annotate src/stream/ngx_stream_ssl_module.c @ 7729:3bff3f397c05
SSL: ssl_conf_command directive.
With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later. The full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).
In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):
ssl_conf_command Options PrioritizeChaCha;
It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
Configuration commands are applied after nginx's own SSL configuration,
so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 22 Oct 2020 18:00:22 +0300 |
parents | ef7ee19776db |
children | 7ce28b4cc57e |
6115 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> | |
11 | |
12 | |
/*
 * Signature of the ngx_ssl_get_*() accessors stored in the data field of
 * the $ssl_* entries in ngx_stream_ssl_vars below; presumably cast back to
 * this type inside ngx_stream_ssl_variable() and
 * ngx_stream_ssl_static_variable(), whose bodies are outside this listing.
 */
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);


/*
 * Built-in defaults for ssl_ciphers and ssl_ecdh_curve (presumably applied
 * by ngx_stream_ssl_merge_conf() when the directives are absent; that
 * function is outside this listing).  In OpenSSL cipher-list syntax,
 * "HIGH:!aNULL:!MD5" selects high-strength suites while excluding
 * unauthenticated (anonymous) key exchange and MD5-based MACs; "auto"
 * leaves the ECDH curve choice to OpenSSL.
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE  "auto"


/*
 * Forward declarations.  ngx_stream_ssl_handler() is the stream phase
 * handler that drives the handshake and the client certificate checks;
 * the SNI and certificate callbacks are only compiled when the OpenSSL
 * build defines the corresponding SSL_CTRL_SET_TLSEXT_HOSTNAME /
 * SSL_R_CERT_CB_ERROR symbols.  Note that ngx_stream_ssl_servername() has
 * external linkage (no "static"), unlike the other helpers here.
 */
static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
    ngx_connection_t *c);
static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
#endif
#ifdef SSL_R_CERT_CB_ERROR
static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
#endif
static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);

static ngx_int_t ngx_stream_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_stream_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent,
    void *child);

static ngx_int_t ngx_stream_ssl_compile_certificates(ngx_conf_t *cf,
    ngx_stream_ssl_conf_t *conf);

static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);

/* post handler for ssl_conf_command; validates each name/value pair */
static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
    void *data);

static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);


/*
 * Name -> bitmask table for the ssl_protocols directive (NGX_CONF_1MORE,
 * see ngx_stream_ssl_commands).  SSLv2 and SSLv3 remain accepted by the
 * parser for configuration compatibility even though modern OpenSSL
 * builds typically no longer provide them; the mask is applied to the
 * SSL context outside this file.
 */
static ngx_conf_bitmask_t  ngx_stream_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
    { ngx_null_string, 0 }
};


/*
 * Values for ssl_verify_client.  Any non-zero value makes
 * ngx_stream_ssl_handler() below consult SSL_get_verify_result() after the
 * handshake; how the three non-zero modes differ from each other is
 * decided elsewhere (not in this listing).
 */
static ngx_conf_enum_t  ngx_stream_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }
};


/*
 * Post handler for ssl_conf_command, presumably invoked by
 * ngx_conf_set_keyval_slot() once a name/value pair has been stored.
 * ngx_stream_ssl_conf_command_check() is defined outside this listing;
 * NOTE(review): it presumably rejects the directive when nginx was built
 * without SSL_CONF support (OpenSSL older than 1.0.2) -- confirm.
 */
static ngx_conf_post_t  ngx_stream_ssl_conf_command_post =
    { ngx_stream_ssl_conf_command_check };


/*
 * Directives of the stream SSL module.  All of them are accepted in the
 * stream{} and server{} contexts and are stored in ngx_stream_ssl_conf_t.
 *
 * ssl_conf_command takes exactly two arguments (NGX_CONF_TAKE2) and is
 * collected into the conf_commands array by ngx_conf_set_keyval_slot();
 * each pair is checked by ngx_stream_ssl_conf_command_post and, per the
 * commit message, handed to OpenSSL's SSL_CONF_cmd() after nginx's own SSL
 * setup, so it can override any setting made by the directives above it.
 */
static ngx_command_t  ngx_stream_ssl_commands[] = {

    { ngx_string("ssl_handshake_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_msec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, handshake_timeout),
      NULL },

    { ngx_string("ssl_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificates),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, certificate_keys),
      NULL },

    { ngx_string("ssl_password_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_ssl_password_file,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, dhparam),
      NULL },

    { ngx_string("ssl_ecdh_curve"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ecdh_curve),
      NULL },

    { ngx_string("ssl_protocols"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, protocols),
      &ngx_stream_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, ciphers),
      NULL },

    { ngx_string("ssl_verify_client"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, verify),
      &ngx_stream_ssl_verify },

    { ngx_string("ssl_verify_depth"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, verify_depth),
      NULL },

    { ngx_string("ssl_client_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_trusted_certificate"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, trusted_certificate),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers),
      NULL },

    { ngx_string("ssl_session_cache"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12,
      ngx_stream_ssl_session_cache,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_tickets),
      NULL },

    { ngx_string("ssl_session_ticket_key"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_ticket_keys),
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, session_timeout),
      NULL },

    { ngx_string("ssl_crl"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, crl),
      NULL },

    /* raw OpenSSL SSL_CONF_cmd() name/value pairs; applied last */
    { ngx_string("ssl_conf_command"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
      ngx_conf_set_keyval_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_conf_t, conf_commands),
      &ngx_stream_ssl_conf_command_post },

      ngx_null_command
};


/*
 * Stream module context.  Variables are registered at preconfiguration
 * (presumably ngx_stream_ssl_add_variables() installs ngx_stream_ssl_vars),
 * and ngx_stream_ssl_init() runs at postconfiguration (presumably hooking
 * ngx_stream_ssl_handler() into a stream phase); both bodies are outside
 * this listing.  The module keeps no main configuration.
 */
static ngx_stream_module_t  ngx_stream_ssl_module_ctx = {
    ngx_stream_ssl_add_variables,          /* preconfiguration */
    ngx_stream_ssl_init,                   /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_stream_ssl_create_conf,            /* create server configuration */
    ngx_stream_ssl_merge_conf              /* merge server configuration */
};


/*
 * Module definition exported to the nginx core.  No process or thread
 * lifecycle hooks are used; all work happens via the configuration
 * callbacks in ngx_stream_ssl_module_ctx and the directive handlers.
 */
ngx_module_t  ngx_stream_ssl_module = {
    NGX_MODULE_V1,
    &ngx_stream_ssl_module_ctx,            /* module context */
    ngx_stream_ssl_commands,               /* module directives */
    NGX_STREAM_MODULE,                     /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};


/*
 * $ssl_* variables exposed by the stream SSL module.  Every entry is
 * NGX_STREAM_VAR_CHANGEABLE and carries an ngx_ssl_get_*() accessor
 * (cast to uintptr_t) in its data field.  $ssl_protocol and $ssl_cipher
 * go through ngx_stream_ssl_static_variable(), all others through
 * ngx_stream_ssl_variable(); the difference between the two handlers is
 * not visible in this listing.  The $ssl_client_* values describe the
 * peer certificate and are therefore only meaningful when
 * ssl_verify_client is enabled.
 */
static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {

    { ngx_string("ssl_protocol"), NULL, ngx_stream_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable,
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_session_reused"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_raw_certificate,
      NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_escaped_certificate,
      NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_i_dn"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_issuer_dn, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_serial"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_serial_number, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_fingerprint"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_fingerprint, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_verify"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_verify, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_start"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_start, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_end"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_end, NGX_STREAM_VAR_CHANGEABLE, 0 },

    { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

      ngx_stream_null_variable
};


/*
 * Session ID context for the stream module's SSL session cache; presumably
 * passed to the shared ngx_ssl session-cache setup from
 * ngx_stream_ssl_merge_conf() (outside this listing) so that sessions are
 * not resumed across unrelated contexts.
 */
static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM");


311 static ngx_int_t |
6693 | 312 ngx_stream_ssl_handler(ngx_stream_session_t *s) |
313 { | |
314 long rc; |
315 X509 *cert; |
316 ngx_int_t rv; |
6693 | 317 ngx_connection_t *c; |
318 ngx_stream_ssl_conf_t *sslcf; | |
319 | |
320 if (!s->ssl) { |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
321 return NGX_OK; |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
322 } |
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
323 |
6693 | 324 c = s->connection; |
325 | |
326 sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); | |
327 | |
6870
0a08a8babf53
Stream: fixed handling of non-ssl sessions.
Vladimir Homutov <vl@nginx.com>
parents:
6850
diff
changeset
|
328 if (c->ssl == NULL) { |
6693 | 329 c->log->action = "SSL handshaking"; |
330 | |
6871
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
331 rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
332 |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
333 if (rv != NGX_OK) { |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
334 return rv; |
1818acd8442f
Stream: client SSL certificates were not checked in some cases.
Vladimir Homutov <vl@nginx.com>
parents:
6870
diff
changeset
|
335 } |
6693 | 336 } |
337 | |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
338 if (sslcf->verify) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
339 rc = SSL_get_verify_result(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
340 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
341 if (rc != X509_V_OK |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
342 && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
343 { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
344 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
345 "client SSL certificate verify error: (%l:%s)", |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
346 rc, X509_verify_cert_error_string(rc)); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
347 |
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
348 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
349 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
350 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
351 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
352 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
353 if (sslcf->verify == 1) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
354 cert = SSL_get_peer_certificate(c->ssl->connection); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
355 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
356 if (cert == NULL) { |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
357 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
358 "client sent no required SSL certificate"); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
359 |
7193
9d14931cec8c
SSL: using default server context in session remove (closes #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7091
diff
changeset
|
360 ngx_ssl_remove_cached_session(c->ssl->session_ctx, |
6850
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
361 (SSL_get0_session(c->ssl->connection))); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
362 return NGX_ERROR; |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
363 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
364 |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
365 X509_free(cert); |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
366 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
367 } |
41cb1b64561d
Stream: client SSL certificates verification support.
Vladimir Homutov <vl@nginx.com>
parents:
6817
diff
changeset
|
368 |
6693 | 369 return NGX_OK; |
370 } | |
/*
 * Creates the SSL connection object for "c" and starts the server-side
 * handshake.
 *
 * Returns NGX_OK when the handshake finished synchronously, NGX_AGAIN when it
 * is still in progress (a handshake timer is armed and completion is
 * delivered through ngx_stream_ssl_handshake_handler()), NGX_ERROR otherwise.
 */
static ngx_int_t
ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)
{
    ngx_stream_session_t        *s;
    ngx_stream_ssl_conf_t       *sslcf;
    ngx_stream_core_srv_conf_t  *cscf;

    s = c->data;
    cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);

    /*
     * tcp_nodelay is applied before the handshake rather than after it,
     * presumably so the handshake flights themselves are not delayed.
     */

    if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
        return NGX_ERROR;
    }

    /* no NGX_SSL_* flags: plain server-side connection */

    if (ngx_ssl_create_connection(ssl, c, 0) != NGX_OK) {
        return NGX_ERROR;
    }

    switch (ngx_ssl_handshake(c)) {

    case NGX_ERROR:
        return NGX_ERROR;

    case NGX_AGAIN:
        /*
         * Handshake still in flight.  ssl_handshake_timeout bounds how long
         * a client may keep it stalled (the timer is cleared by the
         * completion handler), and the completion handler resumes the phase
         * engine or finalizes the session.
         */
        sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);

        ngx_add_timer(c->read, sslcf->handshake_timeout);
        c->ssl->handler = ngx_stream_ssl_handshake_handler;

        return NGX_AGAIN;

    default:
        /* NGX_OK: the handshake completed synchronously */
        return NGX_OK;
    }
}
/*
 * Completion callback for an asynchronous handshake started by
 * ngx_stream_ssl_init_connection().
 *
 * On success the handshake timer is cleared and the stream phases are run
 * again (the ssl phase then sees c->ssl set and proceeds to certificate
 * verification).  A handshake that did not complete finalizes the session.
 */
static void
ngx_stream_ssl_handshake_handler(ngx_connection_t *c)
{
    ngx_stream_session_t  *s = c->data;

    if (c->ssl->handshaked) {

        /* timer armed in ngx_stream_ssl_init_connection() */
        if (c->read->timer_set) {
            ngx_del_timer(c->read);
        }

        ngx_stream_core_run_phases(s);
        return;
    }

    ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
}
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

/*
 * TLS server_name (SNI) callback installed for stream servers; only
 * compiled when the OpenSSL build exposes the SNI extension.
 *
 * The requested name is not examined here: the callback accepts every
 * ClientHello unconditionally by returning SSL_TLSEXT_ERR_OK, and "ad" and
 * "arg" are unused.  Whether any per-name server selection happens
 * elsewhere for stream listeners cannot be told from this function alone.
 */
int
ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
{
    return SSL_TLSEXT_ERR_OK;
}

#endif
#ifdef SSL_R_CERT_CB_ERROR

/*
 * OpenSSL certificate callback used when ssl_certificate /
 * ssl_certificate_key contain variables: the paths are evaluated per
 * connection and the resulting certificate and key are loaded for this
 * connection through ngx_ssl_connection_certificate().
 *
 * "arg" is the ngx_stream_ssl_conf_t the callback was registered with (the
 * registration is outside this view).  Returns 1 on success; 0 tells
 * OpenSSL to fail the handshake.
 *
 * Security notes:
 *   - the callback refuses to run once c->ssl->handshaked is set, i.e. it
 *     does not reload certificates for a renegotiation;
 *   - certificate_key_values is walked in lockstep with certificate_values
 *     and is assumed to hold at least as many entries; presumably enforced
 *     at configuration time -- confirm in the merge handler;
 *   - the evaluated paths may depend on per-connection variables; which
 *     variables are safe to use in them is a configuration concern and is
 *     not validated here.
 */

int
ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg)
{
    ngx_str_t                    cert_path, key_path;
    ngx_connection_t            *c;
    ngx_stream_session_t        *s;
    ngx_stream_ssl_conf_t       *sslcf;
    ngx_stream_complex_value_t  *cv, *kv, *last;

    c = ngx_ssl_get_connection(ssl_conn);

    if (c->ssl->handshaked) {
        return 0;
    }

    s = c->data;
    sslcf = arg;

    cv = sslcf->certificate_values->elts;
    kv = sslcf->certificate_key_values->elts;
    last = cv + sslcf->certificate_values->nelts;

    for ( /* void */ ; cv < last; cv++, kv++) {

        if (ngx_stream_complex_value(s, cv, &cert_path) != NGX_OK) {
            return 0;
        }

        ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
                       "ssl cert: \"%s\"", cert_path.data);

        if (ngx_stream_complex_value(s, kv, &key_path) != NGX_OK) {
            return 0;
        }

        ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
                       "ssl key: \"%s\"", key_path.data);

        /* sslcf->passwords: key passphrases, presumably from ssl_password_file */

        if (ngx_ssl_connection_certificate(c, c->pool, &cert_path, &key_path,
                                           sslcf->passwords)
            != NGX_OK)
        {
            return 0;
        }
    }

    return 1;
}

#endif
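/*
 * Variable getter for the "static" SSL variables in ngx_stream_ssl_vars
 * (those registered with this function rather than ngx_stream_ssl_variable()).
 *
 * "data" is an ngx_ssl_variable_handler_pt.  No pool is passed to the
 * handler, so it is expected to return a NUL-terminated string that does not
 * need per-session allocation; the length is recovered by scanning for the
 * terminator.  Sessions without an SSL connection report "not found".
 *
 * Fix: the handler's return value used to be discarded and "str" was never
 * initialized, so a handler that failed without filling in str.data would
 * have left the scan below reading an indeterminate pointer.  A failing
 * handler (or one yielding no data) now reports "not found" instead.
 */
static ngx_int_t
ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    size_t     len;
    ngx_str_t  str;

    if (s->connection->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    str.len = 0;
    str.data = NULL;

    if (handler(s->connection, NULL, &str) != NGX_OK || str.data == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    v->data = str.data;

    /* no strlen(): keep the block free of extra includes, as the original */
    for (len = 0; v->data[len]; len++) { /* void */ }

    v->len = len;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}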
/*
 * Variable getter for the SSL variables whose value must be built per
 * session (certificate fields, session id, ...).
 *
 * "data" is an ngx_ssl_variable_handler_pt; it is given the connection pool
 * so it can allocate the value.  Returns NGX_ERROR if the handler fails.
 * Note that an empty result is reported as "not found" rather than as an
 * empty string, and so is any session without an SSL connection.
 */
static ngx_int_t
ngx_stream_ssl_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data)
{
    ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

    ngx_str_t          str;
    ngx_connection_t  *c;

    c = s->connection;

    if (c->ssl == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    if (handler(c, c->pool, &str) != NGX_OK) {
        return NGX_ERROR;
    }

    v->len = str.len;
    v->data = str.data;

    if (v->len == 0) {
        /* empty value: "not found", not "" */
        v->not_found = 1;
        return NGX_OK;
    }

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
/*
 * Preconfiguration hook: registers every entry of ngx_stream_ssl_vars with
 * the stream variables subsystem, copying over its getter and data.
 * Returns NGX_ERROR as soon as one registration fails.
 */
static ngx_int_t
ngx_stream_ssl_add_variables(ngx_conf_t *cf)
{
    ngx_stream_variable_t  *tmpl, *added;

    tmpl = ngx_stream_ssl_vars;

    /* the table is terminated by an entry with a zero-length name */

    while (tmpl->name.len != 0) {

        added = ngx_stream_add_variable(cf, &tmpl->name, tmpl->flags);
        if (added == NULL) {
            return NGX_ERROR;
        }

        added->get_handler = tmpl->get_handler;
        added->data = tmpl->data;

        tmpl++;
    }

    return NGX_OK;
}
/*
 * Allocates the per-server ssl configuration.  Everything not listed below
 * as zero-initialized is set to the NGX_CONF_UNSET* sentinel matching its
 * type so the merge handler can tell "not configured" from a real value.
 * Returns NULL on allocation failure.
 */
static void *
ngx_stream_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_stream_ssl_conf_t  *sscf;

    sscf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t));
    if (sscf == NULL) {
        return NULL;
    }

    /*
     * zeroed by ngx_pcalloc() and left that way here:
     *
     *     sscf->listen = 0;
     *     sscf->protocols = 0;
     *     sscf->certificate_values = NULL;
     *     sscf->dhparam = { 0, NULL };
     *     sscf->ecdh_curve = { 0, NULL };
     *     sscf->client_certificate = { 0, NULL };
     *     sscf->trusted_certificate = { 0, NULL };
     *     sscf->crl = { 0, NULL };
     *     sscf->ciphers = { 0, NULL };
     *     sscf->shm_zone = NULL;
     */

    /* timeouts */
    sscf->handshake_timeout = NGX_CONF_UNSET_MSEC;
    sscf->session_timeout = NGX_CONF_UNSET;

    /* pointer-valued settings */
    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;
    sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;

    /* flags and counters */
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
    sscf->verify = NGX_CONF_UNSET_UINT;
    sscf->verify_depth = NGX_CONF_UNSET_UINT;
    sscf->builtin_session_cache = NGX_CONF_UNSET;
    sscf->session_tickets = NGX_CONF_UNSET;

    return sscf;
}
624 | |
625 | |
/*
 * ngx_stream_ssl_merge_conf - fold a server-level ssl configuration into
 * its stream-level parent and, for servers with "listen ... ssl", build
 * the SSL_CTX.
 *
 * The first part only applies defaults to fields still holding an
 * NGX_CONF_UNSET* sentinel.  The second part runs only when conf->listen
 * is set: it validates the certificate/key pairing, creates the context,
 * installs callbacks, loads certificates, ciphers, client verification
 * material, DH/ECDH parameters, the session cache and ticket keys, and
 * finally applies ssl_conf_command entries.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging an NGX_LOG_EMERG
 * message (or after a lower-level ngx_ssl_* helper has reported failure).
 */
static char *
ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_stream_ssl_conf_t *prev = parent;
    ngx_stream_ssl_conf_t *conf = child;

    ngx_pool_cleanup_t  *cln;

    /* handshake timeout in milliseconds; session timeout in seconds */
    ngx_conf_merge_msec_value(conf->handshake_timeout,
                         prev->handshake_timeout, 60000);

    ngx_conf_merge_value(conf->session_timeout,
                         prev->session_timeout, 300);

    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

    /*
     * default protocol set: TLSv1, TLSv1.1 and TLSv1.2 (SSLv3 was dropped
     * from the default by changeset b2899e7d0ef8, ticket #653).  TLSv1 and
     * TLSv1.1 are still enabled here; deployments that want to exclude them
     * have to restrict the protocols setting explicitly.
     */
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

    /* client certificate verification is off (0) unless configured */
    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

    ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
    ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
                             NULL);

    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

    ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
                             "");
    ngx_conf_merge_str_value(conf->trusted_certificate,
                             prev->trusted_certificate, "");
    ngx_conf_merge_str_value(conf->crl, prev->crl, "");

    ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                             NGX_DEFAULT_ECDH_CURVE);

    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

    ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);


    conf->ssl.log = cf->log;

    /* no "listen ... ssl" in this server: merged values only, no SSL_CTX */
    if (!conf->listen) {
        return NGX_CONF_OK;
    }

    /*
     * an ssl listener needs at least one certificate and one key; the
     * messages point at the file:line of the listen directive
     */
    if (conf->certificates == NULL) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate\" is defined for "
                      "the \"listen ... ssl\" directive in %s:%ui",
                      conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    if (conf->certificate_keys == NULL) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined for "
                      "the \"listen ... ssl\" directive in %s:%ui",
                      conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    /*
     * certificates and keys are paired by position; a certificate without
     * a matching key is reported by name (the last configured one)
     */
    if (conf->certificate_keys->nelts < conf->certificates->nelts) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no \"ssl_certificate_key\" is defined "
                      "for certificate \"%V\" and "
                      "the \"listen ... ssl\" directive in %s:%ui",
                      ((ngx_str_t *) conf->certificates->elts)
                      + conf->certificates->nelts - 1,
                      conf->file, conf->line);
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /*
     * register the context for release with the pool before anything else
     * can fail; if even the cleanup slot cannot be allocated, release the
     * context by hand so it does not leak (changeset 8981dbb12254).  Every
     * later error return relies on this cleanup handler.
     */
    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        ngx_ssl_cleanup_ctx(&conf->ssl);
        return NGX_CONF_ERROR;
    }

    cln->handler = ngx_ssl_cleanup_ctx;
    cln->data = &conf->ssl;

#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
    SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                           ngx_stream_ssl_servername);
#endif

    /*
     * ngx_stream_ssl_compile_certificates() fills conf->certificate_values
     * only when some certificate or key path contains variables
     */
    if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    if (conf->certificate_values) {

#ifdef SSL_R_CERT_CB_ERROR

        /* install callback to lookup certificates */

        SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, conf);

#else
        /* the OpenSSL in use has no certificate callback: refuse to start */
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "variables in "
                      "\"ssl_certificate\" and \"ssl_certificate_key\" "
                      "directives are not supported on this platform");
        return NGX_CONF_ERROR;
#endif

    } else {

        /* configure certificates */

        if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
                                 conf->certificate_keys, conf->passwords)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }
    }

    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
                        conf->prefer_server_ciphers)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    if (conf->verify) {

        /*
         * every verification mode except 3 needs a CA file to check client
         * certificates against; 3 is presumably the optional_no_ca mode of
         * ssl_verify_client, which skips chain validation - confirm against
         * the directive's value table
         */
        if (conf->client_certificate.len == 0 && conf->verify != 3) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no ssl_client_certificate for ssl_verify_client");
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                       &conf->client_certificate,
                                       conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
                                        &conf->trusted_certificate,
                                        conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }

        /* an empty conf->crl is passed through; the helper decides */
        if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
            return NGX_CONF_ERROR;
        }
    }

    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    /* session cache: off by default; shm_zone inherits from the parent */
    ngx_conf_merge_value(conf->builtin_session_cache,
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

    if (conf->shm_zone == NULL) {
        conf->shm_zone = prev->shm_zone;
    }

    /* the certificate list takes part in the session id context */
    if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
                              conf->certificates, conf->builtin_session_cache,
                              conf->shm_zone, conf->session_timeout)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /* session tickets are on by default and disabled via SSL_OP_NO_TICKET */
    ngx_conf_merge_value(conf->session_tickets,
                         prev->session_tickets, 1);

#ifdef SSL_OP_NO_TICKET
    if (!conf->session_tickets) {
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
    }
#endif

    ngx_conf_merge_ptr_value(conf->session_ticket_keys,
                             prev->session_ticket_keys, NULL);

    if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
        != NGX_OK)
    {
        return NGX_CONF_ERROR;
    }

    /*
     * ssl_conf_command entries are applied last, after all of nginx's own
     * SSL_CTX setup above, so they can override any of it; this also means
     * they can silently undo settings made earlier in this function
     */
    if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}
838 | |
839 | |
840 static ngx_int_t |
841 ngx_stream_ssl_compile_certificates(ngx_conf_t *cf, |
842 ngx_stream_ssl_conf_t *conf) |
843 { |
844 ngx_str_t *cert, *key; |
845 ngx_uint_t i, nelts; |
846 ngx_stream_complex_value_t *cv; |
847 ngx_stream_compile_complex_value_t ccv; |
848 |
849 cert = conf->certificates->elts; |
850 key = conf->certificate_keys->elts; |
851 nelts = conf->certificates->nelts; |
852 |
853 for (i = 0; i < nelts; i++) { |
854 |
855 if (ngx_stream_script_variables_count(&cert[i])) { |
856 goto found; |
857 } |
858 |
859 if (ngx_stream_script_variables_count(&key[i])) { |
860 goto found; |
861 } |
862 } |
863 |
864 return NGX_OK; |
865 |
866 found: |
867 |
868 conf->certificate_values = ngx_array_create(cf->pool, nelts, |
869 sizeof(ngx_stream_complex_value_t)); |
870 if (conf->certificate_values == NULL) { |
871 return NGX_ERROR; |
872 } |
873 |
874 conf->certificate_key_values = ngx_array_create(cf->pool, nelts, |
875 sizeof(ngx_stream_complex_value_t)); |
876 if (conf->certificate_key_values == NULL) { |
877 return NGX_ERROR; |
878 } |
879 |
880 for (i = 0; i < nelts; i++) { |
881 |
882 cv = ngx_array_push(conf->certificate_values); |
883 if (cv == NULL) { |
884 return NGX_ERROR; |
885 } |
886 |
887 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t)); |
888 |
889 ccv.cf = cf; |
890 ccv.value = &cert[i]; |
891 ccv.complex_value = cv; |
892 ccv.zero = 1; |
893 |
894 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) { |
895 return NGX_ERROR; |
896 } |
897 |
898 cv = ngx_array_push(conf->certificate_key_values); |
899 if (cv == NULL) { |
900 return NGX_ERROR; |
901 } |
902 |
903 ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t)); |
904 |
905 ccv.cf = cf; |
906 ccv.value = &key[i]; |
907 ccv.complex_value = cv; |
908 ccv.zero = 1; |
909 |
910 if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) { |
911 return NGX_ERROR; |
912 } |
913 } |
914 |
915 conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords); |
916 if (conf->passwords == NULL) { |
917 return NGX_ERROR; |
918 } |
919 |
920 return NGX_OK; |
921 } |
922 |
923 |
/*
 * Handler for the "ssl_password_file" directive.
 *
 * Reads the passphrase list from the file named by the directive's single
 * argument (via ngx_ssl_read_password_file) and stores the result in
 * scf->passwords.  A second occurrence of the directive in the same block
 * is rejected as a duplicate; a NULL result from the helper is turned
 * into NGX_CONF_ERROR.
 */
static char *
ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_ssl_conf_t  *scf = conf;

    ngx_str_t  *args;

    /* the directive may only be given once per configuration block */
    if (scf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    args = cf->args->elts;

    /* args[0] is the directive name itself, args[1] the file path */
    scf->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    return (scf->passwords == NULL) ? NGX_CONF_ERROR : NGX_CONF_OK;
}
945 | |
946 | |
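/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Accepts one or more of the following arguments:
 *   off, none, builtin, builtin:N  - set scf->builtin_session_cache
 *                                    (N is a plain integer; presumably the
 *                                    size of OpenSSL's builtin cache)
 *   shared:NAME:SIZE               - register a shared memory zone NAME of
 *                                    SIZE bytes (minimum 8 pages), with
 *                                    ngx_ssl_session_cache_init as its
 *                                    init handler
 *
 * When a shared zone was configured and no builtin setting was given, the
 * builtin cache is explicitly disabled.  Any unrecognised argument is
 * reported as "invalid session cache" and aborts configuration parsing.
 *
 * Relies on the config parser NUL-terminating each argument (the
 * ngx_strcmp() calls below depend on that).
 *
 * Fix: "shared:NAME" without a ":SIZE" part is now rejected up front.  The
 * original computed size.len = value[i].len - j - 1 with j == value[i].len,
 * which wrapped size_t around and let ngx_parse_size() scan memory past
 * the end of the argument.
 */
static char *
ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_ssl_conf_t  *scf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            /* "builtin:N" - everything after the colon must be an integer */
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            scf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            /* the zone name runs from after "shared:" up to the next ':' */
            len = 0;

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /*
             * Reject an empty name, and a missing ":SIZE" part.  Without
             * the second check, j == value[i].len would make size.len
             * below wrap around and size.data point past the argument's
             * terminator, so ngx_parse_size() would read out of bounds.
             */
            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            /* the size is whatever follows the ':' that ended the name */
            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            /*
             * Enforce a floor of 8 pages; presumably the smallest zone the
             * session cache initialiser can work with - TODO confirm.
             */
            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                  &ngx_stream_ssl_module);
            if (scf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            scf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    /* a shared zone alone means "no builtin cache" unless told otherwise */
    if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
        scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}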
6693 | 1057 |
1058 | |
/*
 * Post-handler for the "ssl_conf_command" directive.
 *
 * The directive is only usable when the OpenSSL build exposes the
 * SSL_CONF API (detected via SSL_CONF_FLAG_FILE); otherwise the directive
 * is rejected with a descriptive error string.  The arguments are unused;
 * the check is purely a compile-time capability test.
 */
static char *
ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifdef SSL_CONF_FLAG_FILE
    return NGX_CONF_OK;
#else
    return "is not supported on this platform";
#endif
}
/*
 * Registers ngx_stream_ssl_handler in the NGX_STREAM_SSL_PHASE handler
 * array of the stream core main configuration.  Presumably invoked as the
 * module's postconfiguration hook.
 *
 * Returns NGX_OK, or NGX_ERROR if the handler array could not be grown.
 */
static ngx_int_t
ngx_stream_ssl_init(ngx_conf_t *cf)
{
    ngx_stream_core_main_conf_t  *cmcf;
    ngx_stream_handler_pt        *slot;

    cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);

    slot = ngx_array_push(&cmcf->phases[NGX_STREAM_SSL_PHASE].handlers);

    if (slot != NULL) {
        *slot = ngx_stream_ssl_handler;
        return NGX_OK;
    }

    return NGX_ERROR;
}