comparison src/stream/ngx_stream_ssl_module.c @ 7269:7f955d3b9a0d

SSL: detect "listen ... ssl" without certificates (ticket #178). In the mail and stream modules, a missing certificate is a fatal condition, much like with the "ssl" and "starttls" directives. In http, "listen ... ssl" can be used in a non-default server without certificates as long as there is a certificate in the default one, so a missing certificate is only fatal for default servers.
author Maxim Dounin <mdounin@mdounin.ru>
date Tue, 24 Apr 2018 15:29:01 +0300
parents 9d14931cec8c
children e970de27966a
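--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -302,17 +302,10 @@
 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
 
 if (c->ssl == NULL) {
 c->log->action = "SSL handshaking";
 
-if (sslcf->ssl.ctx == NULL) {
-ngx_log_error(NGX_LOG_ERR, c->log, 0,
-"no \"ssl_certificate\" is defined "
-"in server listening on SSL port");
-return NGX_ERROR;
-}
-
 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c);
 
 if (rv != NGX_OK) {
 return rv;
 }
@@ -508,10 +501,11 @@
 }
 
 /*
 * set by ngx_pcalloc():
 *
+* scf->listen = 0;
 * scf->protocols = 0;
 * scf->dhparam = { 0, NULL };
 * scf->ecdh_curve = { 0, NULL };
 * scf->client_certificate = { 0, NULL };
 * scf->trusted_certificate = { 0, NULL };
@@ -580,22 +574,38 @@
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
 conf->ssl.log = cf->log;
 
+if (!conf->listen) {
+return NGX_CONF_OK;
+}
+
 if (conf->certificates == NULL) {
-return NGX_CONF_OK;
-}
-
-if (conf->certificate_keys == NULL
-|| conf->certificate_keys->nelts < conf->certificates->nelts)
-{
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"ssl_certificate\" is defined for "
+"the \"listen ... ssl\" directive in %s:%ui",
+conf->file, conf->line);
+return NGX_CONF_ERROR;
+}
+
+if (conf->certificate_keys == NULL) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"ssl_certificate_key\" is defined for "
+"the \"listen ... ssl\" directive in %s:%ui",
+conf->file, conf->line);
+return NGX_CONF_ERROR;
+}
+
+if (conf->certificate_keys->nelts < conf->certificates->nelts) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"ssl_certificate_key\" is defined "
-"for certificate \"%V\"",
+"for certificate \"%V\" and "
+"the \"listen ... ssl\" directive in %s:%ui",
 ((ngx_str_t *) conf->certificates->elts)
-+ conf->certificates->nelts - 1);
++ conf->certificates->nelts - 1,
+conf->file, conf->line);
 return NGX_CONF_ERROR;
 }
 
 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
 return NGX_CONF_ERROR;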
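Review bot: The first hunk drops the runtime `sslcf->ssl.ctx == NULL` guard before `ngx_stream_ssl_init_connection(&sslcf->ssl, c)`, so the handshake path now depends entirely on the invariant established at configuration time in the third hunk (every server whose `listen` carries `ssl` either has a created context or fails startup), and nothing in the hunk records that dependency. If `conf->listen` can be left unset for a server that still reaches this handler, or a later change reintroduces a path that skips `ngx_ssl_create()`, the init call would presumably run with a NULL context; a comment at the former check site makes the assumption auditable: `/* ssl.ctx is guaranteed by the srv conf merge: "listen ... ssl" without certificates is a fatal configuration error */`. The enclosing function starts and ends outside the hunk.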