comparison src/mail/ngx_mail_ssl_module.c @ 6550:51e1f047d15d
SSL: support for multiple certificates (ticket #814).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | c256dfdd469d |
children | 2014ed60f17f |
6549:d3302eb87a0c | 6550:51e1f047d15d |
---|---|
71 offsetof(ngx_mail_ssl_conf_t, starttls), | 71 offsetof(ngx_mail_ssl_conf_t, starttls), |
72 ngx_mail_starttls_state }, | 72 ngx_mail_starttls_state }, |
73 | 73 |
74 { ngx_string("ssl_certificate"), | 74 { ngx_string("ssl_certificate"), |
75 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | 75 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
76 ngx_conf_set_str_slot, | 76 ngx_conf_set_str_array_slot, |
77 NGX_MAIL_SRV_CONF_OFFSET, | 77 NGX_MAIL_SRV_CONF_OFFSET, |
78 offsetof(ngx_mail_ssl_conf_t, certificate), | 78 offsetof(ngx_mail_ssl_conf_t, certificates), |
79 NULL }, | 79 NULL }, |
80 | 80 |
81 { ngx_string("ssl_certificate_key"), | 81 { ngx_string("ssl_certificate_key"), |
82 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | 82 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
83 ngx_conf_set_str_slot, | 83 ngx_conf_set_str_array_slot, |
84 NGX_MAIL_SRV_CONF_OFFSET, | 84 NGX_MAIL_SRV_CONF_OFFSET, |
85 offsetof(ngx_mail_ssl_conf_t, certificate_key), | 85 offsetof(ngx_mail_ssl_conf_t, certificate_keys), |
86 NULL }, | 86 NULL }, |
87 | 87 |
88 { ngx_string("ssl_password_file"), | 88 { ngx_string("ssl_password_file"), |
89 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | 89 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, |
90 ngx_mail_ssl_password_file, | 90 ngx_mail_ssl_password_file, |
236 | 236 |
237 /* | 237 /* |
238 * set by ngx_pcalloc(): | 238 * set by ngx_pcalloc(): |
239 * | 239 * |
240 * scf->protocols = 0; | 240 * scf->protocols = 0; |
241 * scf->certificate = { 0, NULL }; | |
242 * scf->certificate_key = { 0, NULL }; | |
243 * scf->dhparam = { 0, NULL }; | 241 * scf->dhparam = { 0, NULL }; |
244 * scf->ecdh_curve = { 0, NULL }; | 242 * scf->ecdh_curve = { 0, NULL }; |
245 * scf->client_certificate = { 0, NULL }; | 243 * scf->client_certificate = { 0, NULL }; |
246 * scf->trusted_certificate = { 0, NULL }; | 244 * scf->trusted_certificate = { 0, NULL }; |
247 * scf->crl = { 0, NULL }; | 245 * scf->crl = { 0, NULL }; |
249 * scf->shm_zone = NULL; | 247 * scf->shm_zone = NULL; |
250 */ | 248 */ |
251 | 249 |
252 scf->enable = NGX_CONF_UNSET; | 250 scf->enable = NGX_CONF_UNSET; |
253 scf->starttls = NGX_CONF_UNSET_UINT; | 251 scf->starttls = NGX_CONF_UNSET_UINT; |
252 scf->certificates = NGX_CONF_UNSET_PTR; | |
253 scf->certificate_keys = NGX_CONF_UNSET_PTR; | |
254 scf->passwords = NGX_CONF_UNSET_PTR; | 254 scf->passwords = NGX_CONF_UNSET_PTR; |
255 scf->prefer_server_ciphers = NGX_CONF_UNSET; | 255 scf->prefer_server_ciphers = NGX_CONF_UNSET; |
256 scf->verify = NGX_CONF_UNSET_UINT; | 256 scf->verify = NGX_CONF_UNSET_UINT; |
257 scf->verify_depth = NGX_CONF_UNSET_UINT; | 257 scf->verify_depth = NGX_CONF_UNSET_UINT; |
258 scf->builtin_session_cache = NGX_CONF_UNSET; | 258 scf->builtin_session_cache = NGX_CONF_UNSET; |
288 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); | 288 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
289 | 289 |
290 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); | 290 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
291 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); | 291 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
292 | 292 |
293 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); | 293 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
294 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | 294 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
295 NULL); | |
295 | 296 |
296 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); | 297 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
297 | 298 |
298 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 299 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
299 | 300 |
326 conf->line = prev->line; | 327 conf->line = prev->line; |
327 } | 328 } |
328 | 329 |
329 if (*mode) { | 330 if (*mode) { |
330 | 331 |
331 if (conf->certificate.len == 0) { | 332 if (conf->certificates == NULL) { |
332 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 333 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
333 "no \"ssl_certificate\" is defined for " | 334 "no \"ssl_certificate\" is defined for " |
334 "the \"%s\" directive in %s:%ui", | 335 "the \"%s\" directive in %s:%ui", |
335 mode, conf->file, conf->line); | 336 mode, conf->file, conf->line); |
336 return NGX_CONF_ERROR; | 337 return NGX_CONF_ERROR; |
337 } | 338 } |
338 | 339 |
339 if (conf->certificate_key.len == 0) { | 340 if (conf->certificate_keys == NULL) { |
340 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 341 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
341 "no \"ssl_certificate_key\" is defined for " | 342 "no \"ssl_certificate_key\" is defined for " |
342 "the \"%s\" directive in %s:%ui", | 343 "the \"%s\" directive in %s:%ui", |
343 mode, conf->file, conf->line); | 344 mode, conf->file, conf->line); |
344 return NGX_CONF_ERROR; | 345 return NGX_CONF_ERROR; |
345 } | 346 } |
346 | 347 |
348 if (conf->certificate_keys->nelts < conf->certificates->nelts) { | |
349 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
350 "no \"ssl_certificate_key\" is defined " | |
351 "for certificate \"%V\" and " | |
352 "the \"ssl\" directive in %s:%ui", | |
353 ((ngx_str_t *) conf->certificates->elts) | |
354 + conf->certificates->nelts - 1, | |
355 conf->file, conf->line); | |
356 return NGX_CONF_ERROR; | |
357 } | |
358 | |
347 } else { | 359 } else { |
348 | 360 |
349 if (conf->certificate.len == 0) { | 361 if (conf->certificates == NULL) { |
350 return NGX_CONF_OK; | 362 return NGX_CONF_OK; |
351 } | 363 } |
352 | 364 |
353 if (conf->certificate_key.len == 0) { | 365 if (conf->certificate_keys == NULL |
366 || conf->certificate_keys->nelts < conf->certificates->nelts) | |
367 { | |
354 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 368 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
355 "no \"ssl_certificate_key\" is defined " | 369 "no \"ssl_certificate_key\" is defined " |
356 "for certificate \"%V\"", | 370 "for certificate \"%V\"", |
357 &conf->certificate); | 371 ((ngx_str_t *) conf->certificates->elts) |
372 + conf->certificates->nelts - 1); | |
358 return NGX_CONF_ERROR; | 373 return NGX_CONF_ERROR; |
359 } | 374 } |
360 } | 375 } |
361 | 376 |
362 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { | 377 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
369 } | 384 } |
370 | 385 |
371 cln->handler = ngx_ssl_cleanup_ctx; | 386 cln->handler = ngx_ssl_cleanup_ctx; |
372 cln->data = &conf->ssl; | 387 cln->data = &conf->ssl; |
373 | 388 |
374 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | 389 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
375 &conf->certificate_key, conf->passwords) | 390 conf->certificate_keys, conf->passwords) |
376 != NGX_OK) | 391 != NGX_OK) |
377 { | 392 { |
378 return NGX_CONF_ERROR; | 393 return NGX_CONF_ERROR; |
379 } | 394 } |
380 | 395 |
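Review bot: The new count-mismatch error inside the `if (*mode)` branch hard-codes `the \"ssl\" directive`, while the two messages directly above it print the directive name through `mode` with `%s`; if `mode` can name any other directive, this EMERG message points the operator at the wrong one. Suggest `"the \"%s\" directive in %s:%ui",` for the format line and `mode, conf->file, conf->line);` for the final argument line, matching the sibling messages. Separately, both branches only reject `certificate_keys->nelts < certificates->nelts`, so a surplus `ssl_certificate_key` passes validation. How `ngx_ssl_certificates()` treats the extra entry is not visible here, so either reject a count mismatch in both directions or add a comment stating that certificates and keys are paired by position and extra keys are ignored. The enclosing merge function starts and ends outside the shown context.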