Groonga 3.0.9 Source Code Document
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
ngx_http_ssl_module.c
Go to the documentation of this file.
1 
2 /*
3  * Copyright (C) Igor Sysoev
4  * Copyright (C) Nginx, Inc.
5  */
6 
7 
8 #include <ngx_config.h>
9 #include <ngx_core.h>
10 #include <ngx_http.h>
11 
12 
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
14  ngx_pool_t *pool, ngx_str_t *s);
15 
16 
17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
18 #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
19 
20 
21 #ifdef TLSEXT_TYPE_next_proto_neg
22 static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
23  const unsigned char **out, unsigned int *outlen, void *arg);
24 #endif
25 
26 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
27  ngx_http_variable_value_t *v, uintptr_t data);
28 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
29  ngx_http_variable_value_t *v, uintptr_t data);
30 
31 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
32 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
33 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
34  void *parent, void *child);
35 
36 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
37  void *conf);
38 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
39  void *conf);
40 
41 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
42 
43 
44 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
45  { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
46  { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
47  { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
48  { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
49  { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
50  { ngx_null_string, 0 }
51 };
52 
53 
54 static ngx_conf_enum_t ngx_http_ssl_verify[] = {
55  { ngx_string("off"), 0 },
56  { ngx_string("on"), 1 },
57  { ngx_string("optional"), 2 },
58  { ngx_string("optional_no_ca"), 3 },
59  { ngx_null_string, 0 }
60 };
61 
62 
63 static ngx_command_t ngx_http_ssl_commands[] = {
64 
65  { ngx_string("ssl"),
66  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
67  ngx_http_ssl_enable,
68  NGX_HTTP_SRV_CONF_OFFSET,
69  offsetof(ngx_http_ssl_srv_conf_t, enable),
70  NULL },
71 
72  { ngx_string("ssl_certificate"),
73  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
74  ngx_conf_set_str_slot,
75  NGX_HTTP_SRV_CONF_OFFSET,
76  offsetof(ngx_http_ssl_srv_conf_t, certificate),
77  NULL },
78 
79  { ngx_string("ssl_certificate_key"),
80  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
81  ngx_conf_set_str_slot,
82  NGX_HTTP_SRV_CONF_OFFSET,
83  offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
84  NULL },
85 
86  { ngx_string("ssl_dhparam"),
87  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
88  ngx_conf_set_str_slot,
89  NGX_HTTP_SRV_CONF_OFFSET,
90  offsetof(ngx_http_ssl_srv_conf_t, dhparam),
91  NULL },
92 
93  { ngx_string("ssl_ecdh_curve"),
94  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
95  ngx_conf_set_str_slot,
96  NGX_HTTP_SRV_CONF_OFFSET,
97  offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
98  NULL },
99 
100  { ngx_string("ssl_protocols"),
101  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
102  ngx_conf_set_bitmask_slot,
103  NGX_HTTP_SRV_CONF_OFFSET,
104  offsetof(ngx_http_ssl_srv_conf_t, protocols),
105  &ngx_http_ssl_protocols },
106 
107  { ngx_string("ssl_ciphers"),
108  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
109  ngx_conf_set_str_slot,
110  NGX_HTTP_SRV_CONF_OFFSET,
111  offsetof(ngx_http_ssl_srv_conf_t, ciphers),
112  NULL },
113 
114  { ngx_string("ssl_verify_client"),
115  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
116  ngx_conf_set_enum_slot,
117  NGX_HTTP_SRV_CONF_OFFSET,
118  offsetof(ngx_http_ssl_srv_conf_t, verify),
119  &ngx_http_ssl_verify },
120 
121  { ngx_string("ssl_verify_depth"),
122  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
123  ngx_conf_set_num_slot,
124  NGX_HTTP_SRV_CONF_OFFSET,
125  offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
126  NULL },
127 
128  { ngx_string("ssl_client_certificate"),
129  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
130  ngx_conf_set_str_slot,
131  NGX_HTTP_SRV_CONF_OFFSET,
132  offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
133  NULL },
134 
135  { ngx_string("ssl_trusted_certificate"),
136  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
137  ngx_conf_set_str_slot,
138  NGX_HTTP_SRV_CONF_OFFSET,
139  offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
140  NULL },
141 
142  { ngx_string("ssl_prefer_server_ciphers"),
143  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
144  ngx_conf_set_flag_slot,
145  NGX_HTTP_SRV_CONF_OFFSET,
146  offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
147  NULL },
148 
149  { ngx_string("ssl_session_cache"),
150  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
151  ngx_http_ssl_session_cache,
152  NGX_HTTP_SRV_CONF_OFFSET,
153  0,
154  NULL },
155 
156  { ngx_string("ssl_session_timeout"),
157  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
158  ngx_conf_set_sec_slot,
159  NGX_HTTP_SRV_CONF_OFFSET,
160  offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
161  NULL },
162 
163  { ngx_string("ssl_crl"),
164  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
165  ngx_conf_set_str_slot,
166  NGX_HTTP_SRV_CONF_OFFSET,
167  offsetof(ngx_http_ssl_srv_conf_t, crl),
168  NULL },
169 
170  { ngx_string("ssl_stapling"),
171  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
172  ngx_conf_set_flag_slot,
173  NGX_HTTP_SRV_CONF_OFFSET,
174  offsetof(ngx_http_ssl_srv_conf_t, stapling),
175  NULL },
176 
177  { ngx_string("ssl_stapling_file"),
178  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
179  ngx_conf_set_str_slot,
180  NGX_HTTP_SRV_CONF_OFFSET,
181  offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
182  NULL },
183 
184  { ngx_string("ssl_stapling_responder"),
185  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
186  ngx_conf_set_str_slot,
187  NGX_HTTP_SRV_CONF_OFFSET,
188  offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
189  NULL },
190 
191  { ngx_string("ssl_stapling_verify"),
192  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
193  ngx_conf_set_flag_slot,
194  NGX_HTTP_SRV_CONF_OFFSET,
195  offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
196  NULL },
197 
198  ngx_null_command
199 };
200 
201 
202 static ngx_http_module_t ngx_http_ssl_module_ctx = {
203  ngx_http_ssl_add_variables, /* preconfiguration */
204  ngx_http_ssl_init, /* postconfiguration */
205 
206  NULL, /* create main configuration */
207  NULL, /* init main configuration */
208 
209  ngx_http_ssl_create_srv_conf, /* create server configuration */
210  ngx_http_ssl_merge_srv_conf, /* merge server configuration */
211 
212  NULL, /* create location configuration */
213  NULL /* merge location configuration */
214 };
215 
216 
217 ngx_module_t ngx_http_ssl_module = {
218  NGX_MODULE_V1,
219  &ngx_http_ssl_module_ctx, /* module context */
220  ngx_http_ssl_commands, /* module directives */
221  NGX_HTTP_MODULE, /* module type */
222  NULL, /* init master */
223  NULL, /* init module */
224  NULL, /* init process */
225  NULL, /* init thread */
226  NULL, /* exit thread */
227  NULL, /* exit process */
228  NULL, /* exit master */
229  NGX_MODULE_V1_PADDING
230 };
231 
232 
233 static ngx_http_variable_t ngx_http_ssl_vars[] = {
234 
235  { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
236  (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
237 
238  { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
239  (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
240 
241  { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
242  (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
243 
244  { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
245  (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
246 
247  { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
248  (uintptr_t) ngx_ssl_get_raw_certificate,
249  NGX_HTTP_VAR_CHANGEABLE, 0 },
250 
251  { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
252  (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
253 
254  { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
255  (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
256 
257  { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
258  (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
259 
260  { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
261  (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
262 
263  { ngx_null_string, NULL, NULL, 0, 0, 0 }
264 };
265 
266 
267 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
268 
269 
270 #ifdef TLSEXT_TYPE_next_proto_neg
271 
272 #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
273 
274 static int
275 ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
276  const unsigned char **out, unsigned int *outlen, void *arg)
277 {
278 #if (NGX_HTTP_SPDY || NGX_DEBUG)
279  ngx_connection_t *c;
280 
281  c = ngx_ssl_get_connection(ssl_conn);
282  ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
283 #endif
284 
285 #if (NGX_HTTP_SPDY)
286  {
287  ngx_http_connection_t *hc;
288 
289  hc = c->data;
290 
291  if (hc->addr_conf->spdy) {
292  *out = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
293  *outlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
294 
295  return SSL_TLSEXT_ERR_OK;
296  }
297  }
298 #endif
299 
300  *out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
301  *outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
302 
303  return SSL_TLSEXT_ERR_OK;
304 }
305 
306 #endif
307 
308 
309 static ngx_int_t
310 ngx_http_ssl_static_variable(ngx_http_request_t *r,
311  ngx_http_variable_value_t *v, uintptr_t data)
312 {
313  ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
314 
315  size_t len;
316  ngx_str_t s;
317 
318  if (r->connection->ssl) {
319 
320  (void) handler(r->connection, NULL, &s);
321 
322  v->data = s.data;
323 
324  for (len = 0; v->data[len]; len++) { /* void */ }
325 
326  v->len = len;
327  v->valid = 1;
328  v->no_cacheable = 0;
329  v->not_found = 0;
330 
331  return NGX_OK;
332  }
333 
334  v->not_found = 1;
335 
336  return NGX_OK;
337 }
338 
339 
340 static ngx_int_t
341 ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
342  uintptr_t data)
343 {
344  ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
345 
346  ngx_str_t s;
347 
348  if (r->connection->ssl) {
349 
350  if (handler(r->connection, r->pool, &s) != NGX_OK) {
351  return NGX_ERROR;
352  }
353 
354  v->len = s.len;
355  v->data = s.data;
356 
357  if (v->len) {
358  v->valid = 1;
359  v->no_cacheable = 0;
360  v->not_found = 0;
361 
362  return NGX_OK;
363  }
364  }
365 
366  v->not_found = 1;
367 
368  return NGX_OK;
369 }
370 
371 
372 static ngx_int_t
373 ngx_http_ssl_add_variables(ngx_conf_t *cf)
374 {
375  ngx_http_variable_t *var, *v;
376 
377  for (v = ngx_http_ssl_vars; v->name.len; v++) {
378  var = ngx_http_add_variable(cf, &v->name, v->flags);
379  if (var == NULL) {
380  return NGX_ERROR;
381  }
382 
383  var->get_handler = v->get_handler;
384  var->data = v->data;
385  }
386 
387  return NGX_OK;
388 }
389 
390 
391 static void *
392 ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
393 {
394  ngx_http_ssl_srv_conf_t *sscf;
395 
396  sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
397  if (sscf == NULL) {
398  return NULL;
399  }
400 
401  /*
402  * set by ngx_pcalloc():
403  *
404  * sscf->protocols = 0;
405  * sscf->certificate = { 0, NULL };
406  * sscf->certificate_key = { 0, NULL };
407  * sscf->dhparam = { 0, NULL };
408  * sscf->ecdh_curve = { 0, NULL };
409  * sscf->client_certificate = { 0, NULL };
410  * sscf->trusted_certificate = { 0, NULL };
411  * sscf->crl = { 0, NULL };
412  * sscf->ciphers = { 0, NULL };
413  * sscf->shm_zone = NULL;
414  * sscf->stapling_file = { 0, NULL };
415  * sscf->stapling_responder = { 0, NULL };
416  */
417 
418  sscf->enable = NGX_CONF_UNSET;
419  sscf->prefer_server_ciphers = NGX_CONF_UNSET;
420  sscf->verify = NGX_CONF_UNSET_UINT;
421  sscf->verify_depth = NGX_CONF_UNSET_UINT;
422  sscf->builtin_session_cache = NGX_CONF_UNSET;
423  sscf->session_timeout = NGX_CONF_UNSET;
424  sscf->stapling = NGX_CONF_UNSET;
425  sscf->stapling_verify = NGX_CONF_UNSET;
426 
427  return sscf;
428 }
429 
430 
431 static char *
432 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
433 {
434  ngx_http_ssl_srv_conf_t *prev = parent;
435  ngx_http_ssl_srv_conf_t *conf = child;
436 
437  ngx_pool_cleanup_t *cln;
438 
439  if (conf->enable == NGX_CONF_UNSET) {
440  if (prev->enable == NGX_CONF_UNSET) {
441  conf->enable = 0;
442 
443  } else {
444  conf->enable = prev->enable;
445  conf->file = prev->file;
446  conf->line = prev->line;
447  }
448  }
449 
450  ngx_conf_merge_value(conf->session_timeout,
451  prev->session_timeout, 300);
452 
453  ngx_conf_merge_value(conf->prefer_server_ciphers,
454  prev->prefer_server_ciphers, 0);
455 
456  ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
457  (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
458  |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
459 
460  ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
461  ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
462 
463  ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
464  ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
465 
466  ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
467 
468  ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
469  "");
470  ngx_conf_merge_str_value(conf->trusted_certificate,
471  prev->trusted_certificate, "");
472  ngx_conf_merge_str_value(conf->crl, prev->crl, "");
473 
474  ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
475  NGX_DEFAULT_ECDH_CURVE);
476 
477  ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
478 
479  ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
480  ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
481  ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
482  ngx_conf_merge_str_value(conf->stapling_responder,
483  prev->stapling_responder, "");
484 
485  conf->ssl.log = cf->log;
486 
487  if (conf->enable) {
488 
489  if (conf->certificate.len == 0) {
490  ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
491  "no \"ssl_certificate\" is defined for "
492  "the \"ssl\" directive in %s:%ui",
493  conf->file, conf->line);
494  return NGX_CONF_ERROR;
495  }
496 
497  if (conf->certificate_key.len == 0) {
498  ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
499  "no \"ssl_certificate_key\" is defined for "
500  "the \"ssl\" directive in %s:%ui",
501  conf->file, conf->line);
502  return NGX_CONF_ERROR;
503  }
504 
505  } else {
506 
507  if (conf->certificate.len == 0) {
508  return NGX_CONF_OK;
509  }
510 
511  if (conf->certificate_key.len == 0) {
512  ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
513  "no \"ssl_certificate_key\" is defined "
514  "for certificate \"%V\"", &conf->certificate);
515  return NGX_CONF_ERROR;
516  }
517  }
518 
519  if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
520  return NGX_CONF_ERROR;
521  }
522 
523 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
524 
525  if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
526  ngx_http_ssl_servername)
527  == 0)
528  {
529  ngx_log_error(NGX_LOG_WARN, cf->log, 0,
530  "nginx was built with SNI support, however, now it is linked "
531  "dynamically to an OpenSSL library which has no tlsext support, "
532  "therefore SNI is not available");
533  }
534 
535 #endif
536 
537 #ifdef TLSEXT_TYPE_next_proto_neg
538  SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
539  ngx_http_ssl_npn_advertised, NULL);
540 #endif
541 
542  cln = ngx_pool_cleanup_add(cf->pool, 0);
543  if (cln == NULL) {
544  return NGX_CONF_ERROR;
545  }
546 
547  cln->handler = ngx_ssl_cleanup_ctx;
548  cln->data = &conf->ssl;
549 
550  if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
551  &conf->certificate_key)
552  != NGX_OK)
553  {
554  return NGX_CONF_ERROR;
555  }
556 
557  if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
558  (const char *) conf->ciphers.data)
559  == 0)
560  {
561  ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
562  "SSL_CTX_set_cipher_list(\"%V\") failed",
563  &conf->ciphers);
564  }
565 
566  if (conf->verify) {
567 
568  if (conf->client_certificate.len == 0 && conf->verify != 3) {
569  ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
570  "no ssl_client_certificate for ssl_client_verify");
571  return NGX_CONF_ERROR;
572  }
573 
574  if (ngx_ssl_client_certificate(cf, &conf->ssl,
575  &conf->client_certificate,
576  conf->verify_depth)
577  != NGX_OK)
578  {
579  return NGX_CONF_ERROR;
580  }
581  }
582 
583  if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
584  &conf->trusted_certificate,
585  conf->verify_depth)
586  != NGX_OK)
587  {
588  return NGX_CONF_ERROR;
589  }
590 
591  if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
592  return NGX_CONF_ERROR;
593  }
594 
595  if (conf->prefer_server_ciphers) {
596  SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
597  }
598 
599  /* a temporary 512-bit RSA key is required for export versions of MSIE */
600  SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
601 
602  if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
603  return NGX_CONF_ERROR;
604  }
605 
606  if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
607  return NGX_CONF_ERROR;
608  }
609 
610  ngx_conf_merge_value(conf->builtin_session_cache,
611  prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
612 
613  if (conf->shm_zone == NULL) {
614  conf->shm_zone = prev->shm_zone;
615  }
616 
617  if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
618  conf->builtin_session_cache,
619  conf->shm_zone, conf->session_timeout)
620  != NGX_OK)
621  {
622  return NGX_CONF_ERROR;
623  }
624 
625  if (conf->stapling) {
626 
627  if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
628  &conf->stapling_responder, conf->stapling_verify)
629  != NGX_OK)
630  {
631  return NGX_CONF_ERROR;
632  }
633 
634  }
635 
636  return NGX_CONF_OK;
637 }
638 
639 
640 static char *
641 ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
642 {
643  ngx_http_ssl_srv_conf_t *sscf = conf;
644 
645  char *rv;
646 
647  rv = ngx_conf_set_flag_slot(cf, cmd, conf);
648 
649  if (rv != NGX_CONF_OK) {
650  return rv;
651  }
652 
653  sscf->file = cf->conf_file->file.name.data;
654  sscf->line = cf->conf_file->line;
655 
656  return NGX_CONF_OK;
657 }
658 
659 
660 static char *
661 ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
662 {
663  ngx_http_ssl_srv_conf_t *sscf = conf;
664 
665  size_t len;
666  ngx_str_t *value, name, size;
667  ngx_int_t n;
668  ngx_uint_t i, j;
669 
670  value = cf->args->elts;
671 
672  for (i = 1; i < cf->args->nelts; i++) {
673 
674  if (ngx_strcmp(value[i].data, "off") == 0) {
675  sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
676  continue;
677  }
678 
679  if (ngx_strcmp(value[i].data, "none") == 0) {
680  sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
681  continue;
682  }
683 
684  if (ngx_strcmp(value[i].data, "builtin") == 0) {
685  sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
686  continue;
687  }
688 
689  if (value[i].len > sizeof("builtin:") - 1
690  && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
691  == 0)
692  {
693  n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
694  value[i].len - (sizeof("builtin:") - 1));
695 
696  if (n == NGX_ERROR) {
697  goto invalid;
698  }
699 
700  sscf->builtin_session_cache = n;
701 
702  continue;
703  }
704 
705  if (value[i].len > sizeof("shared:") - 1
706  && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
707  == 0)
708  {
709  len = 0;
710 
711  for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
712  if (value[i].data[j] == ':') {
713  break;
714  }
715 
716  len++;
717  }
718 
719  if (len == 0) {
720  goto invalid;
721  }
722 
723  name.len = len;
724  name.data = value[i].data + sizeof("shared:") - 1;
725 
726  size.len = value[i].len - j - 1;
727  size.data = name.data + len + 1;
728 
729  n = ngx_parse_size(&size);
730 
731  if (n == NGX_ERROR) {
732  goto invalid;
733  }
734 
735  if (n < (ngx_int_t) (8 * ngx_pagesize)) {
736  ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
737  "session cache \"%V\" is too small",
738  &value[i]);
739 
740  return NGX_CONF_ERROR;
741  }
742 
743  sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
744  &ngx_http_ssl_module);
745  if (sscf->shm_zone == NULL) {
746  return NGX_CONF_ERROR;
747  }
748 
749  sscf->shm_zone->init = ngx_ssl_session_cache_init;
750 
751  continue;
752  }
753 
754  goto invalid;
755  }
756 
757  if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
758  sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
759  }
760 
761  return NGX_CONF_OK;
762 
763 invalid:
764 
765  ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
766  "invalid session cache \"%V\"", &value[i]);
767 
768  return NGX_CONF_ERROR;
769 }
770 
771 
772 static ngx_int_t
773 ngx_http_ssl_init(ngx_conf_t *cf)
774 {
775  ngx_uint_t s;
776  ngx_http_ssl_srv_conf_t *sscf;
777  ngx_http_core_loc_conf_t *clcf;
778  ngx_http_core_srv_conf_t **cscfp;
779  ngx_http_core_main_conf_t *cmcf;
780 
781  cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
782  cscfp = cmcf->servers.elts;
783 
784  for (s = 0; s < cmcf->servers.nelts; s++) {
785 
786  sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
787 
788  if (sscf->ssl.ctx == NULL || !sscf->stapling) {
789  continue;
790  }
791 
792  clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
793 
794  if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
795  clcf->resolver_timeout)
796  != NGX_OK)
797  {
798  return NGX_ERROR;
799  }
800  }
801 
802  return NGX_OK;
803 }
Generated on Sun Nov 10 2013 09:49:08 for Groonga 3.0.9 Source Code Document by   doxygen 1.8.1.2