comparison src/http/modules/ngx_http_ssl_module.c @ 4245:8d39230df833 stable-1.0
Merging r4034, r4186, r4187, r4229, r4235, r4237:
SSL related fixes:
*) Better handling of various per-server ssl options with SNI.
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).
As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them differently for two servers
listening on the same socket.
Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.
Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
*) Disabling SSL compression. This saves about 300K per SSL connection.
The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.
*) Releasing memory of idle SSL connection. This saves about 34K per SSL
connection. The SSL_MODE_RELEASE_BUFFERS option is available since
OpenSSL 1.0.0d.
*) Decrease of log level of some SSL handshake errors.
*) Fixed segfault on configuration testing with ssl (ticket #37).
The following config caused segmentation fault due to conf->file not
being properly set if "ssl on" was inherited from the http level:
    http {
        ssl on;
        server {
        }
    }
*) Silently ignoring a stale global SSL error left after disabled renegotiation.
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Tue, 01 Nov 2011 13:00:30 +0000 |
parents | 718f2154b813 |
children | efd515ace6bb |
4244:df9d3dd8cfc0 | 4245:8d39230df833 |
---|---|
344 ngx_http_ssl_srv_conf_t *prev = parent; | 344 ngx_http_ssl_srv_conf_t *prev = parent; |
345 ngx_http_ssl_srv_conf_t *conf = child; | 345 ngx_http_ssl_srv_conf_t *conf = child; |
346 | 346 |
347 ngx_pool_cleanup_t *cln; | 347 ngx_pool_cleanup_t *cln; |
348 | 348 |
349 ngx_conf_merge_value(conf->enable, prev->enable, 0); | 349 if (conf->enable == NGX_CONF_UNSET) { |
350 if (prev->enable == NGX_CONF_UNSET) { | |
351 conf->enable = 0; | |
352 | |
353 } else { | |
354 conf->enable = prev->enable; | |
355 conf->file = prev->file; | |
356 conf->line = prev->line; | |
357 } | |
358 } | |
350 | 359 |
351 ngx_conf_merge_value(conf->session_timeout, | 360 ngx_conf_merge_value(conf->session_timeout, |
352 prev->session_timeout, 300); | 361 prev->session_timeout, 300); |
353 | 362 |
354 ngx_conf_merge_value(conf->prefer_server_ciphers, | 363 ngx_conf_merge_value(conf->prefer_server_ciphers, |
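
Review bot: The open-coded merge of conf->enable (new lines 349-358) carries no comment explaining why conf->file and conf->line are copied alongside the flag, so a later cleanup could fold it back into `ngx_conf_merge_value(conf->enable, prev->enable, 0);` and silently lose the fix. The commit message says these fields were not properly set when "ssl on" was inherited from the http level, which caused the segfault on configuration testing; a short comment above `conf->file = prev->file;` stating that file and line must be inherited together with enable would protect the change. The else branch also copies file and line when prev->enable is an explicit 0, which looks harmless but is worth confirming against the code that consumes these fields, since that code is outside this hunk.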