Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 4245:8d39230df833 stable-1.0
Merging r4034, r4186, r4187, r4229, r4235, r4237:
SSL related fixes:
*) Better handling of various per-server ssl options with SNI.
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).
As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them different for two servers
listening on the same socket.
Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.
Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
*) Disabling SSL compression. This saves about 300K per SSL connection.
The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.
*) Releasing memory of idle SSL connection. This saves about 34K per SSL
connection. The SSL_MODE_RELEASE_BUFFERS option is available since
OpenSSL 1.0.0d.
*) Decrease of log level of some SSL handshake errors.
*) Fixed segfault on configuration testing with ssl (ticket #37).
The following config caused segmentation fault due to conf->file not
being properly set if "ssl on" was inherited from the http level:
http {
ssl on;
server {
}
}
*) Silently ignoring a stale global SSL error left after disabled renegotiation.
| author | Igor Sysoev <igor@sysoev.ru> |
|---|---|
| date | Tue, 01 Nov 2011 13:00:30 +0000 |
| parents | 88369902edb1 |
| children | fd40c9ef750d |
comparison
equal
deleted
inserted
replaced
| 4244:df9d3dd8cfc0 | 4245:8d39230df833 |
|---|---|
| 173 | 173 |
| 174 if (ngx_ssl_protocols[protocols >> 1] != 0) { | 174 if (ngx_ssl_protocols[protocols >> 1] != 0) { |
| 175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); | 175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); |
| 176 } | 176 } |
| 177 | 177 |
| 178 #ifdef SSL_OP_NO_COMPRESSION | |
| 179 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); | |
| 180 #endif | |
| 181 | |
| 182 #ifdef SSL_MODE_RELEASE_BUFFERS | |
| 183 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); | |
| 184 #endif | |
| 185 | |
| 178 SSL_CTX_set_read_ahead(ssl->ctx, 1); | 186 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
| 179 | 187 |
| 180 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); | 188 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); |
| 181 | 189 |
| 182 return NGX_OK; | 190 return NGX_OK; |
| 853 * renegotiation gracefully, so drop connection here | 861 * renegotiation gracefully, so drop connection here |
| 854 */ | 862 */ |
| 855 | 863 |
| 856 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); | 864 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
| 857 | 865 |
| 866 while (ERR_peek_error()) { | |
| 867 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, | |
| 868 "ignoring stale global SSL error"); | |
| 869 } | |
| 870 | |
| 871 ERR_clear_error(); | |
| 872 | |
| 858 c->ssl->no_wait_shutdown = 1; | 873 c->ssl->no_wait_shutdown = 1; |
| 859 c->ssl->no_send_shutdown = 1; | 874 c->ssl->no_send_shutdown = 1; |
| 860 | 875 |
| 861 return NGX_ERROR; | 876 return NGX_ERROR; |
| 862 } | 877 } |
| 1342 } else if (sslerr == SSL_ERROR_SSL) { | 1357 } else if (sslerr == SSL_ERROR_SSL) { |
| 1343 | 1358 |
| 1344 n = ERR_GET_REASON(ERR_peek_error()); | 1359 n = ERR_GET_REASON(ERR_peek_error()); |
| 1345 | 1360 |
| 1346 /* handshake failures */ | 1361 /* handshake failures */ |
| 1347 if (n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ | 1362 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ |
| 1363 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ | |
| 1348 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ | 1364 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
| 1365 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ | |
| 1366 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ | |
| 1349 || n == SSL_R_LENGTH_MISMATCH /* 159 */ | 1367 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
| 1350 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ | 1368 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
| 1351 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ | 1369 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
| 1370 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ | |
| 1352 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ | 1371 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
| 1353 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ | 1372 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
| 1373 #ifdef SSL_R_PARSE_TLSEXT | |
| 1374 || n == SSL_R_PARSE_TLSEXT /* 227 */ | |
| 1375 #endif | |
| 1354 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ | 1376 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
| 1355 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ | 1377 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
| 1356 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ | 1378 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
| 1357 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ | 1379 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
| 1358 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ | 1380 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
| 1359 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ | 1381 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
| 1382 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG | |
| 1383 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ | |
| 1384 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ | |
| 1385 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ | |
| 1386 #endif | |
| 1387 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED | |
| 1388 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ | |
| 1389 #endif | |
| 1390 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING | |
| 1391 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ | |
| 1392 #endif | |
| 1360 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ | 1393 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
| 1361 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ | 1394 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
| 1362 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ | 1395 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
| 1363 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ | 1396 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
| 1364 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ | 1397 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |