Mercurial > hg > nginx
changeset 4033:4e1a489c26cd
Better handling of various per-server ssl options with SNI.
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).
As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them different for two servers
listening on the same socket.
Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.
Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 23 Aug 2011 14:36:31 +0000 |
parents | 7968f1edbdde |
children | e2c075e774b6 |
files | src/http/ngx_http_request.c |
diffstat | 1 files changed, 18 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/ngx_http_request.c Tue Aug 23 14:22:34 2011 +0000 +++ b/src/http/ngx_http_request.c Tue Aug 23 14:36:31 2011 +0000 @@ -673,6 +673,24 @@ SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx); + /* + * SSL_set_SSL_CTX() only changes certs as of 1.0.0d + * adjust other things we care about + */ + + SSL_set_verify(ssl_conn, SSL_CTX_get_verify_mode(sscf->ssl.ctx), + SSL_CTX_get_verify_callback(sscf->ssl.ctx)); + + SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx)); + +#ifdef SSL_CTRL_CLEAR_OPTIONS + /* only in 0.9.8m+ */ + SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) & + ~SSL_CTX_get_options(sscf->ssl.ctx)); +#endif + + SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx)); + return SSL_TLSEXT_ERR_OK; }