Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 6816:ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".
The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers(). It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session. As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 05 Dec 2016 22:23:23 +0300 |
| parents | 2d15fff64e3c |
| children | e75e854657ba |
comparison
equal
deleted
inserted
replaced
| 6815:2d15fff64e3c | 6816:ea93c7d8752a |
|---|---|
| 3292 return NGX_OK; | 3292 return NGX_OK; |
| 3293 } | 3293 } |
| 3294 | 3294 |
| 3295 | 3295 |
| 3296 ngx_int_t | 3296 ngx_int_t |
| 3297 ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
| 3298 { | |
| 3299 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST | |
| 3300 | |
| 3301 int n, i, bytes; | |
| 3302 size_t len; | |
| 3303 u_char *ciphers, *p; | |
| 3304 const SSL_CIPHER *cipher; | |
| 3305 | |
| 3306 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL); | |
| 3307 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers); | |
| 3308 | |
| 3309 if (n <= 0) { | |
| 3310 s->len = 0; | |
| 3311 return NGX_OK; | |
| 3312 } | |
| 3313 | |
| 3314 len = 0; | |
| 3315 n /= bytes; | |
| 3316 | |
| 3317 for (i = 0; i < n; i++) { | |
| 3318 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); | |
| 3319 | |
| 3320 if (cipher) { | |
| 3321 len += ngx_strlen(SSL_CIPHER_get_name(cipher)); | |
| 3322 | |
| 3323 } else { | |
| 3324 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1); | |
| 3325 } | |
| 3326 | |
| 3327 len += sizeof(":") - 1; | |
| 3328 } | |
| 3329 | |
| 3330 s->data = ngx_pnalloc(pool, len); | |
| 3331 if (s->data == NULL) { | |
| 3332 return NGX_ERROR; | |
| 3333 } | |
| 3334 | |
| 3335 p = s->data; | |
| 3336 | |
| 3337 for (i = 0; i < n; i++) { | |
| 3338 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); | |
| 3339 | |
| 3340 if (cipher) { | |
| 3341 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher)); | |
| 3342 | |
| 3343 } else { | |
| 3344 p = ngx_sprintf(p, "0x"); | |
| 3345 p = ngx_hex_dump(p, ciphers + i * bytes, bytes); | |
| 3346 } | |
| 3347 | |
| 3348 *p++ = ':'; | |
| 3349 } | |
| 3350 | |
| 3351 p--; | |
| 3352 | |
| 3353 s->len = p - s->data; | |
| 3354 | |
| 3355 #else | |
| 3356 | |
| 3357 u_char buf[4096]; | |
| 3358 | |
| 3359 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096) | |
| 3360 == NULL) | |
| 3361 { | |
| 3362 s->len = 0; | |
| 3363 return NGX_OK; | |
| 3364 } | |
| 3365 | |
| 3366 s->len = ngx_strlen(buf); | |
| 3367 s->data = ngx_pnalloc(pool, s->len); | |
| 3368 if (s->data == NULL) { | |
| 3369 return NGX_ERROR; | |
| 3370 } | |
| 3371 | |
| 3372 ngx_memcpy(s->data, buf, s->len); | |
| 3373 | |
| 3374 #endif | |
| 3375 | |
| 3376 return NGX_OK; | |
| 3377 } | |
| 3378 | |
| 3379 | |
| 3380 ngx_int_t | |
| 3297 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | 3381 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 3298 { | 3382 { |
| 3299 u_char *buf; | 3383 u_char *buf; |
| 3300 SSL_SESSION *sess; | 3384 SSL_SESSION *sess; |
| 3301 unsigned int len; | 3385 unsigned int len; |