Mercurial > hg > nginx
annotate src/http/modules/ngx_http_ssl_module.c @ 4884:e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 03 Oct 2012 15:24:08 +0000 |
parents | 4a804fd04e6c |
children | 4b4f4cea6dfb |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
5 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
6 |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
7 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
10 #include <ngx_http.h> |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
573 | 12 |
671 | 13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
14 ngx_pool_t *pool, ngx_str_t *s); | |
611 | 15 |
16 | |
3960 | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
18 #define NGX_DEFAULT_ECDH_CURVE "prime256v1" | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
19 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
20 |
671 | 21 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, |
611 | 22 ngx_http_variable_value_t *v, uintptr_t data); |
671 | 23 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, |
647 | 24 ngx_http_variable_value_t *v, uintptr_t data); |
611 | 25 |
26 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
27 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
28 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, |
501 | 29 void *parent, void *child); |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
30 |
2224 | 31 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, |
32 void *conf); | |
973 | 33 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
34 void *conf); | |
35 | |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
36 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
37 |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
38 |
547 | 39 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { |
40 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | |
41 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | |
42 { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, | |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4273
diff
changeset
|
43 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4273
diff
changeset
|
44 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, |
547 | 45 { ngx_null_string, 0 } |
46 }; | |
47 | |
48 | |
2123 | 49 static ngx_conf_enum_t ngx_http_ssl_verify[] = { |
50 { ngx_string("off"), 0 }, | |
51 { ngx_string("on"), 1 }, | |
2994 | 52 { ngx_string("optional"), 2 }, |
4884
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
53 { ngx_string("optional_no_ca"), 3 }, |
2123 | 54 { ngx_null_string, 0 } |
55 }; | |
56 | |
57 | |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
58 static ngx_command_t ngx_http_ssl_commands[] = { |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
59 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
392
diff
changeset
|
60 { ngx_string("ssl"), |
599 | 61 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
2224 | 62 ngx_http_ssl_enable, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
63 NGX_HTTP_SRV_CONF_OFFSET, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
64 offsetof(ngx_http_ssl_srv_conf_t, enable), |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
65 NULL }, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
66 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
67 { ngx_string("ssl_certificate"), |
599 | 68 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
69 ngx_conf_set_str_slot, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
70 NGX_HTTP_SRV_CONF_OFFSET, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
71 offsetof(ngx_http_ssl_srv_conf_t, certificate), |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
72 NULL }, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
73 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
74 { ngx_string("ssl_certificate_key"), |
599 | 75 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
76 ngx_conf_set_str_slot, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
77 NGX_HTTP_SRV_CONF_OFFSET, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
78 offsetof(ngx_http_ssl_srv_conf_t, certificate_key), |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
79 NULL }, |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
80 |
2044 | 81 { ngx_string("ssl_dhparam"), |
82 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
83 ngx_conf_set_str_slot, | |
84 NGX_HTTP_SRV_CONF_OFFSET, | |
85 offsetof(ngx_http_ssl_srv_conf_t, dhparam), | |
86 NULL }, | |
87 | |
3960 | 88 { ngx_string("ssl_ecdh_curve"), |
89 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
90 ngx_conf_set_str_slot, | |
91 NGX_HTTP_SRV_CONF_OFFSET, | |
92 offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve), | |
93 NULL }, | |
94 | |
547 | 95 { ngx_string("ssl_protocols"), |
563 | 96 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, |
547 | 97 ngx_conf_set_bitmask_slot, |
98 NGX_HTTP_SRV_CONF_OFFSET, | |
99 offsetof(ngx_http_ssl_srv_conf_t, protocols), | |
100 &ngx_http_ssl_protocols }, | |
101 | |
479 | 102 { ngx_string("ssl_ciphers"), |
563 | 103 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
479 | 104 ngx_conf_set_str_slot, |
105 NGX_HTTP_SRV_CONF_OFFSET, | |
106 offsetof(ngx_http_ssl_srv_conf_t, ciphers), | |
107 NULL }, | |
108 | |
647 | 109 { ngx_string("ssl_verify_client"), |
4273
e444e8f6538b
Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse.
Sergey Budnevitch <sb@waeme.net>
parents:
4234
diff
changeset
|
110 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
2123 | 111 ngx_conf_set_enum_slot, |
647 | 112 NGX_HTTP_SRV_CONF_OFFSET, |
113 offsetof(ngx_http_ssl_srv_conf_t, verify), | |
2123 | 114 &ngx_http_ssl_verify }, |
647 | 115 |
116 { ngx_string("ssl_verify_depth"), | |
117 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, | |
118 ngx_conf_set_num_slot, | |
119 NGX_HTTP_SRV_CONF_OFFSET, | |
120 offsetof(ngx_http_ssl_srv_conf_t, verify_depth), | |
121 NULL }, | |
122 | |
123 { ngx_string("ssl_client_certificate"), | |
124 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
125 ngx_conf_set_str_slot, | |
126 NGX_HTTP_SRV_CONF_OFFSET, | |
127 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), | |
128 NULL }, | |
129 | |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
130 { ngx_string("ssl_trusted_certificate"), |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
131 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
132 ngx_conf_set_str_slot, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
133 NGX_HTTP_SRV_CONF_OFFSET, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
134 offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate), |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
135 NULL }, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
136 |
547 | 137 { ngx_string("ssl_prefer_server_ciphers"), |
138 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
139 ngx_conf_set_flag_slot, | |
140 NGX_HTTP_SRV_CONF_OFFSET, | |
141 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | |
142 NULL }, | |
143 | |
973 | 144 { ngx_string("ssl_session_cache"), |
145 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | |
146 ngx_http_ssl_session_cache, | |
147 NGX_HTTP_SRV_CONF_OFFSET, | |
148 0, | |
149 NULL }, | |
150 | |
573 | 151 { ngx_string("ssl_session_timeout"), |
152 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
153 ngx_conf_set_sec_slot, | |
154 NGX_HTTP_SRV_CONF_OFFSET, | |
155 offsetof(ngx_http_ssl_srv_conf_t, session_timeout), | |
156 NULL }, | |
157 | |
2995 | 158 { ngx_string("ssl_crl"), |
159 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
160 ngx_conf_set_str_slot, | |
161 NGX_HTTP_SRV_CONF_OFFSET, | |
162 offsetof(ngx_http_ssl_srv_conf_t, crl), | |
163 NULL }, | |
164 | |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
165 { ngx_string("ssl_stapling"), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
166 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
167 ngx_conf_set_flag_slot, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
168 NGX_HTTP_SRV_CONF_OFFSET, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
169 offsetof(ngx_http_ssl_srv_conf_t, stapling), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
170 NULL }, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
171 |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
172 { ngx_string("ssl_stapling_file"), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
173 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
174 ngx_conf_set_str_slot, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
175 NGX_HTTP_SRV_CONF_OFFSET, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
176 offsetof(ngx_http_ssl_srv_conf_t, stapling_file), |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
177 NULL }, |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
178 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
179 { ngx_string("ssl_stapling_responder"), |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
180 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
181 ngx_conf_set_str_slot, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
182 NGX_HTTP_SRV_CONF_OFFSET, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
183 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
184 NULL }, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
185 |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
186 { ngx_string("ssl_stapling_verify"), |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
187 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
188 ngx_conf_set_flag_slot, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
189 NGX_HTTP_SRV_CONF_OFFSET, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
190 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
191 NULL }, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
192 |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
193 ngx_null_command |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
194 }; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
195 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
196 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
197 static ngx_http_module_t ngx_http_ssl_module_ctx = { |
611 | 198 ngx_http_ssl_add_variables, /* preconfiguration */ |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
199 ngx_http_ssl_init, /* postconfiguration */ |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
200 |
541 | 201 NULL, /* create main configuration */ |
202 NULL, /* init main configuration */ | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
203 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
204 ngx_http_ssl_create_srv_conf, /* create server configuration */ |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
205 ngx_http_ssl_merge_srv_conf, /* merge server configuration */ |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
206 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
207 NULL, /* create location configuration */ |
485 | 208 NULL /* merge location configuration */ |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
209 }; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
210 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
211 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
212 ngx_module_t ngx_http_ssl_module = { |
509 | 213 NGX_MODULE_V1, |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
214 &ngx_http_ssl_module_ctx, /* module context */ |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
215 ngx_http_ssl_commands, /* module directives */ |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
216 NGX_HTTP_MODULE, /* module type */ |
541 | 217 NULL, /* init master */ |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
392
diff
changeset
|
218 NULL, /* init module */ |
541 | 219 NULL, /* init process */ |
220 NULL, /* init thread */ | |
221 NULL, /* exit thread */ | |
222 NULL, /* exit process */ | |
223 NULL, /* exit master */ | |
224 NGX_MODULE_V1_PADDING | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
225 }; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
226 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
227 |
611 | 228 static ngx_http_variable_t ngx_http_ssl_vars[] = { |
229 | |
671 | 230 { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable, |
1565 | 231 (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
611 | 232 |
671 | 233 { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable, |
1565 | 234 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
611 | 235 |
3154 | 236 { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable, |
237 (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
238 | |
2045 | 239 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, |
240 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
241 | |
2123 | 242 { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable, |
243 (uintptr_t) ngx_ssl_get_raw_certificate, | |
244 NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
245 | |
671 | 246 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable, |
1565 | 247 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
647 | 248 |
671 | 249 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable, |
1565 | 250 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
671 | 251 |
252 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable, | |
1565 | 253 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
647 | 254 |
2994 | 255 { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable, |
256 (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
257 | |
637 | 258 { ngx_null_string, NULL, NULL, 0, 0, 0 } |
611 | 259 }; |
260 | |
261 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
262 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP"); |
973 | 263 |
264 | |
265 static ngx_int_t | |
671 | 266 ngx_http_ssl_static_variable(ngx_http_request_t *r, |
611 | 267 ngx_http_variable_value_t *v, uintptr_t data) |
268 { | |
671 | 269 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
611 | 270 |
1310
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
271 size_t len; |
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
272 ngx_str_t s; |
611 | 273 |
274 if (r->connection->ssl) { | |
275 | |
1310
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
276 (void) handler(r->connection, NULL, &s); |
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
277 |
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
278 v->data = s.data; |
611 | 279 |
671 | 280 for (len = 0; v->data[len]; len++) { /* void */ } |
611 | 281 |
282 v->len = len; | |
283 v->valid = 1; | |
1565 | 284 v->no_cacheable = 0; |
611 | 285 v->not_found = 0; |
286 | |
287 return NGX_OK; | |
288 } | |
289 | |
290 v->not_found = 1; | |
291 | |
292 return NGX_OK; | |
293 } | |
294 | |
295 | |
296 static ngx_int_t | |
671 | 297 ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, |
647 | 298 uintptr_t data) |
299 { | |
671 | 300 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
647 | 301 |
1310
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
302 ngx_str_t s; |
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
303 |
647 | 304 if (r->connection->ssl) { |
1310
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
305 |
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
306 if (handler(r->connection, r->pool, &s) != NGX_OK) { |
647 | 307 return NGX_ERROR; |
308 } | |
309 | |
1310
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
310 v->len = s.len; |
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
311 v->data = s.data; |
33d6c994a0b2
Sun Studio on sparc uses different bit order
Igor Sysoev <igor@sysoev.ru>
parents:
1219
diff
changeset
|
312 |
647 | 313 if (v->len) { |
314 v->valid = 1; | |
1565 | 315 v->no_cacheable = 0; |
647 | 316 v->not_found = 0; |
317 | |
318 return NGX_OK; | |
319 } | |
320 } | |
321 | |
322 v->not_found = 1; | |
323 | |
324 return NGX_OK; | |
325 } | |
326 | |
327 | |
328 static ngx_int_t | |
611 | 329 ngx_http_ssl_add_variables(ngx_conf_t *cf) |
330 { | |
331 ngx_http_variable_t *var, *v; | |
332 | |
333 for (v = ngx_http_ssl_vars; v->name.len; v++) { | |
334 var = ngx_http_add_variable(cf, &v->name, v->flags); | |
335 if (var == NULL) { | |
336 return NGX_ERROR; | |
337 } | |
338 | |
637 | 339 var->get_handler = v->get_handler; |
611 | 340 var->data = v->data; |
341 } | |
342 | |
343 return NGX_OK; | |
344 } | |
345 | |
346 | |
501 | 347 static void * |
348 ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
349 { |
971 | 350 ngx_http_ssl_srv_conf_t *sscf; |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
351 |
971 | 352 sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t)); |
353 if (sscf == NULL) { | |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
354 return NULL; |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
355 } |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
356 |
479 | 357 /* |
358 * set by ngx_pcalloc(): | |
359 * | |
971 | 360 * sscf->protocols = 0; |
2044 | 361 * sscf->certificate = { 0, NULL }; |
362 * sscf->certificate_key = { 0, NULL }; | |
363 * sscf->dhparam = { 0, NULL }; | |
3960 | 364 * sscf->ecdh_curve = { 0, NULL }; |
2044 | 365 * sscf->client_certificate = { 0, NULL }; |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
366 * sscf->trusted_certificate = { 0, NULL }; |
2995 | 367 * sscf->crl = { 0, NULL }; |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3209
diff
changeset
|
368 * sscf->ciphers = { 0, NULL }; |
973 | 369 * sscf->shm_zone = NULL; |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
370 * sscf->stapling_file = { 0, NULL }; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
371 * sscf->stapling_responder = { 0, NULL }; |
479 | 372 */ |
373 | |
971 | 374 sscf->enable = NGX_CONF_UNSET; |
2123 | 375 sscf->prefer_server_ciphers = NGX_CONF_UNSET; |
2710 | 376 sscf->verify = NGX_CONF_UNSET_UINT; |
377 sscf->verify_depth = NGX_CONF_UNSET_UINT; | |
973 | 378 sscf->builtin_session_cache = NGX_CONF_UNSET; |
379 sscf->session_timeout = NGX_CONF_UNSET; | |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
380 sscf->stapling = NGX_CONF_UNSET; |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
381 sscf->stapling_verify = NGX_CONF_UNSET; |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
382 |
971 | 383 return sscf; |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
384 } |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
385 |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
386 |
501 | 387 static char * |
388 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
389 { |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
390 ngx_http_ssl_srv_conf_t *prev = parent; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
391 ngx_http_ssl_srv_conf_t *conf = child; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
392 |
563 | 393 ngx_pool_cleanup_t *cln; |
394 | |
4234
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
395 if (conf->enable == NGX_CONF_UNSET) { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
396 if (prev->enable == NGX_CONF_UNSET) { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
397 conf->enable = 0; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
398 |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
399 } else { |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
400 conf->enable = prev->enable; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
401 conf->file = prev->file; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
402 conf->line = prev->line; |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
403 } |
d5462eab1440
Fixed segfault on configuration testing with ssl (ticket #37).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
404 } |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
405 |
573 | 406 ngx_conf_merge_value(conf->session_timeout, |
407 prev->session_timeout, 300); | |
408 | |
547 | 409 ngx_conf_merge_value(conf->prefer_server_ciphers, |
410 prev->prefer_server_ciphers, 0); | |
411 | |
412 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4273
diff
changeset
|
413 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4273
diff
changeset
|
414 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | 415 |
2123 | 416 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
417 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); | |
647 | 418 |
2224 | 419 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
420 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
421 |
2044 | 422 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
423 | |
647 | 424 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
425 ""); | |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
426 ngx_conf_merge_str_value(conf->trusted_certificate, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
427 prev->trusted_certificate, ""); |
2995 | 428 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
647 | 429 |
3960 | 430 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
431 NGX_DEFAULT_ECDH_CURVE); | |
432 | |
2124 | 433 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
479 | 434 |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
435 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
436 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
437 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
438 ngx_conf_merge_str_value(conf->stapling_responder, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
439 prev->stapling_responder, ""); |
479 | 440 |
547 | 441 conf->ssl.log = cf->log; |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
442 |
2224 | 443 if (conf->enable) { |
444 | |
445 if (conf->certificate.len == 0) { | |
446 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
447 "no \"ssl_certificate\" is defined for " | |
448 "the \"ssl\" directive in %s:%ui", | |
449 conf->file, conf->line); | |
450 return NGX_CONF_ERROR; | |
451 } | |
452 | |
453 if (conf->certificate_key.len == 0) { | |
454 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
455 "no \"ssl_certificate_key\" is defined for " | |
456 "the \"ssl\" directive in %s:%ui", | |
457 conf->file, conf->line); | |
458 return NGX_CONF_ERROR; | |
459 } | |
460 | |
461 } else { | |
462 | |
463 if (conf->certificate.len == 0) { | |
464 return NGX_CONF_OK; | |
465 } | |
466 | |
467 if (conf->certificate_key.len == 0) { | |
468 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
469 "no \"ssl_certificate_key\" is defined " | |
470 "for certificate \"%V\"", &conf->certificate); | |
471 return NGX_CONF_ERROR; | |
472 } | |
473 } | |
474 | |
969 | 475 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
476 return NGX_CONF_ERROR; |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
477 } |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
478 |
1219 | 479 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
480 | |
481 if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | |
482 ngx_http_ssl_servername) | |
483 == 0) | |
484 { | |
3140
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
485 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
3209 | 486 "nginx was built with SNI support, however, now it is linked " |
3140
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
487 "dynamically to an OpenSSL library which has no tlsext support, " |
ba9a8ba4207e
*) issue warning instead of failure: this is too common case
Igor Sysoev <igor@sysoev.ru>
parents:
2996
diff
changeset
|
488 "therefore SNI is not available"); |
1219 | 489 } |
490 | |
491 #endif | |
492 | |
563 | 493 cln = ngx_pool_cleanup_add(cf->pool, 0); |
494 if (cln == NULL) { | |
509 | 495 return NGX_CONF_ERROR; |
496 } | |
497 | |
563 | 498 cln->handler = ngx_ssl_cleanup_ctx; |
499 cln->data = &conf->ssl; | |
500 | |
501 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
970 | 502 &conf->certificate_key) |
503 != NGX_OK) | |
529 | 504 { |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
505 return NGX_CONF_ERROR; |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
506 } |
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
507 |
547 | 508 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
563 | 509 (const char *) conf->ciphers.data) |
510 == 0) | |
529 | 511 { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
512 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
547 | 513 "SSL_CTX_set_cipher_list(\"%V\") failed", |
514 &conf->ciphers); | |
515 } | |
516 | |
647 | 517 if (conf->verify) { |
2123 | 518 |
4884
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
519 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
2123 | 520 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
521 "no ssl_client_certificate for ssl_client_verify"); | |
522 return NGX_CONF_ERROR; | |
523 } | |
524 | |
671 | 525 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
970 | 526 &conf->client_certificate, |
527 conf->verify_depth) | |
671 | 528 != NGX_OK) |
529 { | |
530 return NGX_CONF_ERROR; | |
647 | 531 } |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
532 } |
2995 | 533 |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
534 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
535 &conf->trusted_certificate, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
536 conf->verify_depth) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
537 != NGX_OK) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
538 { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
539 return NGX_CONF_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
540 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
541 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
542 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
543 return NGX_CONF_ERROR; |
647 | 544 } |
545 | |
547 | 546 if (conf->prefer_server_ciphers) { |
547 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
548 } | |
549 | |
550 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3938
diff
changeset
|
551 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
386
fa72605e7089
nginx-0.0.7-2004-07-12-01:03:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
385
diff
changeset
|
552 |
2044 | 553 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
554 return NGX_CONF_ERROR; | |
555 } | |
556 | |
3960 | 557 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
558 return NGX_CONF_ERROR; | |
559 } | |
560 | |
973 | 561 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 562 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
973 | 563 |
564 if (conf->shm_zone == NULL) { | |
565 conf->shm_zone = prev->shm_zone; | |
566 } | |
567 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
568 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
569 conf->builtin_session_cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
570 conf->shm_zone, conf->session_timeout) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
571 != NGX_OK) |
973 | 572 { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
573 return NGX_CONF_ERROR; |
973 | 574 } |
573 | 575 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
576 if (conf->stapling) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
577 |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
578 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
579 &conf->stapling_responder, conf->stapling_verify) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
580 != NGX_OK) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
581 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
582 return NGX_CONF_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
583 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
584 |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
585 } |
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
586 |
383
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
587 return NGX_CONF_OK; |
c05876036128
nginx-0.0.7-2004-07-08-19:17:47 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
588 } |
563 | 589 |
590 | |
973 | 591 static char * |
2224 | 592 ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
593 { | |
594 ngx_http_ssl_srv_conf_t *sscf = conf; | |
595 | |
596 char *rv; | |
597 | |
598 rv = ngx_conf_set_flag_slot(cf, cmd, conf); | |
599 | |
600 if (rv != NGX_CONF_OK) { | |
601 return rv; | |
602 } | |
603 | |
604 sscf->file = cf->conf_file->file.name.data; | |
605 sscf->line = cf->conf_file->line; | |
606 | |
607 return NGX_CONF_OK; | |
608 } | |
609 | |
610 | |
611 static char * | |
973 | 612 ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
613 { | |
614 ngx_http_ssl_srv_conf_t *sscf = conf; | |
615 | |
616 size_t len; | |
617 ngx_str_t *value, name, size; | |
618 ngx_int_t n; | |
619 ngx_uint_t i, j; | |
620 | |
621 value = cf->args->elts; | |
622 | |
623 for (i = 1; i < cf->args->nelts; i++) { | |
624 | |
1778 | 625 if (ngx_strcmp(value[i].data, "off") == 0) { |
626 sscf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
627 continue; | |
628 } | |
629 | |
2032 | 630 if (ngx_strcmp(value[i].data, "none") == 0) { |
631 sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
632 continue; | |
633 } | |
634 | |
973 | 635 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
636 sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; |
973 | 637 continue; |
638 } | |
639 | |
640 if (value[i].len > sizeof("builtin:") - 1 | |
641 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
642 == 0) | |
643 { | |
644 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
645 value[i].len - (sizeof("builtin:") - 1)); | |
646 | |
647 if (n == NGX_ERROR) { | |
648 goto invalid; | |
649 } | |
650 | |
651 sscf->builtin_session_cache = n; | |
652 | |
653 continue; | |
654 } | |
655 | |
656 if (value[i].len > sizeof("shared:") - 1 | |
657 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
658 == 0) | |
659 { | |
660 len = 0; | |
661 | |
662 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
663 if (value[i].data[j] == ':') { | |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
664 value[i].data[j] = '\0'; |
973 | 665 break; |
666 } | |
667 | |
668 len++; | |
669 } | |
670 | |
671 if (len == 0) { | |
672 goto invalid; | |
673 } | |
674 | |
675 name.len = len; | |
676 name.data = value[i].data + sizeof("shared:") - 1; | |
677 | |
678 size.len = value[i].len - j - 1; | |
679 size.data = name.data + len + 1; | |
680 | |
681 n = ngx_parse_size(&size); | |
682 | |
683 if (n == NGX_ERROR) { | |
684 goto invalid; | |
685 } | |
686 | |
687 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
688 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
689 "session cache \"%V\" is too small", |
973 | 690 &value[i]); |
691 | |
692 return NGX_CONF_ERROR; | |
693 } | |
694 | |
695 sscf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
696 &ngx_http_ssl_module); | |
697 if (sscf->shm_zone == NULL) { | |
698 return NGX_CONF_ERROR; | |
699 } | |
700 | |
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
701 sscf->shm_zone->init = ngx_ssl_session_cache_init; |
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
702 |
973 | 703 continue; |
704 } | |
705 | |
706 goto invalid; | |
707 } | |
708 | |
709 if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) { | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
973
diff
changeset
|
710 sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; |
973 | 711 } |
712 | |
713 return NGX_CONF_OK; | |
714 | |
715 invalid: | |
716 | |
717 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
718 "invalid session cache \"%V\"", &value[i]); | |
719 | |
720 return NGX_CONF_ERROR; | |
721 } | |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
722 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
723 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
724 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
725 ngx_http_ssl_init(ngx_conf_t *cf) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
726 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
727 ngx_uint_t s; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
728 ngx_http_ssl_srv_conf_t *sscf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
729 ngx_http_core_loc_conf_t *clcf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
730 ngx_http_core_srv_conf_t **cscfp; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
731 ngx_http_core_main_conf_t *cmcf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
732 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
733 cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
734 cscfp = cmcf->servers.elts; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
735 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
736 for (s = 0; s < cmcf->servers.nelts; s++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
737 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
738 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
739 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
740 if (!sscf->stapling) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
741 continue; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
742 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
743 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
744 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
745 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
746 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
747 clcf->resolver_timeout) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
748 != NGX_OK) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
749 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
750 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
751 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
752 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
753 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
754 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
755 } |