Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 5503:d049b0ea00a3
SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.
If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
| author | Dirkjan Bussink <d.bussink@gmail.com> |
|---|---|
| date | Fri, 10 Jan 2014 16:12:40 +0100 |
| parents | a297b7ad6f94 |
| children | 8ed467553f6b |
comparison
equal
deleted
inserted
replaced
| 5502:4aa64f695031 | 5503:d049b0ea00a3 |
|---|---|
| 156 { ngx_string("ssl_session_cache"), | 156 { ngx_string("ssl_session_cache"), |
| 157 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | 157 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, |
| 158 ngx_http_ssl_session_cache, | 158 ngx_http_ssl_session_cache, |
| 159 NGX_HTTP_SRV_CONF_OFFSET, | 159 NGX_HTTP_SRV_CONF_OFFSET, |
| 160 0, | 160 0, |
| 161 NULL }, | |
| 162 | |
| 163 { ngx_string("ssl_session_tickets"), | |
| 164 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
| 165 ngx_conf_set_flag_slot, | |
| 166 NGX_HTTP_SRV_CONF_OFFSET, | |
| 167 offsetof(ngx_http_ssl_srv_conf_t, session_tickets), | |
| 161 NULL }, | 168 NULL }, |
| 162 | 169 |
| 163 { ngx_string("ssl_session_ticket_key"), | 170 { ngx_string("ssl_session_ticket_key"), |
| 164 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 171 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
| 165 ngx_conf_set_str_array_slot, | 172 ngx_conf_set_str_array_slot, |
| 434 sscf->buffer_size = NGX_CONF_UNSET_SIZE; | 441 sscf->buffer_size = NGX_CONF_UNSET_SIZE; |
| 435 sscf->verify = NGX_CONF_UNSET_UINT; | 442 sscf->verify = NGX_CONF_UNSET_UINT; |
| 436 sscf->verify_depth = NGX_CONF_UNSET_UINT; | 443 sscf->verify_depth = NGX_CONF_UNSET_UINT; |
| 437 sscf->builtin_session_cache = NGX_CONF_UNSET; | 444 sscf->builtin_session_cache = NGX_CONF_UNSET; |
| 438 sscf->session_timeout = NGX_CONF_UNSET; | 445 sscf->session_timeout = NGX_CONF_UNSET; |
| 446 sscf->session_tickets = NGX_CONF_UNSET; | |
| 439 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; | 447 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 440 sscf->stapling = NGX_CONF_UNSET; | 448 sscf->stapling = NGX_CONF_UNSET; |
| 441 sscf->stapling_verify = NGX_CONF_UNSET; | 449 sscf->stapling_verify = NGX_CONF_UNSET; |
| 442 | 450 |
| 443 return sscf; | 451 return sscf; |
| 642 != NGX_OK) | 650 != NGX_OK) |
| 643 { | 651 { |
| 644 return NGX_CONF_ERROR; | 652 return NGX_CONF_ERROR; |
| 645 } | 653 } |
| 646 | 654 |
| 655 ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1); | |
| 656 | |
| 657 #ifdef SSL_OP_NO_TICKET | |
| 658 if (!conf->session_tickets) { | |
| 659 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
| 660 } | |
| 661 #endif | |
| 662 | |
| 647 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | 663 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
| 648 prev->session_ticket_keys, NULL); | 664 prev->session_ticket_keys, NULL); |
| 649 | 665 |
| 650 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | 666 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
| 651 != NGX_OK) | 667 != NGX_OK) |