mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 09:42:39 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSL: support for multiple certificates (ticket #814).

Browse Source
This commit is contained in:
Maxim Dounin 2016-05-19 14:46:32 +03:00
parent 798999b63d
commit cf126b98b3
8 changed files with 112 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/event/ngx_event_openssl.c
View File

@ -321,6 +321,29 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
} }
ngx_int_t
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
ngx_array_t *keys, ngx_array_t *passwords)
{
ngx_str_t *cert, *key;
ngx_uint_t i;
cert = certs->elts;
key = keys->elts;
for (i = 0; i < certs->nelts; i++) {
if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
!= NGX_OK)
{
return NGX_ERROR;
}
}
return NGX_OK;
}
ngx_int_t ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_str_t *key, ngx_array_t *passwords) ngx_str_t *key, ngx_array_t *passwords)

2
src/event/ngx_event_openssl.h
View File

@ -140,6 +140,8 @@ typedef struct {
ngx_int_t ngx_ssl_init(ngx_log_t *log); ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,

46
src/http/modules/ngx_http_ssl_module.c
View File

@ -81,16 +81,16 @@ static ngx_command_t ngx_http_ssl_commands[] = {
{ ngx_string("ssl_certificate"), { ngx_string("ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot, ngx_conf_set_str_array_slot,
NGX_HTTP_SRV_CONF_OFFSET, NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, certificate), offsetof(ngx_http_ssl_srv_conf_t, certificates),
NULL }, NULL },
{ ngx_string("ssl_certificate_key"), { ngx_string("ssl_certificate_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot, ngx_conf_set_str_array_slot,
NGX_HTTP_SRV_CONF_OFFSET, NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, certificate_key), offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
NULL }, NULL },
{ ngx_string("ssl_password_file"), { ngx_string("ssl_password_file"),
@ -508,8 +508,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
* set by ngx_pcalloc(): * set by ngx_pcalloc():
* *
* sscf->protocols = 0; * sscf->protocols = 0;
* sscf->certificate = { 0, NULL };
* sscf->certificate_key = { 0, NULL };
* sscf->dhparam = { 0, NULL }; * sscf->dhparam = { 0, NULL };
* sscf->ecdh_curve = { 0, NULL }; * sscf->ecdh_curve = { 0, NULL };
* sscf->client_certificate = { 0, NULL }; * sscf->client_certificate = { 0, NULL };
@ -526,6 +524,8 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
sscf->buffer_size = NGX_CONF_UNSET_SIZE; sscf->buffer_size = NGX_CONF_UNSET_SIZE;
sscf->verify = NGX_CONF_UNSET_UINT; sscf->verify = NGX_CONF_UNSET_UINT;
sscf->verify_depth = NGX_CONF_UNSET_UINT; sscf->verify_depth = NGX_CONF_UNSET_UINT;
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR; sscf->passwords = NGX_CONF_UNSET_PTR;
sscf->builtin_session_cache = NGX_CONF_UNSET; sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET; sscf->session_timeout = NGX_CONF_UNSET;
@ -573,8 +573,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
NULL);
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
@ -601,7 +602,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->enable) { if (conf->enable) {
if (conf->certificate.len == 0) { if (conf->certificates == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for " "no \"ssl_certificate\" is defined for "
"the \"ssl\" directive in %s:%ui", "the \"ssl\" directive in %s:%ui",
@ -609,7 +610,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (conf->certificate_key.len == 0) { if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for " "no \"ssl_certificate_key\" is defined for "
"the \"ssl\" directive in %s:%ui", "the \"ssl\" directive in %s:%ui",
@ -617,16 +618,31 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (conf->certificate_keys->nelts < conf->certificates->nelts) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\" and "
"the \"ssl\" directive in %s:%ui",
((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1,
conf->file, conf->line);
return NGX_CONF_ERROR;
}
} else { } else {
if (conf->certificate.len == 0) { if (conf->certificates == NULL) {
return NGX_CONF_OK; return NGX_CONF_OK;
} }
if (conf->certificate_key.len == 0) { if (conf->certificate_keys == NULL
|| conf->certificate_keys->nelts < conf->certificates->nelts)
{
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined " "no \"ssl_certificate_key\" is defined "
"for certificate \"%V\"", &conf->certificate); "for certificate \"%V\"",
((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1);
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
} }
@ -666,8 +682,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
cln->handler = ngx_ssl_cleanup_ctx; cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl; cln->data = &conf->ssl;
if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
&conf->certificate_key, conf->passwords) conf->certificate_keys, conf->passwords)
!= NGX_OK) != NGX_OK)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;

5
src/http/modules/ngx_http_ssl_module.h
View File

@ -32,8 +32,9 @@ typedef struct {
time_t session_timeout; time_t session_timeout;
ngx_str_t certificate; ngx_array_t *certificates;
ngx_str_t certificate_key; ngx_array_t *certificate_keys;
ngx_str_t dhparam; ngx_str_t dhparam;
ngx_str_t ecdh_curve; ngx_str_t ecdh_curve;
ngx_str_t client_certificate; ngx_str_t client_certificate;

45
src/mail/ngx_mail_ssl_module.c
View File

@ -73,16 +73,16 @@ static ngx_command_t ngx_mail_ssl_commands[] = {
{ ngx_string("ssl_certificate"), { ngx_string("ssl_certificate"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot, ngx_conf_set_str_array_slot,
NGX_MAIL_SRV_CONF_OFFSET, NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_ssl_conf_t, certificate), offsetof(ngx_mail_ssl_conf_t, certificates),
NULL }, NULL },
{ ngx_string("ssl_certificate_key"), { ngx_string("ssl_certificate_key"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot, ngx_conf_set_str_array_slot,
NGX_MAIL_SRV_CONF_OFFSET, NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_ssl_conf_t, certificate_key), offsetof(ngx_mail_ssl_conf_t, certificate_keys),
NULL }, NULL },
{ ngx_string("ssl_password_file"), { ngx_string("ssl_password_file"),
@ -238,8 +238,6 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
* set by ngx_pcalloc(): * set by ngx_pcalloc():
* *
* scf->protocols = 0; * scf->protocols = 0;
* scf->certificate = { 0, NULL };
* scf->certificate_key = { 0, NULL };
* scf->dhparam = { 0, NULL }; * scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL }; * scf->ecdh_curve = { 0, NULL };
* scf->client_certificate = { 0, NULL }; * scf->client_certificate = { 0, NULL };
@ -251,6 +249,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
scf->enable = NGX_CONF_UNSET; scf->enable = NGX_CONF_UNSET;
scf->starttls = NGX_CONF_UNSET_UINT; scf->starttls = NGX_CONF_UNSET_UINT;
scf->certificates = NGX_CONF_UNSET_PTR;
scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR; scf->passwords = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET; scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT; scf->verify = NGX_CONF_UNSET_UINT;
@ -290,8 +290,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
NULL);
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
@ -328,7 +329,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
if (*mode) { if (*mode) {
if (conf->certificate.len == 0) { if (conf->certificates == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for " "no \"ssl_certificate\" is defined for "
"the \"%s\" directive in %s:%ui", "the \"%s\" directive in %s:%ui",
@ -336,7 +337,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (conf->certificate_key.len == 0) { if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for " "no \"ssl_certificate_key\" is defined for "
"the \"%s\" directive in %s:%ui", "the \"%s\" directive in %s:%ui",
@ -344,17 +345,31 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (conf->certificate_keys->nelts < conf->certificates->nelts) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\" and "
"the \"ssl\" directive in %s:%ui",
((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1,
conf->file, conf->line);
return NGX_CONF_ERROR;
}
} else { } else {
if (conf->certificate.len == 0) { if (conf->certificates == NULL) {
return NGX_CONF_OK; return NGX_CONF_OK;
} }
if (conf->certificate_key.len == 0) { if (conf->certificate_keys == NULL
|| conf->certificate_keys->nelts < conf->certificates->nelts)
{
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined " "no \"ssl_certificate_key\" is defined "
"for certificate \"%V\"", "for certificate \"%V\"",
&conf->certificate); ((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1);
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
} }
@ -371,8 +386,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
cln->handler = ngx_ssl_cleanup_ctx; cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl; cln->data = &conf->ssl;
if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
&conf->certificate_key, conf->passwords) conf->certificate_keys, conf->passwords)
!= NGX_OK) != NGX_OK)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;

5
src/mail/ngx_mail_ssl_module.h
View File

@ -35,8 +35,9 @@ typedef struct {
time_t session_timeout; time_t session_timeout;
ngx_str_t certificate; ngx_array_t *certificates;
ngx_str_t certificate_key; ngx_array_t *certificate_keys;
ngx_str_t dhparam; ngx_str_t dhparam;
ngx_str_t ecdh_curve; ngx_str_t ecdh_curve;
ngx_str_t client_certificate; ngx_str_t client_certificate;

30
src/stream/ngx_stream_ssl_module.c
View File

@ -45,16 +45,16 @@ static ngx_command_t ngx_stream_ssl_commands[] = {
{ ngx_string("ssl_certificate"), { ngx_string("ssl_certificate"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot, ngx_conf_set_str_array_slot,
NGX_STREAM_SRV_CONF_OFFSET, NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_conf_t, certificate), offsetof(ngx_stream_ssl_conf_t, certificates),
NULL }, NULL },
{ ngx_string("ssl_certificate_key"), { ngx_string("ssl_certificate_key"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot, ngx_conf_set_str_array_slot,
NGX_STREAM_SRV_CONF_OFFSET, NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_conf_t, certificate_key), offsetof(ngx_stream_ssl_conf_t, certificate_keys),
NULL }, NULL },
{ ngx_string("ssl_password_file"), { ngx_string("ssl_password_file"),
@ -175,8 +175,6 @@ ngx_stream_ssl_create_conf(ngx_conf_t *cf)
* set by ngx_pcalloc(): * set by ngx_pcalloc():
* *
* scf->protocols = 0; * scf->protocols = 0;
* scf->certificate = { 0, NULL };
* scf->certificate_key = { 0, NULL };
* scf->dhparam = { 0, NULL }; * scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL }; * scf->ecdh_curve = { 0, NULL };
* scf->ciphers = { 0, NULL }; * scf->ciphers = { 0, NULL };
@ -184,6 +182,8 @@ ngx_stream_ssl_create_conf(ngx_conf_t *cf)
*/ */
scf->handshake_timeout = NGX_CONF_UNSET_MSEC; scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
scf->certificates = NGX_CONF_UNSET_PTR;
scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR; scf->passwords = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET; scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->builtin_session_cache = NGX_CONF_UNSET; scf->builtin_session_cache = NGX_CONF_UNSET;
@ -216,8 +216,9 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
NULL);
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
@ -231,15 +232,18 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
conf->ssl.log = cf->log; conf->ssl.log = cf->log;
if (conf->certificate.len == 0) { if (conf->certificates == NULL) {
return NGX_CONF_OK; return NGX_CONF_OK;
} }
if (conf->certificate_key.len == 0) { if (conf->certificate_keys == NULL
|| conf->certificate_keys->nelts < conf->certificates->nelts)
{
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined " "no \"ssl_certificate_key\" is defined "
"for certificate \"%V\"", "for certificate \"%V\"",
&conf->certificate); ((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1);
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
@ -255,8 +259,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
cln->handler = ngx_ssl_cleanup_ctx; cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl; cln->data = &conf->ssl;
if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
&conf->certificate_key, conf->passwords) conf->certificate_keys, conf->passwords)
!= NGX_OK) != NGX_OK)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;

5
src/stream/ngx_stream_ssl_module.h
View File

@ -27,8 +27,9 @@ typedef struct {
time_t session_timeout; time_t session_timeout;
ngx_str_t certificate; ngx_array_t *certificates;
ngx_str_t certificate_key; ngx_array_t *certificate_keys;
ngx_str_t dhparam; ngx_str_t dhparam;
ngx_str_t ecdh_curve; ngx_str_t ecdh_curve;