Mercurial > hg > nginx

view src/mail/ngx_mail_ssl_module.h @ 7459:982008fbc4ba

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error(). The "(SSL:)" snippet currently appears in logs when nginx code uses ngx_ssl_error() to log an error, but OpenSSL's error queue is empty. This can happen either because the error wasn't in fact from OpenSSL, or because OpenSSL did not indicate the error in the error queue for some reason. In particular, currently "(SSL:)" can be seen in errors at least in the following cases: - When SSL_write() fails due to a syscall error, "[info] ... SSL_write() failed (SSL:) (32: Broken pipe)...". - When loading a certificate with no data in it, "[emerg] PEM_read_bio_X509_AUX(...) failed (SSL:)". This can easily happen due to an additional empty line before the end line, so all lines of the certificate are interpreted as header lines. - When trying to configure an unknown curve, "[emerg] SSL_CTX_set1_curves_list("foo") failed (SSL:)". Likely there are other cases as well. With this change, "(SSL:...)" will be only added to the error message if there is something in the error queue. This is expected to make logs more readable in the above cases. Additionally, with this change it is now possible to use ngx_ssl_error() to log errors when some of the possible errors are not from OpenSSL and not expected to have anything in the error queue.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 25 Feb 2019 16:41:15 +0300
parents 7f955d3b9a0d
children 3bff3f397c05
line wrap: on
line source


/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


#ifndef _NGX_MAIL_SSL_H_INCLUDED_
#define _NGX_MAIL_SSL_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_mail.h>


#define NGX_MAIL_STARTTLS_OFF   0
#define NGX_MAIL_STARTTLS_ON    1
#define NGX_MAIL_STARTTLS_ONLY  2


typedef struct {
    ngx_flag_t       enable;
    ngx_flag_t       prefer_server_ciphers;

    ngx_ssl_t        ssl;

    ngx_uint_t       starttls;
    ngx_uint_t       listen;
    ngx_uint_t       protocols;

    ngx_uint_t       verify;
    ngx_uint_t       verify_depth;

    ssize_t          builtin_session_cache;

    time_t           session_timeout;

    ngx_array_t     *certificates;
    ngx_array_t     *certificate_keys;

    ngx_str_t        dhparam;
    ngx_str_t        ecdh_curve;
    ngx_str_t        client_certificate;
    ngx_str_t        trusted_certificate;
    ngx_str_t        crl;

    ngx_str_t        ciphers;

    ngx_array_t     *passwords;

    ngx_shm_zone_t  *shm_zone;

    ngx_flag_t       session_tickets;
    ngx_array_t     *session_ticket_keys;

    u_char          *file;
    ngx_uint_t       line;
} ngx_mail_ssl_conf_t;


extern ngx_module_t  ngx_mail_ssl_module;


#endif /* _NGX_MAIL_SSL_H_INCLUDED_ */