Mercurial > hg > nginx

diff src/http/modules/ngx_http_ssl_module.c @ 4041:f87edc142316 stable-1.0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge of r3960, r3961, r3962, r3963, r3965: SSL related fixes: *) MSIE export versions are rare now, so RSA 512 key is generated on demand and is shared among all hosts instead of pregenerating for every HTTPS host on configuraiton phase. This decreases start time for configuration with large number of HTTPS hosts. *) ECDHE support; patch by Adrian Kotelba *) fix build by gcc46 with -Wunused-value option *) fix SSL connection issues on platforms with 32-bit off_t *) do not try to reuse and save a SSL session for a peer created on the fly by ngx_http_upstream_create_round_robin_peer(), since the peer lives only during request so the saved SSL session will never be used again and just causes memory leak
author Igor Sysoev <igor@sysoev.ru>
date Mon, 29 Aug 2011 12:35:53 +0000
parents 1e90599af73b
children 718f2154b813
line wrap: on
line diff
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -13,7 +13,8 @@ typedef ngx_int_t (*ngx_ssl_variable_han
     ngx_pool_t *pool, ngx_str_t *s);
 
 
-#define NGX_DEFAULT_CIPHERS  "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_ECDH_CURVE  "prime256v1"
 
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
@@ -78,6 +79,13 @@ static ngx_command_t  ngx_http_ssl_comma
       offsetof(ngx_http_ssl_srv_conf_t, dhparam),
       NULL },
 
+    { ngx_string("ssl_ecdh_curve"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
+      NULL },
+
     { ngx_string("ssl_protocols"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
       ngx_conf_set_bitmask_slot,
@@ -312,6 +320,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
      *     sscf->certificate = { 0, NULL };
      *     sscf->certificate_key = { 0, NULL };
      *     sscf->dhparam = { 0, NULL };
+     *     sscf->ecdh_curve = { 0, NULL };
      *     sscf->client_certificate = { 0, NULL };
      *     sscf->crl = { 0, NULL };
      *     sscf->ciphers = { 0, NULL };
@@ -360,6 +369,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
                          "");
     ngx_conf_merge_str_value(conf->crl, prev->crl, "");
 
+    ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
+                         NGX_DEFAULT_ECDH_CURVE);
+
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
@@ -465,11 +477,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
     }
 
     /* a temporary 512-bit RSA key is required for export versions of MSIE */
-    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
+    SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+
+    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
 
-    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
         return NGX_CONF_ERROR;
     }