diff options
Diffstat (limited to 'src/http/modules/ngx_http_ssl_module.c')
| -rw-r--r-- | src/http/modules/ngx_http_ssl_module.c | 126 |
1 files changed, 55 insertions, 71 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 130f2b305..bb9a55f49 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -8,9 +8,9 @@ #include <ngx_core.h> #include <ngx_http.h> - #define NGX_DEFLAUT_CERTIFICATE "cert.pem" #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" +#define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); @@ -18,6 +18,14 @@ static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child); +static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { + { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, + { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, + { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, + { ngx_null_string, 0 } +}; + + static ngx_command_t ngx_http_ssl_commands[] = { { ngx_string("ssl"), @@ -41,13 +49,27 @@ static ngx_command_t ngx_http_ssl_commands[] = { offsetof(ngx_http_ssl_srv_conf_t, certificate_key), NULL }, + { ngx_string("ssl_protocols"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_bitmask_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, protocols), + &ngx_http_ssl_protocols }, + { ngx_string("ssl_ciphers"), - NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, ngx_conf_set_str_slot, NGX_HTTP_SRV_CONF_OFFSET, offsetof(ngx_http_ssl_srv_conf_t, ciphers), NULL }, + { ngx_string("ssl_prefer_server_ciphers"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), + NULL }, + ngx_null_command }; @@ -99,6 +121,8 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) /* * set by ngx_pcalloc(): * + * scf->protocols = 0; + * scf->certificate.len = 0; * scf->certificate.data = NULL; * scf->certificate_key.len = 0; @@ -108,6 +132,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) */ scf->enable = NGX_CONF_UNSET; + scf->prefer_server_ciphers = NGX_CONF_UNSET; return scf; } @@ -125,101 +150,60 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_OK; } + ngx_conf_merge_value(conf->prefer_server_ciphers, + prev->prefer_server_ciphers, 0); + + ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, + (NGX_CONF_BITMASK_SET + |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); + ngx_conf_merge_str_value(conf->certificate, prev->certificate, - NGX_DEFLAUT_CERTIFICATE); + NGX_DEFLAUT_CERTIFICATE); ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, - NGX_DEFLAUT_CERTIFICATE_KEY); - - ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, ""); + NGX_DEFLAUT_CERTIFICATE_KEY); + ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); - /* TODO: configure methods */ - conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); + conf->ssl.log = cf->log; - if (conf->ssl_ctx == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed"); + if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) { return NGX_CONF_ERROR; } - if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx) - == NULL) + if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL) { return NGX_CONF_ERROR; } - - if (conf->ciphers.len) { - if (SSL_CTX_set_cipher_list(conf->ssl_ctx, - (const char *) conf->ciphers.data) == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, - "SSL_CTX_set_cipher_list(\"%V\") failed", - &conf->ciphers); - } - } - - if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx, - (char *) conf->certificate.data) == 0) + if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data, + conf->certificate_key.data) != NGX_OK) { - ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, - "SSL_CTX_use_certificate_chain_file(\"%s\") failed", - conf->certificate.data); return NGX_CONF_ERROR; } - if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx, - (char *) conf->certificate_key.data, - SSL_FILETYPE_PEM) == 0) + if (SSL_CTX_set_cipher_list(conf->ssl.ctx, + (const char *) conf->ciphers.data) == 0) { ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, - "SSL_CTX_use_PrivateKey_file(\"%s\") failed", - conf->certificate_key.data); - return NGX_CONF_ERROR; + "SSL_CTX_set_cipher_list(\"%V\") failed", + &conf->ciphers); } - SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL); - - SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + if (conf->prefer_server_ciphers) { + SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + } - SSL_CTX_set_read_ahead(conf->ssl_ctx, 1); + /* a temporary 512-bit RSA key is required for export versions of MSIE */ + if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { + return NGX_CONF_ERROR; + } - SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER); + SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER); - SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_http_session_id_ctx, + SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx, sizeof(ngx_http_session_id_ctx) - 1); return NGX_CONF_OK; } - - -#if 0 - -/* how to enumrate server' configs */ - -static ngx_int_t -ngx_http_ssl_init_process(ngx_cycle_t *cycle) -{ - ngx_uint_t i; - ngx_http_ssl_srv_conf_t *sscf; - ngx_http_core_srv_conf_t **cscfp; - ngx_http_core_main_conf_t *cmcf; - - cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module); - - cscfp = cmcf->servers.elts; - - for (i = 0; i < cmcf->servers.nelts; i++) { - sscf = cscfp[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; - - if (sscf->enable) { - cscfp[i]->recv = ngx_ssl_recv; - cscfp[i]->send_chain = ngx_ssl_send_chain; - } - } - - return NGX_OK; -} - -#endif |