comparison src/http/modules/ngx_http_ssl_module.c @ 8869:e5a17d6041bd quic
Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
In particular, this fixes rejecting "listen .. quic|http3" configurations
without TLSv1.3 configured.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 29 Sep 2021 15:01:53 +0300 |
parents | fac88e160653 |
children | 61d0fa67b55e |
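--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -1383,47 +1383,48 @@
 
 cscf = addr[a].default_server;
 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
 
 if (sscf->certificates) {
+
+if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"\"ssl_protocols\" must enable TLSv1.3 for "
+"the \"listen ... %s\" directive in %s:%ui",
+name, cscf->file_name, cscf->line);
+return NGX_ERROR;
+}
+
 continue;
 }
 
 if (!sscf->reject_handshake) {
-ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-"no \"ssl_certificate\" is defined for "
-"the \"listen ... ssl\" directive in %s:%ui",
-cscf->file_name, cscf->line);
-return NGX_ERROR;
-}
-
-/*
-* if no certificates are defined in the default server,
-* check all non-default server blocks
-*/
-
-cscfp = addr[a].servers.elts;
-for (s = 0; s < addr[a].servers.nelts; s++) {
-
-cscf = cscfp[s];
-sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
-
-if (sscf->certificates || sscf->reject_handshake) {
-continue;
-}
-
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"ssl_certificate\" is defined for "
 "the \"listen ... %s\" directive in %s:%ui",
 name, cscf->file_name, cscf->line);
 return NGX_ERROR;
 }
 
-if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
+/*
+* if no certificates are defined in the default server,
+* check all non-default server blocks
+*/
+
+cscfp = addr[a].servers.elts;
+for (s = 0; s < addr[a].servers.nelts; s++) {
+
+cscf = cscfp[s];
+sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
+
+if (sscf->certificates || sscf->reject_handshake) {
+continue;
+}
+
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-"\"ssl_protocols\" did not enable TLSv1.3 for "
-"the \"listen ... %s\" directives in %s:%ui",
+"no \"ssl_certificate\" is defined for "
+"the \"listen ... %s\" directive in %s:%ui",
 name, cscf->file_name, cscf->line);
 return NGX_ERROR;
 }
 }
 }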
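Review bot: A `listen ... quic` address whose default server has no certificate never reaches the TLSv1.3 check, because the check at new lines 1389-1395 sits inside `if (sscf->certificates) {` and the non-default-server loop below it tests only `certificates` and `reject_handshake`. If the default server's `ssl_protocols` still governs handshakes for the other server blocks on that address (not visible in this section), the check belongs before the `if (sscf->certificates)` branch so that it runs for every QUIC address. If skipping it is intended for a default server that only rejects handshakes, a comment such as `/* protocols are checked only when the default server can complete a handshake */` above the check would record that decision. The enclosing function starts and ends outside the section.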