diff src/imap/ngx_imap_ssl_module.c @ 547:818fbd4750b9 release-0.2.2

nginx-0.2.2-RELEASE import *) Feature: the "config errmsg" command of the ngx_http_ssi_module. *) Change: the ngx_http_geo_module variables can be overridden by the "set" directive. *) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. *) Bugfix: the ngx_http_autoindex_module did not show long file names correctly; *) Bugfix: the ngx_http_autoindex_module now does not show files whose names start with a dot. *) Bugfix: if the SSL handshake failed then another connection may be closed too. Thanks to Rob Mueller. *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
author Igor Sysoev <igor@sysoev.ru>
date Fri, 30 Sep 2005 14:41:25 +0000
parents 511a89da35ad
children 9c2f3ed7a247
--- a/src/imap/ngx_imap_ssl_module.c
+++ b/src/imap/ngx_imap_ssl_module.c
@@ -11,12 +11,21 @@
 
 #define NGX_DEFLAUT_CERTIFICATE      "cert.pem"
 #define NGX_DEFLAUT_CERTIFICATE_KEY  "cert.pem"
+#define NGX_DEFLAUT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 
 
 static void *ngx_imap_ssl_create_conf(ngx_conf_t *cf);
 static char *ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
 
 
+static ngx_conf_bitmask_t  ngx_imap_ssl_protocols[] = { 
+    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+    { ngx_null_string, 0 }
+};
+
+
 static ngx_command_t  ngx_imap_ssl_commands[] = {
 
     { ngx_string("ssl"),
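Review bot: NGX_DEFLAUT_CIPHERS (L16) admits `+LOW`, `+EXP` and `+SSLv2` suites, so a server block that never sets ssl_ciphers now negotiates export-grade and low-strength ciphers by default; the ngx_ssl_generate_rsa512_key() call in the last hunk appears to exist to serve those export suites. The previous default was the empty string, which the `if (conf->ciphers.len)` guard in the merge function skipped, leaving the library's own list in place, so this is a behavioral change that deserves a comment on the macro, e.g. `/* built-in cipher default; narrowed per server with the "ssl_ciphers" directive */`. The macro keeps the file's existing DEFLAUT spelling; renaming all three macros together would be a separate cleanup.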
@@ -40,6 +49,13 @@ static ngx_command_t  ngx_imap_ssl_comma
       offsetof(ngx_imap_ssl_conf_t, certificate_key),
       NULL },
 
+    { ngx_string("ssl_protocols"),
+      NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_bitmask_slot,
+      NGX_IMAP_SRV_CONF_OFFSET,
+      offsetof(ngx_imap_ssl_conf_t, protocols),
+      &ngx_imap_ssl_protocols },
+
     { ngx_string("ssl_ciphers"),
       NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
@@ -47,6 +63,13 @@ static ngx_command_t  ngx_imap_ssl_comma
       offsetof(ngx_imap_ssl_conf_t, ciphers),
       NULL },
 
+    { ngx_string("ssl_prefer_server_ciphers"),
+      NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_IMAP_SRV_CONF_OFFSET,
+      offsetof(ngx_imap_ssl_conf_t, prefer_server_ciphers),
+      NULL },
+
       ngx_null_command
 };
 
@@ -92,6 +115,8 @@ ngx_imap_ssl_create_conf(ngx_conf_t *cf)
     /*
      * set by ngx_pcalloc():  
      *
+     *     scf->protocols = 0;
+     *
      *     scf->certificate.len = 0;
      *     scf->certificate.data = NULL;
      *     scf->certificate_key.len = 0;
@@ -101,6 +126,7 @@ ngx_imap_ssl_create_conf(ngx_conf_t *cf)
      */
 
     scf->enable = NGX_CONF_UNSET;
+    scf->prefer_server_ciphers = NGX_CONF_UNSET;
 
     return scf;
 }
@@ -118,39 +144,41 @@ ngx_imap_ssl_merge_conf(ngx_conf_t *cf, 
         return NGX_CONF_OK;
     }
 
+    ngx_conf_merge_value(conf->prefer_server_ciphers,
+                         prev->prefer_server_ciphers, 0);
+
+    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+                         (NGX_CONF_BITMASK_SET
+                          |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+
     ngx_conf_merge_str_value(conf->certificate, prev->certificate,
                              NGX_DEFLAUT_CERTIFICATE);
 
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
                              NGX_DEFLAUT_CERTIFICATE_KEY);
 
-    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, "");
+    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
 
 
-    /* TODO: configure methods */
+    conf->ssl.log = cf->log;
 
-    conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-
-    if (conf->ssl_ctx == NULL) {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed");
+    if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
 
-    if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx)
-        == NULL)
+    if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL)
     {
         return NGX_CONF_ERROR;
     }
 
-
-#if 0
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_NO_SSLv3);
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_SINGLE_DH_USE);
-#endif
+    if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data,
+                            conf->certificate_key.data) != NGX_OK)
+    {
+        return NGX_CONF_ERROR;
+    }
 
     if (conf->ciphers.len) {
-        if (SSL_CTX_set_cipher_list(conf->ssl_ctx,
+        if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
                                    (const char *) conf->ciphers.data) == 0)
         {
             ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
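Review bot: `prefer_server_ciphers` is merged at L83-84 but nothing in ngx_imap_ssl_merge_conf applies it to the context: ngx_ssl_create() receives only `conf->protocols`, and neither this hunk nor the following one calls SSL_CTX_set_options with SSL_OP_CIPHER_SERVER_PREFERENCE, so the new `ssl_prefer_server_ciphers` directive added at L52-57 is accepted but has no effect unless the two unseen lines between the hunks do it, which the surrounding error path makes unlikely. After the cipher-list block, add `if (conf->prefer_server_ciphers) {` / `SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` / `}`. The function's body continues past this hunk.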
@@ -159,35 +187,13 @@ ngx_imap_ssl_merge_conf(ngx_conf_t *cf, 
         }
     }
 
-    if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx,
-                                         (char *) conf->certificate.data) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
-                      "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
-                      conf->certificate.data);
+    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
 
+    SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER);
 
-    if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx,
-                                    (char *) conf->certificate_key.data,
-                                    SSL_FILETYPE_PEM) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
-                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed",
-                      conf->certificate_key.data);
-        return NGX_CONF_ERROR;
-    }
-
-    SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-
-    SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-
-    SSL_CTX_set_read_ahead(conf->ssl_ctx, 1);
-
-    SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER);
-
-    SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_imap_session_id_ctx,
+    SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_imap_session_id_ctx,
                                    sizeof(ngx_imap_session_id_ctx) - 1);
 
     return NGX_CONF_OK;