mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 17:52:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSL: detect "listen ... ssl" without certificates (ticket #178).

Browse Source 
In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.
This commit is contained in:
Maxim Dounin 2018-04-24 15:29:01 +03:00
parent 5d3a854ebd
commit 76be1ea9de
11 changed files with 123 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/http/modules/ngx_http_ssl_module.c
View File

@ -966,10 +966,12 @@ invalid:
static ngx_int_t static ngx_int_t
ngx_http_ssl_init(ngx_conf_t *cf) ngx_http_ssl_init(ngx_conf_t *cf)
{ {
ngx_uint_t s; ngx_uint_t a, p, s;
ngx_http_conf_addr_t *addr;
ngx_http_conf_port_t *port;
ngx_http_ssl_srv_conf_t *sscf; ngx_http_ssl_srv_conf_t *sscf;
ngx_http_core_loc_conf_t *clcf; ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t **cscfp; ngx_http_core_srv_conf_t **cscfp, *cscf;
ngx_http_core_main_conf_t *cmcf; ngx_http_core_main_conf_t *cmcf;
cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
@ -993,5 +995,32 @@ ngx_http_ssl_init(ngx_conf_t *cf)
} }
} }
if (cmcf->ports == NULL) {
return NGX_OK;
}
port = cmcf->ports->elts;
for (p = 0; p < cmcf->ports->nelts; p++) {
addr = port[p].addrs.elts;
for (a = 0; a < port[p].addrs.nelts; a++) {
if (!addr[a].opt.ssl) {
continue;
}
cscf = addr[a].default_server;
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
if (sscf->certificates == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"listen ... ssl\" directive in %s:%ui",
cscf->file_name, cscf->line);
return NGX_ERROR;
}
}
}
return NGX_OK; return NGX_OK;
} }

3
src/http/ngx_http_core_module.c
View File

@ -3256,6 +3256,9 @@ ngx_http_core_create_srv_conf(ngx_conf_t *cf)
cscf->merge_slashes = NGX_CONF_UNSET; cscf->merge_slashes = NGX_CONF_UNSET;
cscf->underscores_in_headers = NGX_CONF_UNSET; cscf->underscores_in_headers = NGX_CONF_UNSET;
cscf->file_name = cf->conf_file->file.name.data;
cscf->line = cf->conf_file->line;
return cscf; return cscf;
} }

3
src/http/ngx_http_core_module.h
View File

@ -184,6 +184,9 @@ typedef struct {
/* server ctx */ /* server ctx */
ngx_http_conf_ctx_t *ctx; ngx_http_conf_ctx_t *ctx;
u_char *file_name;
ngx_uint_t line;
ngx_str_t server_name; ngx_str_t server_name;
size_t connection_pool_size; size_t connection_pool_size;

13
src/http/ngx_http_request.c
View File

@ -336,19 +336,8 @@ ngx_http_init_connection(ngx_connection_t *c)
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
if (sscf->enable || hc->addr_conf->ssl) { if (sscf->enable || hc->addr_conf->ssl) {
c->log->action = "SSL handshaking";
if (hc->addr_conf->ssl && sscf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"no \"ssl_certificate\" is defined "
"in server listening on SSL port");
ngx_http_close_connection(c);
return;
}
hc->ssl = 1; hc->ssl = 1;
c->log->action = "SSL handshaking";
rev->handler = ngx_http_ssl_handshake; rev->handler = ngx_http_ssl_handshake;
} }
} }

9
src/mail/ngx_mail_core_module.c
View File

@ -474,7 +474,16 @@ ngx_mail_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
if (ngx_strcmp(value[i].data, "ssl") == 0) { if (ngx_strcmp(value[i].data, "ssl") == 0) {
#if (NGX_MAIL_SSL) #if (NGX_MAIL_SSL)
ngx_mail_ssl_conf_t *sslcf;
sslcf = ngx_mail_conf_get_module_srv_conf(cf, ngx_mail_ssl_module);
sslcf->listen = 1;
sslcf->file = cf->conf_file->file.name.data;
sslcf->line = cf->conf_file->line;
ls->ssl = 1; ls->ssl = 1;
continue; continue;
#else #else
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,

18
src/mail/ngx_mail_handler.c
View File

@ -165,29 +165,13 @@ ngx_mail_init_connection(ngx_connection_t *c)
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module); sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
if (sslcf->enable) { if (sslcf->enable || addr_conf->ssl) {
c->log->action = "SSL handshaking"; c->log->action = "SSL handshaking";
ngx_mail_ssl_init_connection(&sslcf->ssl, c); ngx_mail_ssl_init_connection(&sslcf->ssl, c);
return; return;
} }
if (addr_conf->ssl) {
c->log->action = "SSL handshaking";
if (sslcf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"no \"ssl_certificate\" is defined "
"in server listening on SSL port");
ngx_mail_close_connection(c);
return;
}
ngx_mail_ssl_init_connection(&sslcf->ssl, c);
return;
}
} }
#endif #endif

86
src/mail/ngx_mail_ssl_module.c
View File

@ -238,6 +238,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
/* /*
* set by ngx_pcalloc(): * set by ngx_pcalloc():
* *
* scf->listen = 0;
* scf->protocols = 0; * scf->protocols = 0;
* scf->dhparam = { 0, NULL }; * scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL }; * scf->ecdh_curve = { 0, NULL };
@ -313,14 +314,17 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
conf->ssl.log = cf->log; conf->ssl.log = cf->log;
if (conf->enable) { if (conf->listen) {
mode = "listen ... ssl";
} else if (conf->enable) {
mode = "ssl"; mode = "ssl";
} else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
mode = "starttls"; mode = "starttls";
} else { } else {
mode = ""; return NGX_CONF_OK;
} }
if (conf->file == NULL) { if (conf->file == NULL) {
@ -328,51 +332,31 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
conf->line = prev->line; conf->line = prev->line;
} }
if (*mode) { if (conf->certificates == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"%s\" directive in %s:%ui",
mode, conf->file, conf->line);
return NGX_CONF_ERROR;
}
if (conf->certificates == NULL) { if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for " "no \"ssl_certificate_key\" is defined for "
"the \"%s\" directive in %s:%ui", "the \"%s\" directive in %s:%ui",
mode, conf->file, conf->line); mode, conf->file, conf->line);
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (conf->certificate_keys == NULL) { if (conf->certificate_keys->nelts < conf->certificates->nelts) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for " "no \"ssl_certificate_key\" is defined "
"the \"%s\" directive in %s:%ui", "for certificate \"%V\" and "
mode, conf->file, conf->line); "the \"%s\" directive in %s:%ui",
return NGX_CONF_ERROR; ((ngx_str_t *) conf->certificates->elts)
} + conf->certificates->nelts - 1,
mode, conf->file, conf->line);
if (conf->certificate_keys->nelts < conf->certificates->nelts) { return NGX_CONF_ERROR;
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\" and "
"the \"%s\" directive in %s:%ui",
((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1,
mode, conf->file, conf->line);
return NGX_CONF_ERROR;
}
} else {
if (conf->certificates == NULL) {
return NGX_CONF_OK;
}
if (conf->certificate_keys == NULL
|| conf->certificate_keys->nelts < conf->certificates->nelts)
{
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\"",
((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1);
return NGX_CONF_ERROR;
}
} }
if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
@ -494,8 +478,10 @@ ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
scf->file = cf->conf_file->file.name.data; if (!scf->listen) {
scf->line = cf->conf_file->line; scf->file = cf->conf_file->file.name.data;
scf->line = cf->conf_file->line;
}
return NGX_CONF_OK; return NGX_CONF_OK;
} }
@ -520,8 +506,10 @@ ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
scf->file = cf->conf_file->file.name.data; if (!scf->listen) {
scf->line = cf->conf_file->line; scf->file = cf->conf_file->file.name.data;
scf->line = cf->conf_file->line;
}
return NGX_CONF_OK; return NGX_CONF_OK;
} }

1
src/mail/ngx_mail_ssl_module.h
View File

@ -26,6 +26,7 @@ typedef struct {
ngx_ssl_t ssl; ngx_ssl_t ssl;
ngx_uint_t starttls; ngx_uint_t starttls;
ngx_uint_t listen;
ngx_uint_t protocols; ngx_uint_t protocols;
ngx_uint_t verify; ngx_uint_t verify;

10
src/stream/ngx_stream_core_module.c
View File

@ -734,7 +734,17 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
if (ngx_strcmp(value[i].data, "ssl") == 0) { if (ngx_strcmp(value[i].data, "ssl") == 0) {
#if (NGX_STREAM_SSL) #if (NGX_STREAM_SSL)
ngx_stream_ssl_conf_t *sslcf;
sslcf = ngx_stream_conf_get_module_srv_conf(cf,
ngx_stream_ssl_module);
sslcf->listen = 1;
sslcf->file = cf->conf_file->file.name.data;
sslcf->line = cf->conf_file->line;
ls->ssl = 1; ls->ssl = 1;
continue; continue;
#else #else
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,

36
src/stream/ngx_stream_ssl_module.c
View File

@ -304,13 +304,6 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
if (c->ssl == NULL) { if (c->ssl == NULL) {
c->log->action = "SSL handshaking"; c->log->action = "SSL handshaking";
if (sslcf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"no \"ssl_certificate\" is defined "
"in server listening on SSL port");
return NGX_ERROR;
}
rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c);
if (rv != NGX_OK) { if (rv != NGX_OK) {
@ -510,6 +503,7 @@ ngx_stream_ssl_create_conf(ngx_conf_t *cf)
/* /*
* set by ngx_pcalloc(): * set by ngx_pcalloc():
* *
* scf->listen = 0;
* scf->protocols = 0; * scf->protocols = 0;
* scf->dhparam = { 0, NULL }; * scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL }; * scf->ecdh_curve = { 0, NULL };
@ -582,18 +576,34 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
conf->ssl.log = cf->log; conf->ssl.log = cf->log;
if (conf->certificates == NULL) { if (!conf->listen) {
return NGX_CONF_OK; return NGX_CONF_OK;
} }
if (conf->certificate_keys == NULL if (conf->certificates == NULL) {
|| conf->certificate_keys->nelts < conf->certificates->nelts) ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
{ "no \"ssl_certificate\" is defined for "
"the \"listen ... ssl\" directive in %s:%ui",
conf->file, conf->line);
return NGX_CONF_ERROR;
}
if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for "
"the \"listen ... ssl\" directive in %s:%ui",
conf->file, conf->line);
return NGX_CONF_ERROR;
}
if (conf->certificate_keys->nelts < conf->certificates->nelts) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined " "no \"ssl_certificate_key\" is defined "
"for certificate \"%V\"", "for certificate \"%V\" and "
"the \"listen ... ssl\" directive in %s:%ui",
((ngx_str_t *) conf->certificates->elts) ((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1); + conf->certificates->nelts - 1,
conf->file, conf->line);
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }

4
src/stream/ngx_stream_ssl_module.h
View File

@ -21,6 +21,7 @@ typedef struct {
ngx_ssl_t ssl; ngx_ssl_t ssl;
ngx_uint_t listen;
ngx_uint_t protocols; ngx_uint_t protocols;
ngx_uint_t verify; ngx_uint_t verify;
@ -47,6 +48,9 @@ typedef struct {
ngx_flag_t session_tickets; ngx_flag_t session_tickets;
ngx_array_t *session_ticket_keys; ngx_array_t *session_ticket_keys;
u_char *file;
ngx_uint_t line;
} ngx_stream_ssl_conf_t; } ngx_stream_ssl_conf_t;