Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 4041:f87edc142316 stable-1.0
Merge of r3960, r3961, r3962, r3963, r3965:
SSL related fixes:
*) MSIE export versions are rare now, so RSA 512 key is generated on demand
and is shared among all hosts instead of pregenerating for every HTTPS host
on configuraiton phase. This decreases start time for configuration with
large number of HTTPS hosts.
*) ECDHE support; patch by Adrian Kotelba
*) fix build by gcc46 with -Wunused-value option
*) fix SSL connection issues on platforms with 32-bit off_t
*) do not try to reuse and save a SSL session for a peer created on the fly
by ngx_http_upstream_create_round_robin_peer(), since the peer lives
only during request so the saved SSL session will never be used again
and just causes memory leak
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Mon, 29 Aug 2011 12:35:53 +0000 |
parents | 1e90599af73b |
children | 718f2154b813 |
comparison
equal
deleted
inserted
replaced
4040:0094c8636d5f | 4041:f87edc142316 |
---|---|
11 | 11 |
12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, | 12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
13 ngx_pool_t *pool, ngx_str_t *s); | 13 ngx_pool_t *pool, ngx_str_t *s); |
14 | 14 |
15 | 15 |
16 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" | 16 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
17 #define NGX_DEFAULT_ECDH_CURVE "prime256v1" | |
17 | 18 |
18 | 19 |
19 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, | 20 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, |
20 ngx_http_variable_value_t *v, uintptr_t data); | 21 ngx_http_variable_value_t *v, uintptr_t data); |
21 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, | 22 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, |
74 { ngx_string("ssl_dhparam"), | 75 { ngx_string("ssl_dhparam"), |
75 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 76 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
76 ngx_conf_set_str_slot, | 77 ngx_conf_set_str_slot, |
77 NGX_HTTP_SRV_CONF_OFFSET, | 78 NGX_HTTP_SRV_CONF_OFFSET, |
78 offsetof(ngx_http_ssl_srv_conf_t, dhparam), | 79 offsetof(ngx_http_ssl_srv_conf_t, dhparam), |
80 NULL }, | |
81 | |
82 { ngx_string("ssl_ecdh_curve"), | |
83 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
84 ngx_conf_set_str_slot, | |
85 NGX_HTTP_SRV_CONF_OFFSET, | |
86 offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve), | |
79 NULL }, | 87 NULL }, |
80 | 88 |
81 { ngx_string("ssl_protocols"), | 89 { ngx_string("ssl_protocols"), |
82 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, | 90 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
83 ngx_conf_set_bitmask_slot, | 91 ngx_conf_set_bitmask_slot, |
310 * | 318 * |
311 * sscf->protocols = 0; | 319 * sscf->protocols = 0; |
312 * sscf->certificate = { 0, NULL }; | 320 * sscf->certificate = { 0, NULL }; |
313 * sscf->certificate_key = { 0, NULL }; | 321 * sscf->certificate_key = { 0, NULL }; |
314 * sscf->dhparam = { 0, NULL }; | 322 * sscf->dhparam = { 0, NULL }; |
323 * sscf->ecdh_curve = { 0, NULL }; | |
315 * sscf->client_certificate = { 0, NULL }; | 324 * sscf->client_certificate = { 0, NULL }; |
316 * sscf->crl = { 0, NULL }; | 325 * sscf->crl = { 0, NULL }; |
317 * sscf->ciphers = { 0, NULL }; | 326 * sscf->ciphers = { 0, NULL }; |
318 * sscf->shm_zone = NULL; | 327 * sscf->shm_zone = NULL; |
319 */ | 328 */ |
357 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 366 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
358 | 367 |
359 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, | 368 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
360 ""); | 369 ""); |
361 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); | 370 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
371 | |
372 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | |
373 NGX_DEFAULT_ECDH_CURVE); | |
362 | 374 |
363 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 375 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
364 | 376 |
365 | 377 |
366 conf->ssl.log = cf->log; | 378 conf->ssl.log = cf->log; |
463 if (conf->prefer_server_ciphers) { | 475 if (conf->prefer_server_ciphers) { |
464 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | 476 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
465 } | 477 } |
466 | 478 |
467 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | 479 /* a temporary 512-bit RSA key is required for export versions of MSIE */ |
468 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { | 480 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
481 | |
482 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { | |
469 return NGX_CONF_ERROR; | 483 return NGX_CONF_ERROR; |
470 } | 484 } |
471 | 485 |
472 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { | 486 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
473 return NGX_CONF_ERROR; | 487 return NGX_CONF_ERROR; |
474 } | 488 } |
475 | 489 |
476 ngx_conf_merge_value(conf->builtin_session_cache, | 490 ngx_conf_merge_value(conf->builtin_session_cache, |
477 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); | 491 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |