merge r3155, r3156, r3160, r969, r3191, r3197, r3358:
SSL fixes: *) $ssl_session_id *) allow "make clean" for OpenSSL, the bug was introduced in r2874 *) disable SSLv2 and use only strong ciphers by default *) decrease SSL handshake error level to info
parent
987f1e5fcc
commit
7a03f30dd2
@ -25,10 +25,10 @@ if [ $OPENSSL != NONE ]; then
|
|||||||
have=NGX_OPENSSL . auto/have
|
have=NGX_OPENSSL . auto/have
|
||||||
have=NGX_SSL . auto/have
|
have=NGX_SSL . auto/have
|
||||||
|
|
||||||
CORE_INCS="$CORE_INCS $OPENSSL/openssl/include"
|
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
|
||||||
CORE_DEPS="$CORE_DEPS $OPENSSL/openssl/include/openssl/ssl.h"
|
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
|
||||||
CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libssl.a"
|
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
|
||||||
CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libcrypto.a"
|
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
|
||||||
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
|
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
@ -46,13 +46,13 @@ END
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
case $OPENSSL in
|
case $OPENSSL in
|
||||||
/*) ngx_prefix="$OPENSSL/openssl" ;;
|
/*) ngx_prefix="$OPENSSL/.openssl" ;;
|
||||||
*) ngx_prefix="$PWD/$OPENSSL/openssl" ;;
|
*) ngx_prefix="$PWD/$OPENSSL/.openssl" ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
cat << END >> $NGX_MAKEFILE
|
cat << END >> $NGX_MAKEFILE
|
||||||
|
|
||||||
$OPENSSL/openssl/include/openssl/ssl.h: $NGX_MAKEFILE
|
$OPENSSL/.openssl/include/openssl/ssl.h: $NGX_MAKEFILE
|
||||||
cd $OPENSSL \\
|
cd $OPENSSL \\
|
||||||
&& \$(MAKE) clean \\
|
&& \$(MAKE) clean \\
|
||||||
&& ./config --prefix=$ngx_prefix no-shared $OPENSSL_OPT \\
|
&& ./config --prefix=$ngx_prefix no-shared $OPENSSL_OPT \\
|
||||||
|
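Review bot: The generated rule now runs `\$(MAKE) clean` unconditionally before `./config`, so on a freshly unpacked OpenSSL tree with no top-level Makefile the `&&` chain stops at the clean step and the build fails instead of configuring; whether every OpenSSL tree this script supports ships a Makefile before configuration is not visible here. Guarding the step, `&& if [ -f Makefile ]; then \$(MAKE) clean; fi \\`, keeps the clean for rebuilds while tolerating a pristine tree. The rest of the recipe (the build and install steps) continues past the hunk.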
@ -1313,6 +1313,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|
|||||||
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */
|
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */
|
||||||
|| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
|
|| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
|
||||||
|| n == SSL_R_UNEXPECTED_RECORD /* 245 */
|
|| n == SSL_R_UNEXPECTED_RECORD /* 245 */
|
||||||
|
|| n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
|
||||||
|| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
|
|| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
|
||||||
|| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
|
|| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
|
||||||
|| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
|
|| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
|
||||||
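Review bot: `SSL_R_UNKNOWN_PROTOCOL` joins a list whose entries are annotated only with their numeric reason codes, so nothing states the criterion for membership; a short comment above the first entry, such as `/* client-induced handshake failures: logged at info, not error */`, would explain why a peer speaking a non-TLS protocol belongs here and guide future additions. Lowering these to info also means such handshake failures are no longer visible at the error level, so deployments that watch for them need the info level enabled on this log. The enclosing condition and ngx_ssl_connection_error begin and end outside the hunk.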
@ -1628,7 +1629,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||||||
hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
|
hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
|
||||||
|
|
||||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||||
"http ssl new session: %08XD:%d:%d",
|
"ssl new session: %08XD:%d:%d",
|
||||||
hash, sess->session_id_length, len);
|
hash, sess->session_id_length, len);
|
||||||
|
|
||||||
sess_id->node.key = hash;
|
sess_id->node.key = hash;
|
||||||
@ -1691,7 +1692,7 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len,
|
|||||||
*copy = 0;
|
*copy = 0;
|
||||||
|
|
||||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||||
"http ssl get session: %08XD:%d", hash, len);
|
"ssl get session: %08XD:%d", hash, len);
|
||||||
|
|
||||||
shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
|
shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
|
||||||
ngx_ssl_session_cache_index);
|
ngx_ssl_session_cache_index);
|
||||||
@ -1805,7 +1806,7 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
|||||||
hash = ngx_crc32_short(id, len);
|
hash = ngx_crc32_short(id, len);
|
||||||
|
|
||||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
|
||||||
"http ssl remove session: %08XD:%uz", hash, len);
|
"ssl remove session: %08XD:%uz", hash, len);
|
||||||
|
|
||||||
shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
|
shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
|
||||||
|
|
||||||
@ -1968,6 +1969,40 @@ ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||||
|
{
|
||||||
|
int len;
|
||||||
|
u_char *p, *buf;
|
||||||
|
SSL_SESSION *sess;
|
||||||
|
|
||||||
|
sess = SSL_get0_session(c->ssl->connection);
|
||||||
|
|
||||||
|
len = i2d_SSL_SESSION(sess, NULL);
|
||||||
|
|
||||||
|
buf = ngx_alloc(len, c->log);
|
||||||
|
if (buf == NULL) {
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
s->len = 2 * len;
|
||||||
|
s->data = ngx_pnalloc(pool, 2 * len);
|
||||||
|
if (s->data == NULL) {
|
||||||
|
ngx_free(buf);
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
p = buf;
|
||||||
|
i2d_SSL_SESSION(sess, &p);
|
||||||
|
|
||||||
|
ngx_hex_dump(s->data, buf, len);
|
||||||
|
|
||||||
|
ngx_free(buf);
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||||
{
|
{
|
||||||
|
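Review bot: ngx_ssl_get_session_id hex-encodes the output of `i2d_SSL_SESSION`, which is the DER serialization of the whole SSL_SESSION (session id, master key, cipher and the rest), not the session id alone; since the result feeds a user-visible variable (the `$ssl_session_id` entry registered in the http module hunk below), the session's key material can end up in access logs or wherever the variable is used. The function also assumes `SSL_get0_session` returned a session and that the length is positive: with no session negotiated, `i2d_SSL_SESSION` may return 0 or a negative value, which then drives `ngx_alloc(len)` and `2 * len`. The id itself is available directly as `sess->session_id` and `sess->session_id_length`, the same fields the ngx_ssl_new_session hunk above reads, which also removes the temporary buffer and the second i2d call.
```c
ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    int           len;
    u_char       *buf;
    SSL_SESSION  *sess;

    sess = SSL_get0_session(c->ssl->connection);

    /* no session negotiated: the variable is empty, not an error */
    if (sess == NULL) {
        s->len = 0;
        return NGX_OK;
    }

    /* expose only the session id, never the serialized session */
    buf = sess->session_id;
    len = sess->session_id_length;

    s->len = 2 * len;
    s->data = ngx_pnalloc(pool, 2 * len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_hex_dump(s->data, buf, len);

    return NGX_OK;
}
```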
@ -119,6 +119,8 @@ ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
|
|||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
|
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
@ -13,7 +13,7 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
|||||||
ngx_pool_t *pool, ngx_str_t *s);
|
ngx_pool_t *pool, ngx_str_t *s);
|
||||||
|
|
||||||
|
|
||||||
#define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
|
#define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
|
||||||
|
|
||||||
|
|
||||||
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
||||||
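Review bot: The new default `HIGH:!ADH:!MD5` excludes only anonymous DH suites; the OpenSSL `ADH` selector does not cover anonymous ECDH (`AECDH`) suites, so a build with ECC support would still offer unauthenticated cipher suites by default. `!aNULL` is the selector for every suite without authentication, so `#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"` is the safer form. The same define is duplicated in the mail module hunk further down and needs the identical change; keeping the two copies in sync by hand is fragile, though sharing one definition is outside this commit's scope.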
@ -184,6 +184,9 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
|
|||||||
{ ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
|
{ ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
|
||||||
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
|
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
|
||||||
|
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
{ ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
|
{ ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
|
||||||
(uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
(uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
@ -344,8 +347,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
prev->prefer_server_ciphers, 0);
|
prev->prefer_server_ciphers, 0);
|
||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
|
||||||
|NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
|
|
||||||
|
|
||||||
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
||||||
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
|
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
|
||||||
|
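Review bot: Dropping NGX_SSL_SSLv2 changes only the merged default, so a configuration that names SSLv2 in `ssl_protocols` will still enable it; if the intent is to retire SSLv2 entirely, the directive's accepted mask (outside this hunk) would need the same treatment, which is presumably a separate decision. A comment on the merge, `/* SSLv2 is deliberately left out of the default protocol set */`, would stop someone re-adding it for symmetry with the protocol bitmask. The ngx_mail_ssl_merge_conf hunk below makes the identical change; both functions begin and end outside their hunks.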
@ -9,7 +9,7 @@
|
|||||||
#include <ngx_mail.h>
|
#include <ngx_mail.h>
|
||||||
|
|
||||||
|
|
||||||
#define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
|
#define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
|
||||||
|
|
||||||
|
|
||||||
static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
|
static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
|
||||||
@ -198,8 +198,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
prev->prefer_server_ciphers, 0);
|
prev->prefer_server_ciphers, 0);
|
||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
|
||||||
|NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
|
|
||||||
|
|
||||||
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
|
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
|
||||||
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
|
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
|
||||||
|