comparison src/stream/ngx_stream_ssl_module.c @ 7269:7f955d3b9a0d
SSL: detect "listen ... ssl" without certificates (ticket #178).
In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.
In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
a missing certificate is only fatal for default servers.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 24 Apr 2018 15:29:01 +0300 |
parents | 9d14931cec8c |
children | e970de27966a |
7268:0d8c72ff62dd | 7269:7f955d3b9a0d |
---|---|
302 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | 302 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); |
303 | 303 |
304 if (c->ssl == NULL) { | 304 if (c->ssl == NULL) { |
305 c->log->action = "SSL handshaking"; | 305 c->log->action = "SSL handshaking"; |
306 | 306 |
307 if (sslcf->ssl.ctx == NULL) { | |
308 ngx_log_error(NGX_LOG_ERR, c->log, 0, | |
309 "no \"ssl_certificate\" is defined " | |
310 "in server listening on SSL port"); | |
311 return NGX_ERROR; | |
312 } | |
313 | |
314 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); | 307 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
315 | 308 |
316 if (rv != NGX_OK) { | 309 if (rv != NGX_OK) { |
317 return rv; | 310 return rv; |
318 } | 311 } |
508 } | 501 } |
509 | 502 |
510 /* | 503 /* |
511 * set by ngx_pcalloc(): | 504 * set by ngx_pcalloc(): |
512 * | 505 * |
506 * scf->listen = 0; | |
513 * scf->protocols = 0; | 507 * scf->protocols = 0; |
514 * scf->dhparam = { 0, NULL }; | 508 * scf->dhparam = { 0, NULL }; |
515 * scf->ecdh_curve = { 0, NULL }; | 509 * scf->ecdh_curve = { 0, NULL }; |
516 * scf->client_certificate = { 0, NULL }; | 510 * scf->client_certificate = { 0, NULL }; |
517 * scf->trusted_certificate = { 0, NULL }; | 511 * scf->trusted_certificate = { 0, NULL }; |
580 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 574 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
581 | 575 |
582 | 576 |
583 conf->ssl.log = cf->log; | 577 conf->ssl.log = cf->log; |
584 | 578 |
579 if (!conf->listen) { | |
580 return NGX_CONF_OK; | |
581 } | |
582 | |
585 if (conf->certificates == NULL) { | 583 if (conf->certificates == NULL) { |
586 return NGX_CONF_OK; | 584 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
587 } | 585 "no \"ssl_certificate\" is defined for " |
588 | 586 "the \"listen ... ssl\" directive in %s:%ui", |
589 if (conf->certificate_keys == NULL | 587 conf->file, conf->line); |
590 || conf->certificate_keys->nelts < conf->certificates->nelts) | 588 return NGX_CONF_ERROR; |
591 { | 589 } |
590 | |
591 if (conf->certificate_keys == NULL) { | |
592 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
593 "no \"ssl_certificate_key\" is defined for " | |
594 "the \"listen ... ssl\" directive in %s:%ui", | |
595 conf->file, conf->line); | |
596 return NGX_CONF_ERROR; | |
597 } | |
598 | |
599 if (conf->certificate_keys->nelts < conf->certificates->nelts) { | |
592 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 600 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
593 "no \"ssl_certificate_key\" is defined " | 601 "no \"ssl_certificate_key\" is defined " |
594 "for certificate \"%V\"", | 602 "for certificate \"%V\" and " |
603 "the \"listen ... ssl\" directive in %s:%ui", | |
595 ((ngx_str_t *) conf->certificates->elts) | 604 ((ngx_str_t *) conf->certificates->elts) |
596 + conf->certificates->nelts - 1); | 605 + conf->certificates->nelts - 1, |
606 conf->file, conf->line); | |
597 return NGX_CONF_ERROR; | 607 return NGX_CONF_ERROR; |
598 } | 608 } |
599 | 609 |
600 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | 610 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
601 return NGX_CONF_ERROR; | 611 return NGX_CONF_ERROR; |