comparison src/http/modules/ngx_http_ssl_module.c @ 547:818fbd4750b9 release-0.2.2
nginx-0.2.2-RELEASE import
*) Feature: the "config errmsg" command of the ngx_http_ssi_module.
*) Change: the ngx_http_geo_module variables can be overridden by the
"set" directive.
*) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers"
directives of the ngx_http_ssl_module and ngx_imap_ssl_module.
*) Bugfix: the ngx_http_autoindex_module did not show long file names
correctly;
*) Bugfix: the ngx_http_autoindex_module no longer shows files whose
names start with a dot.
*) Bugfix: if the SSL handshake failed then another connection may be
closed too.
Thanks to Rob Mueller.
*) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Fri, 30 Sep 2005 14:41:25 +0000 |
parents | 511a89da35ad |
children | 9c2f3ed7a247 |
546:a292162e6680 | 547:818fbd4750b9 |
---|---|
6 | 6 |
7 #include <ngx_config.h> | 7 #include <ngx_config.h> |
8 #include <ngx_core.h> | 8 #include <ngx_core.h> |
9 #include <ngx_http.h> | 9 #include <ngx_http.h> |
10 | 10 |
11 | |
12 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" | 11 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" |
13 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" | 12 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" |
13 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" | |
14 | 14 |
15 | 15 |
16 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); | 16 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); |
17 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, | 17 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, |
18 void *parent, void *child); | 18 void *parent, void *child); |
19 | 19 |
20 | 20 |
21 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | |
22 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
23 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
24 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
25 { ngx_null_string, 0 } | |
26 }; | |
27 | |
28 | |
21 static ngx_command_t ngx_http_ssl_commands[] = { | 29 static ngx_command_t ngx_http_ssl_commands[] = { |
22 | 30 |
23 { ngx_string("ssl"), | 31 { ngx_string("ssl"), |
24 NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 32 NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
25 ngx_conf_set_flag_slot, | 33 ngx_conf_set_flag_slot, |
39 ngx_conf_set_str_slot, | 47 ngx_conf_set_str_slot, |
40 NGX_HTTP_SRV_CONF_OFFSET, | 48 NGX_HTTP_SRV_CONF_OFFSET, |
41 offsetof(ngx_http_ssl_srv_conf_t, certificate_key), | 49 offsetof(ngx_http_ssl_srv_conf_t, certificate_key), |
42 NULL }, | 50 NULL }, |
43 | 51 |
52 { ngx_string("ssl_protocols"), | |
53 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
54 ngx_conf_set_bitmask_slot, | |
55 NGX_HTTP_SRV_CONF_OFFSET, | |
56 offsetof(ngx_http_ssl_srv_conf_t, protocols), | |
57 &ngx_http_ssl_protocols }, | |
58 | |
44 { ngx_string("ssl_ciphers"), | 59 { ngx_string("ssl_ciphers"), |
45 NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 60 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
46 ngx_conf_set_str_slot, | 61 ngx_conf_set_str_slot, |
47 NGX_HTTP_SRV_CONF_OFFSET, | 62 NGX_HTTP_SRV_CONF_OFFSET, |
48 offsetof(ngx_http_ssl_srv_conf_t, ciphers), | 63 offsetof(ngx_http_ssl_srv_conf_t, ciphers), |
64 NULL }, | |
65 | |
66 { ngx_string("ssl_prefer_server_ciphers"), | |
67 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
68 ngx_conf_set_flag_slot, | |
69 NGX_HTTP_SRV_CONF_OFFSET, | |
70 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | |
49 NULL }, | 71 NULL }, |
50 | 72 |
51 ngx_null_command | 73 ngx_null_command |
52 }; | 74 }; |
53 | 75 |
97 } | 119 } |
98 | 120 |
99 /* | 121 /* |
100 * set by ngx_pcalloc(): | 122 * set by ngx_pcalloc(): |
101 * | 123 * |
124 * scf->protocols = 0; | |
125 | |
102 * scf->certificate.len = 0; | 126 * scf->certificate.len = 0; |
103 * scf->certificate.data = NULL; | 127 * scf->certificate.data = NULL; |
104 * scf->certificate_key.len = 0; | 128 * scf->certificate_key.len = 0; |
105 * scf->certificate_key.data = NULL; | 129 * scf->certificate_key.data = NULL; |
106 * scf->ciphers.len = 0; | 130 * scf->ciphers.len = 0; |
107 * scf->ciphers.data = NULL; | 131 * scf->ciphers.data = NULL; |
108 */ | 132 */ |
109 | 133 |
110 scf->enable = NGX_CONF_UNSET; | 134 scf->enable = NGX_CONF_UNSET; |
135 scf->prefer_server_ciphers = NGX_CONF_UNSET; | |
111 | 136 |
112 return scf; | 137 return scf; |
113 } | 138 } |
114 | 139 |
115 | 140 |
123 | 148 |
124 if (conf->enable == 0) { | 149 if (conf->enable == 0) { |
125 return NGX_CONF_OK; | 150 return NGX_CONF_OK; |
126 } | 151 } |
127 | 152 |
153 ngx_conf_merge_value(conf->prefer_server_ciphers, | |
154 prev->prefer_server_ciphers, 0); | |
155 | |
156 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
157 (NGX_CONF_BITMASK_SET | |
158 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); | |
159 | |
128 ngx_conf_merge_str_value(conf->certificate, prev->certificate, | 160 ngx_conf_merge_str_value(conf->certificate, prev->certificate, |
129 NGX_DEFLAUT_CERTIFICATE); | 161 NGX_DEFLAUT_CERTIFICATE); |
130 | 162 |
131 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, | 163 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, |
132 NGX_DEFLAUT_CERTIFICATE_KEY); | 164 NGX_DEFLAUT_CERTIFICATE_KEY); |
133 | 165 |
134 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, ""); | 166 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); |
135 | 167 |
136 | 168 |
137 /* TODO: configure methods */ | 169 conf->ssl.log = cf->log; |
138 | 170 |
139 conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); | 171 if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) { |
140 | 172 return NGX_CONF_ERROR; |
141 if (conf->ssl_ctx == NULL) { | 173 } |
142 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed"); | 174 |
143 return NGX_CONF_ERROR; | 175 if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL) |
144 } | |
145 | |
146 if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx) | |
147 == NULL) | |
148 { | 176 { |
149 return NGX_CONF_ERROR; | 177 return NGX_CONF_ERROR; |
150 } | 178 } |
151 | 179 |
152 | 180 if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data, |
153 if (conf->ciphers.len) { | 181 conf->certificate_key.data) != NGX_OK) |
154 if (SSL_CTX_set_cipher_list(conf->ssl_ctx, | 182 { |
155 (const char *) conf->ciphers.data) == 0) | 183 return NGX_CONF_ERROR; |
156 { | 184 } |
157 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 185 |
158 "SSL_CTX_set_cipher_list(\"%V\") failed", | 186 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
159 &conf->ciphers); | 187 (const char *) conf->ciphers.data) == 0) |
160 } | |
161 } | |
162 | |
163 if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx, | |
164 (char *) conf->certificate.data) == 0) | |
165 { | 188 { |
166 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 189 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
167 "SSL_CTX_use_certificate_chain_file(\"%s\") failed", | 190 "SSL_CTX_set_cipher_list(\"%V\") failed", |
168 conf->certificate.data); | 191 &conf->ciphers); |
169 return NGX_CONF_ERROR; | 192 } |
170 } | 193 |
171 | 194 if (conf->prefer_server_ciphers) { |
172 if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx, | 195 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
173 (char *) conf->certificate_key.data, | 196 } |
174 SSL_FILETYPE_PEM) == 0) | 197 |
175 { | 198 /* a temporary 512-bit RSA key is required for export versions of MSIE */ |
176 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, | 199 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { |
177 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", | 200 return NGX_CONF_ERROR; |
178 conf->certificate_key.data); | 201 } |
179 return NGX_CONF_ERROR; | 202 |
180 } | 203 SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER); |
181 | 204 |
182 SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL); | 205 SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx, |
183 | |
184 SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
185 | |
186 SSL_CTX_set_read_ahead(conf->ssl_ctx, 1); | |
187 | |
188 SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER); | |
189 | |
190 SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_http_session_id_ctx, | |
191 sizeof(ngx_http_session_id_ctx) - 1); | 206 sizeof(ngx_http_session_id_ctx) - 1); |
192 | 207 |
193 return NGX_CONF_OK; | 208 return NGX_CONF_OK; |
194 } | 209 } |
195 | |
196 | |
197 #if 0 | |
198 | |
199 /* how to enumrate server' configs */ | |
200 | |
201 static ngx_int_t | |
202 ngx_http_ssl_init_process(ngx_cycle_t *cycle) | |
203 { | |
204 ngx_uint_t i; | |
205 ngx_http_ssl_srv_conf_t *sscf; | |
206 ngx_http_core_srv_conf_t **cscfp; | |
207 ngx_http_core_main_conf_t *cmcf; | |
208 | |
209 cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module); | |
210 | |
211 cscfp = cmcf->servers.elts; | |
212 | |
213 for (i = 0; i < cmcf->servers.nelts; i++) { | |
214 sscf = cscfp[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
215 | |
216 if (sscf->enable) { | |
217 cscfp[i]->recv = ngx_ssl_recv; | |
218 cscfp[i]->send_chain = ngx_ssl_send_chain; | |
219 } | |
220 } | |
221 | |
222 return NGX_OK; | |
223 } | |
224 | |
225 #endif |
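Review bot: The SSL_CTX_set_cipher_list() failure path in ngx_http_ssl_merge_srv_conf (new lines 186-192) logs at NGX_LOG_EMERG but does not return, so a bad cipher string — from `ssl_ciphers` or from NGX_DEFLAUT_CIPHERS — is reported and then ignored, and the context is left with whatever cipher list OpenSSL compiled in, unlike the ngx_ssl_certificate() failure just above it which returns NGX_CONF_ERROR. Add `return NGX_CONF_ERROR;` after that ngx_ssl_error() call so a cipher-policy misconfiguration fails startup instead of silently weakening the server. The new defaults also deserve a why-comment: NGX_DEFLAUT_CIPHERS ends in `+LOW:+SSLv2:+EXP` and the protocols mask merges to SSLv2|SSLv3|TLSv1, so a server negotiates SSLv2 and export-grade suites out of the box; if that is only to keep the export MSIE builds mentioned at the rsa512 comment working, say so next to the define, e.g. `/* LOW/EXP/SSLv2 are in the default list only for export-grade MSIE clients; drop them once those need not be supported */`. ngx_http_ssl_merge_srv_conf begins before the shown hunk, so I cannot see whether anything above the `conf->enable == 0` check bears on this.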