 55 ngx_conf_set_str_slot, | 55 ngx_conf_set_str_array_slot, |
| 56 NGX_STREAM_SRV_CONF_OFFSET, | 56 NGX_STREAM_SRV_CONF_OFFSET, |
| 57 offsetof(ngx_stream_ssl_conf_t, certificate_key), | 57 offsetof(ngx_stream_ssl_conf_t, certificate_keys), |
| 58 NULL }, | 58 NULL }, |
| 59 | 59 |
| 60 { ngx_string("ssl_password_file"), | 60 { ngx_string("ssl_password_file"), |
| 61 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | 61 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
| 62 ngx_stream_ssl_password_file, | 62 ngx_stream_ssl_password_file, |
| 173 | 173 |
| 174 /* | 174 /* |
| 175 * set by ngx_pcalloc(): | 175 * set by ngx_pcalloc(): |
| 176 * | 176 * |
| 177 * scf->protocols = 0; | 177 * scf->protocols = 0; |
| 178 * scf->certificate = { 0, NULL }; | |
| 179 * scf->certificate_key = { 0, NULL }; | |
| 180 * scf->dhparam = { 0, NULL }; | 178 * scf->dhparam = { 0, NULL }; |
| 181 * scf->ecdh_curve = { 0, NULL }; | 179 * scf->ecdh_curve = { 0, NULL }; |
| 182 * scf->ciphers = { 0, NULL }; | 180 * scf->ciphers = { 0, NULL }; |
| 183 * scf->shm_zone = NULL; | 181 * scf->shm_zone = NULL; |
| 184 */ | 182 */ |
| 185 | 183 |
| 186 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | 184 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; |
| 185 scf->certificates = NGX_CONF_UNSET_PTR; | |
| 186 scf->certificate_keys = NGX_CONF_UNSET_PTR; | |
| 187 scf->passwords = NGX_CONF_UNSET_PTR; | 187 scf->passwords = NGX_CONF_UNSET_PTR; |
| 188 scf->prefer_server_ciphers = NGX_CONF_UNSET; | 188 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
| 189 scf->builtin_session_cache = NGX_CONF_UNSET; | 189 scf->builtin_session_cache = NGX_CONF_UNSET; |
| 190 scf->session_timeout = NGX_CONF_UNSET; | 190 scf->session_timeout = NGX_CONF_UNSET; |
| 191 scf->session_tickets = NGX_CONF_UNSET; | 191 scf->session_tickets = NGX_CONF_UNSET; |
| 214 | 214 |
| 215 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | 215 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
| 216 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 | 216 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
| 217 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); | 217 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 218 | 218 |
| 219 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); | 219 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
| 220 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | 220 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
| 221 NULL); | |
| 221 | 222 |
| 222 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | 223 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
| 223 | 224 |
| 224 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 225 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
| 225 | 226 |
| 229 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 230 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 230 | 231 |
| 231 | 232 |
| 232 conf->ssl.log = cf->log; | 233 conf->ssl.log = cf->log; |
| 233 | 234 |
| 234 if (conf->certificate.len == 0) { | 235 if (conf->certificates == NULL) { |
| 235 return NGX_CONF_OK; | 236 return NGX_CONF_OK; |
| 236 } | 237 } |
| 237 | 238 |
| 238 if (conf->certificate_key.len == 0) { | 239 if (conf->certificate_keys == NULL |
| 240 || conf->certificate_keys->nelts < conf->certificates->nelts) | |
| 241 { | |
| 239 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 242 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 240 "no \"ssl_certificate_key\" is defined " | 243 "no \"ssl_certificate_key\" is defined " |
| 241 "for certificate \"%V\"", | 244 "for certificate \"%V\"", |
| 242 &conf->certificate); | 245 ((ngx_str_t *) conf->certificates->elts) |
| 246 + conf->certificates->nelts - 1); | |
| 243 return NGX_CONF_ERROR; | 247 return NGX_CONF_ERROR; |
| 244 } | 248 } |
| 245 | 249 |
| 246 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | 250 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
| 247 return NGX_CONF_ERROR; | 251 return NGX_CONF_ERROR; |
| 253 } | 257 } |
| 254 | 258 |
| 255 cln->handler = ngx_ssl_cleanup_ctx; | 259 cln->handler = ngx_ssl_cleanup_ctx; |
| 256 cln->data = &conf->ssl; | 260 cln->data = &conf->ssl; |
| 257 | 261 |
| 258 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | 262 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
| 259 &conf->certificate_key, conf->passwords) | 263 conf->certificate_keys, conf->passwords) |
| 260 != NGX_OK) | 264 != NGX_OK) |
| 261 { | 265 { |
| 262 return NGX_CONF_ERROR; | 266 return NGX_CONF_ERROR; |
| 263 } | 267 } |
| 264 | 268 |