mirror of
https://github.com/nginx/nginx.git
synced 2025-01-20 02:22:58 +08:00
Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134).
This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to the mail proxy auth protocol when SSL is enabled. This can be useful for detecting users using older clients that negotiate old ciphers when you want to upgrade to newer TLS versions or remove support for old and insecure ciphers. You can use your auth backend to notify these users before the upgrade that they either need to upgrade their client software or contact your support team to work out an upgrade path.
This commit is contained in:
parent
ce5996cdd1
commit
d4dad02e5e
@ -1137,8 +1137,8 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
|
||||
ngx_str_t login, passwd;
|
||||
ngx_connection_t *c;
|
||||
#if (NGX_MAIL_SSL)
|
||||
ngx_str_t verify, subject, issuer, serial, fingerprint,
|
||||
raw_cert, cert;
|
||||
ngx_str_t protocol, cipher, verify, subject, issuer,
|
||||
serial, fingerprint, raw_cert, cert;
|
||||
ngx_mail_ssl_conf_t *sslcf;
|
||||
#endif
|
||||
ngx_mail_core_srv_conf_t *cscf;
|
||||
@ -1155,6 +1155,25 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
|
||||
|
||||
#if (NGX_MAIL_SSL)
|
||||
|
||||
if (c->ssl) {
|
||||
|
||||
if (ngx_ssl_get_protocol(c, pool, &protocol) != NGX_OK) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
protocol.len = ngx_strlen(protocol.data);
|
||||
|
||||
if (ngx_ssl_get_cipher_name(c, pool, &cipher) != NGX_OK) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
cipher.len = ngx_strlen(cipher.data);
|
||||
|
||||
} else {
|
||||
ngx_str_null(&protocol);
|
||||
ngx_str_null(&cipher);
|
||||
}
|
||||
|
||||
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
|
||||
|
||||
if (c->ssl && sslcf->verify) {
|
||||
@ -1252,6 +1271,10 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
|
||||
|
||||
if (c->ssl) {
|
||||
len += sizeof("Auth-SSL: on" CRLF) - 1
|
||||
+ sizeof("Auth-SSL-Protocol: ") - 1 + protocol.len
|
||||
+ sizeof(CRLF) - 1
|
||||
+ sizeof("Auth-SSL-Cipher: ") - 1 + cipher.len
|
||||
+ sizeof(CRLF) - 1
|
||||
+ sizeof("Auth-SSL-Verify: ") - 1 + verify.len
|
||||
+ sizeof(CRLF) - 1
|
||||
+ sizeof("Auth-SSL-Subject: ") - 1 + subject.len
|
||||
@ -1373,6 +1396,20 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
|
||||
b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
|
||||
sizeof("Auth-SSL: on" CRLF) - 1);
|
||||
|
||||
if (protocol.len) {
|
||||
b->last = ngx_cpymem(b->last, "Auth-SSL-Protocol: ",
|
||||
sizeof("Auth-SSL-Protocol: ") - 1);
|
||||
b->last = ngx_copy(b->last, protocol.data, protocol.len);
|
||||
*b->last++ = CR; *b->last++ = LF;
|
||||
}
|
||||
|
||||
if (cipher.len) {
|
||||
b->last = ngx_cpymem(b->last, "Auth-SSL-Cipher: ",
|
||||
sizeof("Auth-SSL-Cipher: ") - 1);
|
||||
b->last = ngx_copy(b->last, cipher.data, cipher.len);
|
||||
*b->last++ = CR; *b->last++ = LF;
|
||||
}
|
||||
|
||||
if (verify.len) {
|
||||
b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
|
||||
sizeof("Auth-SSL-Verify: ") - 1);
|
||||
|
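Review bot: In the second hunk, `protocol.len = ngx_strlen(protocol.data);` and `cipher.len = ngx_strlen(cipher.data);` depend on the getters returning a non-NULL, NUL-terminated string, and the last hunk then writes both values into the request with `ngx_copy` and no escaping; neither assumption is written down. This is presumably safe because both strings come from the TLS library's own name tables rather than from client-controlled bytes, but the getters are not visible here, so it should be confirmed and recorded. I would add a comment above the first call, for example `/* protocol and cipher are NUL-terminated names from the SSL library, not client data: len is taken with ngx_strlen() and no escaping is needed */`. The body of ngx_mail_auth_http_create_request starts and ends outside the hunks shown.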