Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 2123:9697407e9ecb
*) ssl_verify_client ask
*) test ssl_client_certificate for ssl_verify_client
*) $ssl_client_cert adds TAB before each line except first one
*) $ssl_client_raw_cert contains certificate as is
| author | Igor Sysoev <igor@sysoev.ru> |
|---|---|
| date | Tue, 29 Jul 2008 14:29:02 +0000 |
| parents | 2b11822b12d6 |
| children | e0b424b98f24 |
comparison
equal
deleted
inserted
replaced
| 2122:d090fa684433 | 2123:9697407e9ecb |
|---|---|
| 47 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | 47 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, |
| 48 { ngx_null_string, 0 } | 48 { ngx_null_string, 0 } |
| 49 }; | 49 }; |
| 50 | 50 |
| 51 | 51 |
| 52 static ngx_conf_enum_t ngx_http_ssl_verify[] = { | |
| 53 { ngx_string("off"), 0 }, | |
| 54 { ngx_string("on"), 1 }, | |
| 55 { ngx_string("ask"), 2 }, | |
| 56 { ngx_null_string, 0 } | |
| 57 }; | |
| 58 | |
| 59 | |
| 52 static ngx_command_t ngx_http_ssl_commands[] = { | 60 static ngx_command_t ngx_http_ssl_commands[] = { |
| 53 | 61 |
| 54 { ngx_string("ssl"), | 62 { ngx_string("ssl"), |
| 55 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 63 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
| 56 ngx_conf_set_flag_slot, | 64 ngx_conf_set_flag_slot, |
| 93 offsetof(ngx_http_ssl_srv_conf_t, ciphers), | 101 offsetof(ngx_http_ssl_srv_conf_t, ciphers), |
| 94 NULL }, | 102 NULL }, |
| 95 | 103 |
| 96 { ngx_string("ssl_verify_client"), | 104 { ngx_string("ssl_verify_client"), |
| 97 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 105 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
| 98 ngx_conf_set_flag_slot, | 106 ngx_conf_set_enum_slot, |
| 99 NGX_HTTP_SRV_CONF_OFFSET, | 107 NGX_HTTP_SRV_CONF_OFFSET, |
| 100 offsetof(ngx_http_ssl_srv_conf_t, verify), | 108 offsetof(ngx_http_ssl_srv_conf_t, verify), |
| 101 NULL }, | 109 &ngx_http_ssl_verify }, |
| 102 | 110 |
| 103 { ngx_string("ssl_verify_depth"), | 111 { ngx_string("ssl_verify_depth"), |
| 104 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, | 112 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
| 105 ngx_conf_set_num_slot, | 113 ngx_conf_set_num_slot, |
| 106 NGX_HTTP_SRV_CONF_OFFSET, | 114 NGX_HTTP_SRV_CONF_OFFSET, |
| 183 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 191 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 184 | 192 |
| 185 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, | 193 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, |
| 186 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 194 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 187 | 195 |
| 196 { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable, | |
| 197 (uintptr_t) ngx_ssl_get_raw_certificate, | |
| 198 NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
| 199 | |
| 188 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable, | 200 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable, |
| 189 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 201 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 190 | 202 |
| 191 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable, | 203 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable, |
| 192 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 204 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 305 * sscf->ciphers.data = NULL; | 317 * sscf->ciphers.data = NULL; |
| 306 * sscf->shm_zone = NULL; | 318 * sscf->shm_zone = NULL; |
| 307 */ | 319 */ |
| 308 | 320 |
| 309 sscf->enable = NGX_CONF_UNSET; | 321 sscf->enable = NGX_CONF_UNSET; |
| 322 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | |
| 310 sscf->verify = NGX_CONF_UNSET; | 323 sscf->verify = NGX_CONF_UNSET; |
| 311 sscf->verify_depth = NGX_CONF_UNSET; | 324 sscf->verify_depth = NGX_CONF_UNSET; |
| 312 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | |
| 313 sscf->builtin_session_cache = NGX_CONF_UNSET; | 325 sscf->builtin_session_cache = NGX_CONF_UNSET; |
| 314 sscf->session_timeout = NGX_CONF_UNSET; | 326 sscf->session_timeout = NGX_CONF_UNSET; |
| 315 | 327 |
| 316 return sscf; | 328 return sscf; |
| 317 } | 329 } |
| 339 | 351 |
| 340 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | 352 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
| 341 (NGX_CONF_BITMASK_SET | 353 (NGX_CONF_BITMASK_SET |
| 342 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); | 354 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); |
| 343 | 355 |
| 344 ngx_conf_merge_value(conf->verify, prev->verify, 0); | 356 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
| 345 ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1); | 357 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
| 346 | 358 |
| 347 ngx_conf_merge_str_value(conf->certificate, prev->certificate, | 359 ngx_conf_merge_str_value(conf->certificate, prev->certificate, |
| 348 NGX_DEFLAUT_CERTIFICATE); | 360 NGX_DEFLAUT_CERTIFICATE); |
| 349 | 361 |
| 350 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, | 362 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, |
| 400 "SSL_CTX_set_cipher_list(\"%V\") failed", | 412 "SSL_CTX_set_cipher_list(\"%V\") failed", |
| 401 &conf->ciphers); | 413 &conf->ciphers); |
| 402 } | 414 } |
| 403 | 415 |
| 404 if (conf->verify) { | 416 if (conf->verify) { |
| 417 | |
| 418 if (conf->client_certificate.len == 0) { | |
| 419 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 420 "no ssl_client_certificate for ssl_client_verify"); | |
| 421 return NGX_CONF_ERROR; | |
| 422 } | |
| 423 | |
| 405 if (ngx_ssl_client_certificate(cf, &conf->ssl, | 424 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
| 406 &conf->client_certificate, | 425 &conf->client_certificate, |
| 407 conf->verify_depth) | 426 conf->verify_depth) |
| 408 != NGX_OK) | 427 != NGX_OK) |
| 409 { | 428 { |