changeset 7905:13d0c1d26d47

Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134). This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to the mail proxy auth protocol when SSL is enabled. This can be useful for detecting users whose older clients negotiate old ciphers when you want to upgrade to newer TLS versions or remove support for old and insecure ciphers. You can use your auth backend to notify these users before the upgrade that they either need to upgrade their client software or contact your support team to work out an upgrade path.
author Rob Mueller <robm@fastmail.fm>
date Fri, 13 Aug 2021 03:57:47 -0400
parents 419c066cb710
children 058a67435e83
files src/mail/ngx_mail_auth_http_module.c
diffstat 1 files changed, 39 insertions(+), 2 deletions(-) [+]
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -1137,8 +1137,8 @@ ngx_mail_auth_http_create_request(ngx_ma
     ngx_str_t                  login, passwd;
     ngx_connection_t          *c;
 #if (NGX_MAIL_SSL)
-    ngx_str_t                  verify, subject, issuer, serial, fingerprint,
-                               raw_cert, cert;
+    ngx_str_t                  protocol, cipher, verify, subject, issuer,
+                               serial, fingerprint, raw_cert, cert;
     ngx_mail_ssl_conf_t       *sslcf;
 #endif
     ngx_mail_core_srv_conf_t  *cscf;
@@ -1155,6 +1155,25 @@ ngx_mail_auth_http_create_request(ngx_ma
 
 #if (NGX_MAIL_SSL)
 
+    if (c->ssl) {
+
+        if (ngx_ssl_get_protocol(c, pool, &protocol) != NGX_OK) {
+            return NULL;
+        }
+
+        protocol.len = ngx_strlen(protocol.data);
+
+        if (ngx_ssl_get_cipher_name(c, pool, &cipher) != NGX_OK) {
+            return NULL;
+        }
+
+        cipher.len = ngx_strlen(cipher.data);
+
+    } else {
+        ngx_str_null(&protocol);
+        ngx_str_null(&cipher);
+    }
+
     sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
 
     if (c->ssl && sslcf->verify) {
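Review bot: The two `ngx_strlen` calls at the top of the hunk need a comment, because a reader will otherwise wonder why the `ngx_str_t` filled in by `ngx_ssl_get_protocol` and `ngx_ssl_get_cipher_name` has its length recomputed; presumably those helpers only store the library's NUL-terminated name in `.data` and leave `.len` unset, which is how the HTTP `$ssl_protocol`/`$ssl_cipher` variables are handled, but that is not visible here. Suggest `/* the helpers return a NUL-terminated name and do not set len */` above the first `ngx_strlen`. The code also assumes neither helper returns NGX_OK with a NULL `data`, since `ngx_strlen(NULL)` would crash the worker; worth confirming against the helper implementations. The enclosing `ngx_mail_auth_http_create_request` starts before this hunk and continues after it.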
@@ -1252,6 +1271,10 @@ ngx_mail_auth_http_create_request(ngx_ma
 
     if (c->ssl) {
         len += sizeof("Auth-SSL: on" CRLF) - 1
+               + sizeof("Auth-SSL-Protocol: ") - 1 + protocol.len
+                     + sizeof(CRLF) - 1
+               + sizeof("Auth-SSL-Cipher: ") - 1 + cipher.len
+                     + sizeof(CRLF) - 1
                + sizeof("Auth-SSL-Verify: ") - 1 + verify.len
                      + sizeof(CRLF) - 1
                + sizeof("Auth-SSL-Subject: ") - 1 + subject.len
@@ -1373,6 +1396,20 @@ ngx_mail_auth_http_create_request(ngx_ma
         b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
                              sizeof("Auth-SSL: on" CRLF) - 1);
 
+        if (protocol.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Protocol: ",
+                                 sizeof("Auth-SSL-Protocol: ") - 1);
+            b->last = ngx_copy(b->last, protocol.data, protocol.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
+        if (cipher.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Cipher: ",
+                                 sizeof("Auth-SSL-Cipher: ") - 1);
+            b->last = ngx_copy(b->last, cipher.data, cipher.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
         if (verify.len) {
             b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
                                  sizeof("Auth-SSL-Verify: ") - 1);
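Review bot: The protocol and cipher names are written into the auth request by `ngx_copy(b->last, protocol.data, protocol.len)` and its cipher counterpart without any escaping, so freedom from header injection rests entirely on the TLS library returning fixed, CRLF-free names; that is true of OpenSSL's static protocol and cipher tables as far as I know, but it should be stated next to the copies with `/* library-provided names contain no CR/LF; safe to emit unescaped */`. It is also worth a line in the module documentation that these headers are informational: they report what the client negotiated within the server's `ssl_protocols`/`ssl_ciphers` policy, so retiring a weak cipher must still be done in that configuration rather than by the auth backend. The enclosing function starts before this hunk and continues after it.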