comparison src/mail/ngx_mail_ssl_module.c @ 4041:f87edc142316 stable-1.0
Merge of r3960, r3961, r3962, r3963, r3965:
SSL related fixes:
*) MSIE export versions are rare now, so RSA 512 key is generated on demand
and is shared among all hosts instead of pregenerating for every HTTPS host
on configuration phase. This decreases start time for configuration with
large number of HTTPS hosts.
*) ECDHE support; patch by Adrian Kotelba
*) fix build by gcc46 with -Wunused-value option
*) fix SSL connection issues on platforms with 32-bit off_t
*) do not try to reuse and save a SSL session for a peer created on the fly
by ngx_http_upstream_create_round_robin_peer(), since the peer lives
only during request so the saved SSL session will never be used again
and just causes memory leak
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Mon, 29 Aug 2011 12:35:53 +0000 |
parents | 1e90599af73b |
children | 718f2154b813 |
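--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -7,11 +7,12 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_mail.h>
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_ECDH_CURVE "prime256v1"
 
 
 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
 
@@ -73,10 +74,17 @@
 { ngx_string("ssl_dhparam"),
 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_MAIL_SRV_CONF_OFFSET,
 offsetof(ngx_mail_ssl_conf_t, dhparam),
+NULL },
+
+{ ngx_string("ssl_ecdh_curve"),
+NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_MAIL_SRV_CONF_OFFSET,
+offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
 NULL },
 
 { ngx_string("ssl_protocols"),
 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
 ngx_conf_set_bitmask_slot,
@@ -161,10 +169,11 @@
 *
 * scf->protocols = 0;
 * scf->certificate = { 0, NULL };
 * scf->certificate_key = { 0, NULL };
 * scf->dhparam = { 0, NULL };
+* scf->ecdh_curve = { 0, NULL };
 * scf->ciphers = { 0, NULL };
 * scf->shm_zone = NULL;
 */
 
 scf->enable = NGX_CONF_UNSET;
@@ -201,10 +210,13 @@
 
 ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
 
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
+
+ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
+NGX_DEFAULT_ECDH_CURVE);
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
 conf->ssl.log = cf->log;
@@ -284,13 +296,11 @@
 
 if (conf->prefer_server_ciphers) {
 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
 
-if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
-return NGX_CONF_ERROR;
-}
+SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
 
 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 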
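Review bot: The new `SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);` at new line 301 registers a 512-bit ephemeral RSA key unconditionally, and nothing near it records that such a key is only consulted for EXPORT-grade RSA cipher suites, which the default `NGX_DEFAULT_CIPHERS` "HIGH:!aNULL:!MD5" already excludes. Since the commit message says this key is now one object shared by every host, and 512-bit RSA is generally regarded as factorable with modest effort, an operator who adds EXPORT suites to `ssl_ciphers` would expose every host's export handshakes to a single factoring job, where the previous per-host generation at least bounded the blast radius. I would add a comment above the call: `/* shared 512-bit temp RSA key: reached only by EXPORT cipher suites (excluded by default); kept for legacy MSIE export clients and provides no real security */`. The merge function continues past the end of this hunk, so whether `conf->ecdh_curve` is applied to the context further down is not visible here.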