Mercurial > hg > nginx
comparison src/mail/ngx_mail_ssl_module.c @ 5503:d049b0ea00a3
SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.
If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
| author | Dirkjan Bussink <d.bussink@gmail.com> |
|---|---|
| date | Fri, 10 Jan 2014 16:12:40 +0100 |
| parents | 1356a3b96924 |
| children | 42114bf12da0 |
comparison
equal
deleted
inserted
replaced
| 5502:4aa64f695031 | 5503:d049b0ea00a3 |
|---|---|
| 112 { ngx_string("ssl_session_cache"), | 112 { ngx_string("ssl_session_cache"), |
| 113 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, | 113 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12, |
| 114 ngx_mail_ssl_session_cache, | 114 ngx_mail_ssl_session_cache, |
| 115 NGX_MAIL_SRV_CONF_OFFSET, | 115 NGX_MAIL_SRV_CONF_OFFSET, |
| 116 0, | 116 0, |
| 117 NULL }, | |
| 118 | |
| 119 { ngx_string("ssl_session_tickets"), | |
| 120 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, | |
| 121 ngx_conf_set_flag_slot, | |
| 122 NGX_MAIL_SRV_CONF_OFFSET, | |
| 123 offsetof(ngx_mail_ssl_conf_t, session_tickets), | |
| 117 NULL }, | 124 NULL }, |
| 118 | 125 |
| 119 { ngx_string("ssl_session_ticket_key"), | 126 { ngx_string("ssl_session_ticket_key"), |
| 120 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | 127 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
| 121 ngx_conf_set_str_array_slot, | 128 ngx_conf_set_str_array_slot, |
| 189 scf->enable = NGX_CONF_UNSET; | 196 scf->enable = NGX_CONF_UNSET; |
| 190 scf->starttls = NGX_CONF_UNSET_UINT; | 197 scf->starttls = NGX_CONF_UNSET_UINT; |
| 191 scf->prefer_server_ciphers = NGX_CONF_UNSET; | 198 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
| 192 scf->builtin_session_cache = NGX_CONF_UNSET; | 199 scf->builtin_session_cache = NGX_CONF_UNSET; |
| 193 scf->session_timeout = NGX_CONF_UNSET; | 200 scf->session_timeout = NGX_CONF_UNSET; |
| 201 scf->session_tickets = NGX_CONF_UNSET; | |
| 194 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; | 202 scf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 195 | 203 |
| 196 return scf; | 204 return scf; |
| 197 } | 205 } |
| 198 | 206 |
| 337 != NGX_OK) | 345 != NGX_OK) |
| 338 { | 346 { |
| 339 return NGX_CONF_ERROR; | 347 return NGX_CONF_ERROR; |
| 340 } | 348 } |
| 341 | 349 |
| 350 ngx_conf_merge_value(conf->session_tickets, | |
| 351 prev->session_tickets, 1); | |
| 352 | |
| 353 #ifdef SSL_OP_NO_TICKET | |
| 354 if (!conf->session_tickets) { | |
| 355 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); | |
| 356 } | |
| 357 #endif | |
| 358 | |
| 342 ngx_conf_merge_ptr_value(conf->session_ticket_keys, | 359 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
| 343 prev->session_ticket_keys, NULL); | 360 prev->session_ticket_keys, NULL); |
| 344 | 361 |
| 345 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) | 362 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
| 346 != NGX_OK) | 363 != NGX_OK) |