comparison src/http/modules/ngx_http_ssl_module.c @ 647:95d7da23ea53 release-0.3.45
nginx-0.3.45-RELEASE import
*) Feature: the "ssl_verify_client", "ssl_verify_depth", and
"ssl_client_certificate" directives.
*) Change: the $request_method variable now returns the main request
method.
*) Change: the ° symbol codes were changed in koi-win conversion
table.
*) Feature: the euro and N symbols were added to koi-win conversion
table.
*) Bugfix: if nginx distributed the requests among several backends and
some backend failed, then requests intended for this backend were
directed to one live backend only instead of being distributed among
the rest.
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Sat, 06 May 2006 16:28:56 +0000 |
parents | e60fe4cf1d4e |
children | 63a820b0bc6c |
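--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -16,10 +16,14 @@
 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem"
 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 
 
 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
+ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_ssl_client_s_dn(ngx_http_request_t *r,
+ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_ssl_client_i_dn(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
 
 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
@@ -41,11 +45,10 @@
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_null_string, 0 }
 };
 
 
-
 static ngx_command_t ngx_http_ssl_commands[] = {
 
 { ngx_string("ssl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
@@ -77,10 +80,31 @@
 { ngx_string("ssl_ciphers"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, ciphers),
+NULL },
+
+{ ngx_string("ssl_verify_client"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
+ngx_conf_set_flag_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, verify),
+NULL },
+
+{ ngx_string("ssl_verify_depth"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
+ngx_conf_set_num_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
+NULL },
+
+{ ngx_string("ssl_client_certificate"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
 NULL },
 
 { ngx_string("ssl_prefer_server_ciphers"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
@@ -140,10 +164,16 @@
 (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGABLE, 0 },
 
 { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGABLE, 0 },
 
+{ ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_client_s_dn,
+0, NGX_HTTP_VAR_CHANGABLE, 0 },
+
+{ ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_client_i_dn,
+0, NGX_HTTP_VAR_CHANGABLE, 0 },
+
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
 
 
 static u_char ngx_http_session_id_ctx[] = "HTTP";
@@ -178,10 +208,62 @@
 return NGX_OK;
 }
 
 
 static ngx_int_t
+ngx_http_ssl_client_s_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v,
+uintptr_t data)
+{
+if (r->connection->ssl) {
+if (ngx_ssl_get_subject_dn(r->connection, r->pool, (ngx_str_t *) v)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
+if (v->len) {
+v->valid = 1;
+v->no_cachable = 0;
+v->not_found = 0;
+
+return NGX_OK;
+}
+}
+
+v->not_found = 1;
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_ssl_client_i_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v,
+uintptr_t data)
+{
+if (r->connection->ssl) {
+if (ngx_ssl_get_issuer_dn(r->connection, r->pool, (ngx_str_t *) v)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
+if (v->len) {
+v->valid = 1;
+v->no_cachable = 0;
+v->not_found = 0;
+
+return NGX_OK;
+}
+}
+
+v->not_found = 1;
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_http_ssl_add_variables(ngx_conf_t *cf)
 {
 ngx_http_variable_t *var, *v;
 
 for (v = ngx_http_ssl_vars; v->name.len; v++) {
@@ -215,16 +297,20 @@
 
 * scf->certificate.len = 0;
 * scf->certificate.data = NULL;
 * scf->certificate_key.len = 0;
 * scf->certificate_key.data = NULL;
+* scf->client_certificate.len = 0;
+* scf->client_certificate.data = NULL;
 * scf->ciphers.len = 0;
 * scf->ciphers.data = NULL;
 */
 
 scf->enable = NGX_CONF_UNSET;
 scf->session_timeout = NGX_CONF_UNSET;
+scf->verify = NGX_CONF_UNSET;
+scf->verify_depth = NGX_CONF_UNSET;
 scf->prefer_server_ciphers = NGX_CONF_UNSET;
 
 return scf;
 }
 
@@ -251,15 +337,21 @@
 
 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 (NGX_CONF_BITMASK_SET
 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
 
+ngx_conf_merge_value(conf->verify, prev->verify, 0);
+ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1);
+
 ngx_conf_merge_str_value(conf->certificate, prev->certificate,
 NGX_DEFLAUT_CERTIFICATE);
 
 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
 NGX_DEFLAUT_CERTIFICATE_KEY);
+
+ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
+"");
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
 
 
 conf->ssl.log = cf->log;
@@ -289,10 +381,25 @@
 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
 "SSL_CTX_set_cipher_list(\"%V\") failed",
 &conf->ciphers);
 }
 
+if (conf->verify) {
+SSL_CTX_set_verify(conf->ssl.ctx, NGX_SSL_VERIFY, NULL);
+
+SSL_CTX_set_verify_depth(conf->ssl.ctx, conf->verify_depth);
+
+if (conf->client_certificate.len) {
+if (ngx_ssl_client_certificate(cf, &conf->ssl,
+&conf->client_certificate)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+}
+}
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
 
 if (conf->prefer_server_ciphers) {
 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }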
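Review bot: `ssl_verify_client on` without an `ssl_client_certificate` is accepted silently: in the last hunk the `if (conf->client_certificate.len)` guard only loads a trusted CA list when that directive is present, so a server that demands client certificates but has nothing to verify them against raises no configuration-time error and the operator learns about it only from failed handshakes. I would make this a hard error before the `SSL_CTX_set_verify` call, `if (conf->client_certificate.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "no ssl_client_certificate for ssl_verify_client"); return NGX_CONF_ERROR; }`. The enclosing ngx_http_ssl_merge_srv_conf begins and ends outside this hunk. Separately, in the command-table hunk `ssl_verify_client` and `ssl_verify_depth` are declared NGX_CONF_1MORE while their handlers (`ngx_conf_set_flag_slot`, `ngx_conf_set_num_slot`) presumably read a single argument, so trailing tokens in a config line would go unchecked; `ssl` and `ssl_ciphers` in the same table use NGX_CONF_FLAG and NGX_CONF_TAKE1, which is the consistent choice here. The two new variable handlers also differ only in the `ngx_ssl_get_*_dn` call and could share one body dispatched through `data`, the way `ngx_http_ssl_variable` already does with `ngx_ssl_get_protocol` and `ngx_ssl_get_cipher_name`.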