mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-16 22:47:47 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
5,143 Commits 21 Branches 568 Tags 87 MiB
16f248ebbb
Commit Graph

196 Commits

Author SHA1 Message Date
Maxim Dounin
1a07a7f2de OCSP stapling: log error data in ngx_ssl_error(). 
It's hard to debug OCSP_basic_verify() failures without the actual error
string it records in the error data field.
 2012-10-01 12:50:36 +00:00
Maxim Dounin
74ad4494a6 OCSP stapling: loading OCSP responses. 
This includes the ssl_stapling_responder directive (defaults to OCSP
responder set in certificate's AIA extension).

OCSP response for a given certificate is requested once we get at least
one connection with certificate_status extension in ClientHello, and
certificate status won't be sent in the connection in question.  This due
to limitations in the OpenSSL API (certificate status callback is blocking).

Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't
allow to access the certificate loaded via SSL_CTX.
 2012-10-01 12:47:55 +00:00
Maxim Dounin
3648ba7db8 OCSP stapling: ssl_trusted_certificate directive. 
The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification.  In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.

Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.

The same applies to a CRL (which is now always loaded).
 2012-10-01 12:39:36 +00:00
Maxim Dounin
52b59ebc74 SSL: added version checks for ssl compression workaround. 
The SSL_COMP_get_compression_methods() is only available as an API
function in OpenSSL 0.9.8+, require it explicitly to unbreak build
with OpenSSL 0.9.7.
 2012-09-27 18:01:06 +00:00
Maxim Dounin
f4f72f9fb5 SSL: fixed compression workaround to remove all methods. 
Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
stack from 0 to n, resulting in removal of only even compression methods.

In real life this change is a nop, as there is only one compression method
which is enabled by default in OpenSSL.
 2012-09-27 17:59:59 +00:00
Igor Sysoev
992a4d11da Disabled gzip compression in OpenSSL prior to 1.0.0 version. 
This saves about 522K per connection.
 2012-06-20 12:55:28 +00:00
Valentin Bartenev
2195eb554b Removed mistaken setting of NGX_SSL_BUFFERED flag in ngx_ssl_send_chain() 
if SSL buffer is not used.
 2012-05-30 12:43:27 +00:00
Valentin Bartenev
0215fcc9b8 Update c->sent in ngx_ssl_send_chain() even if SSL buffer is not used. 2012-05-14 16:30:33 +00:00
Ruslan Ermilov
47a04aaa27 Fixed spelling in multiline C comments. 2012-04-03 07:37:31 +00:00
Maxim Dounin
ee187436af Whitespace fixes. 2012-03-05 18:09:06 +00:00
Ruslan Ermilov
b74f8ffce4 Fixed spelling in single-line comments. 2012-02-28 11:31:05 +00:00
Maxim Dounin
7ca6c1ff78 Fix of rbtree lookup on hash collisions. 
Previous code incorrectly assumed that nodes with identical keys are linked
together.  This might not be true after tree rebalance.

Patch by Lanshun Zhou.
 2012-02-27 22:15:39 +00:00
Maxim Dounin
90a7a8f5d9 Removed ENGINE_load_builtin_engines() call. 
It's already called by OPENSSL_config().  Calling it again causes some
openssl engines (notably GOST) to corrupt memory, as they don't expect
to be created more than once.
 2012-01-30 07:38:27 +00:00
Maxim Konovalov
f8d59e33f3 Copyright updated. 2012-01-18 15:07:43 +00:00
Maxim Dounin
4efcbce328 Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. 
Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1
(-beta1 was recently released).  This change makes it possible to disable
these protocols and/or enable them without other protocols.
 2012-01-11 11:15:00 +00:00
Igor Sysoev
a2ffa56106 Silently ignoring a stale global SSL error left after disabled renegotiation. 2011-10-31 14:30:03 +00:00
Igor Sysoev
59695881ce Decrease of log level of some SSL handshake errors. 2011-10-25 15:04:09 +00:00
Igor Sysoev
94b5460c70 Releasing memory of idle SSL connection. This saves about 34K per SSL 
connection. The SSL_MODE_RELEASE_BUFFERS option is available since
OpenSSL 1.0.0d.
 2011-10-07 12:15:20 +00:00
Igor Sysoev
95084f7e1c Disabling SSL compression. This saves about 300K per SSL connection. 
The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.
 2011-10-07 10:59:02 +00:00
Maxim Dounin
a9e3c65d22 Proper SSL shutdown handling. 
If connection has unsent alerts, SSL_shutdown() tries to send them even
if SSL_set_shutdown(SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN) was used.
This can be prevented by SSL_set_quiet_shutdown().  SSL_set_shutdown()
is required nevertheless to preserve session.
 2011-09-01 13:49:36 +00:00
Igor Sysoev
dfd81a23b2 A new fix for the case when ssl_session_cache defined, but ssl is not 
enabled in any server. The previous r1033 does not help when unused zone
becomes used after reconfiguration, so it is backed out.

The initial thought was to make SSL modules independed from SSL implementation
and to keep OpenSSL code dependance as much as in separate files.
 2011-08-04 11:12:30 +00:00
Igor Sysoev
b0b6bcedfc fix SSL connection issues on platforms with 32-bit off_t 
patch by Maxim Dounin
 2011-07-22 12:53:04 +00:00
Igor Sysoev
a7ed0951e3 fix build by gcc46 with -Wunused-value option 
patch by Maxim Dounin
 2011-07-22 10:43:50 +00:00
Igor Sysoev
f39642a907 ECDHE support 
patch by Adrian Kotelba
 2011-07-20 15:42:40 +00:00
Igor Sysoev
e61ba26744 MSIE export versions are rare now, so RSA 512 key is generated on demand 
and is shared among all hosts instead of pregenerating for every HTTPS host
on configuraiton phase. This decreases start time for configuration with
large number of HTTPS hosts.
 2011-07-20 12:59:24 +00:00
Igor Sysoev
3d86ad3f95 fix building on Fedora 14 
patch by Kirill A. Korinskiy
 2011-01-20 12:33:17 +00:00
Igor Sysoev
3e3ee60b99 remove SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG becuase of CVE-2010-4180 2010-12-06 11:17:03 +00:00
Igor Sysoev
6b45b065fe decrease SSL handshake error level to info 2010-07-29 09:30:15 +00:00
Igor Sysoev
05b1a8f1e3 ngx_str_set() and ngx_str_null() 2010-05-14 09:56:37 +00:00
Igor Sysoev
502252d43a MSVC8 compatibility with OpenSSL 1.0.0 2010-04-01 15:18:29 +00:00
Igor Sysoev
e71f39932f add OpenSSL_add_all_algorithms(), this fixes the error 
"ASN1_item_verify:unknown message digest algorithm" occurred if
client certificate is signed using sha256WithRSAEncryption
 2010-03-03 16:23:14 +00:00
Igor Sysoev
416fc7aac7 Set SSL session context for "ssl_session_cache none". 
This fixes a bug when client certficate is used and nginx closes connection
with the message: "SSL_GET_PREV_SESSION:session id context uninitialized".
 2010-03-02 08:41:47 +00:00
Igor Sysoev
146324618d decrease SSL handshake error level to info 2010-02-19 20:54:58 +00:00
Igor Sysoev
8019121120 decrease SSL handshake error level to info 2009-11-23 14:09:57 +00:00
Igor Sysoev
70bd187c4c disable SSL renegotiation (CVE-2009-3555) 2009-11-11 10:59:07 +00:00
Igor Sysoev
cc65b0879b fix segfault in SSL if limit_rate is used 2009-11-03 15:38:33 +00:00
Igor Sysoev
c81582ea67 fix r3155 2009-09-24 20:09:12 +00:00
Igor Sysoev
ef2662caab fix debug log message 2009-09-24 14:47:10 +00:00
Igor Sysoev
cdaf442a2f $ssl_session_id 2009-09-24 14:45:28 +00:00
Igor Sysoev
365d663cc2 fix memory corruption in $ssl_client_cert 2009-07-27 11:51:12 +00:00
Igor Sysoev
f5ca9df2ab delete ancient define 2009-07-23 12:59:11 +00:00
Igor Sysoev
80c3e8e03b delete OpenSSL pre-0.9.7 compatibility: the sources were not actually 
compatible with OpenSSL 0.9.6 since ssl_session_cache introduction
 2009-07-23 12:54:20 +00:00
Igor Sysoev
9db0245cda ssl_crl 2009-07-23 12:21:26 +00:00
Igor Sysoev
5b4b7c58cc *) $ssl_client_verify 
*) "ssl_verify_client ask" was changed to "ssl_verify_client optional"
 2009-07-22 17:41:42 +00:00
Igor Sysoev
260c4321d7 return NULL instead of NGX_CONF_ERROR on a create conf failure 2009-06-02 16:09:44 +00:00
Igor Sysoev
e1c9746e37 use ngx_vslprintf(), ngx_slprintf() 2009-04-27 13:06:20 +00:00
Igor Sysoev
f7a08d5f9a support attaching to an existent Win32 shared memory 2009-04-18 19:27:28 +00:00
Igor Sysoev
c7f876bd4c move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory 2009-04-16 19:25:09 +00:00
Igor Sysoev
ee0da9ad53 fix building by MSVC8 2009-04-15 19:28:10 +00:00
Igor Sysoev
a2c8d9a0a8 improve ngx_slab_alloc() error logging 2009-03-27 17:00:42 +00:00
Igor Sysoev
1f4220ee86 small optimization: " == NGX_ERROR" > " != NGX_OK" 2009-02-24 10:42:23 +00:00
Igor Sysoev
be63760fc5 load SSL engine before certificates, 
otherwise RSA keys will use built-in RSA methods
 2009-02-16 13:37:58 +00:00
Igor Sysoev
c9aae14a7e use "!= NGX_OK" instead of "== NGX_ERROR" 2008-12-09 17:27:48 +00:00
Igor Sysoev
1bf7dc1884 low some SSL handshake errors level 2008-11-18 16:05:00 +00:00
Igor Sysoev
a862c46ffa always use buffer, if connection is buffered, 
this fixes OpenSSL "bad write retry" error, when
*) nginx passed a single buf greater than our buffer (say 32K) to OpenSSL,
*) OpenSSL returns SSL_ERROR_WANT_WRITE,
*) after some time nginx has to send a new data,
*) so there are at least two bufs nginx does pass them directly to OpenSSL,
*) but copies the first buf part to buffer, and sends the buffer to OpenSSL.
*) because the data length is lesser than it was in previous SSL_write():
   16K < 32K, OpenSSL returns SSL_R_BAD_WRITE_RETRY.
 2008-10-23 05:58:10 +00:00
Igor Sysoev
a408b2ba2d backout both r2162 and r2128 and implement a new fix 2008-08-12 12:04:49 +00:00
Igor Sysoev
2ff9a4b334 SSL connection readiness is required for level-triggered events only, 
broken in r2128
 2008-08-11 15:25:40 +00:00
Igor Sysoev
ec0b579f75 update connection readiness after SSL handshake, 
this fixes mail proxy SSL connection hanging if level-triggered event is used
 2008-07-30 06:12:30 +00:00
Igor Sysoev
49ed6f3eec *) ssl_verify_client ask 
*) test ssl_client_certificate for ssl_verify_client
*) $ssl_client_cert adds TAB before each line except first one
*) $ssl_client_raw_cert contains certificate as is
 2008-07-29 14:29:02 +00:00
Igor Sysoev
da02ddc6fd fix "proxy_pass https://..." broken in r1427 2008-06-20 14:42:54 +00:00
Igor Sysoev
7f6b2ffc60 *) back out r2040 
*) refactor ngx_palloc()
*) introduce ngx_pnalloc()
*) additional pool blocks have smaller header
 2008-06-17 15:00:30 +00:00
Igor Sysoev
81f9c9dc72 $ssl_client_cert 2008-06-16 05:54:18 +00:00
Igor Sysoev
df83e6f81a DH parameters, ssl_dhparam 2008-06-16 05:51:32 +00:00
Igor Sysoev
d6548faf64 ssl_session_cache none 2008-05-26 07:14:13 +00:00
Igor Sysoev
396abff226 get certificate info only for debug build 2008-04-28 08:52:32 +00:00
Igor Sysoev
58d3821cf0 fix memory leak when ssl_verify_client is on 2008-04-28 08:50:39 +00:00
Igor Sysoev
439e288a1b fix memory leak when ssl_verify_client is on 2008-04-23 18:57:25 +00:00
Igor Sysoev
8da1fa935f low some SSL handshake errors level 2008-03-18 10:35:00 +00:00
Igor Sysoev
472233d0a3 invalidate SSL session if there is no valid client certificate 2008-03-10 14:47:07 +00:00
Igor Sysoev
704e1c1324 low SSL handshake close notify alert error level 2008-02-04 20:46:58 +00:00
Igor Sysoev
b1d4a6cc80 low SSL handshake errors level 2008-02-01 14:05:18 +00:00
Igor Sysoev
c20d3769bc backout r1757, we really need SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 2008-01-31 15:10:45 +00:00
Igor Sysoev
02d8e8e377 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN 2008-01-25 14:57:35 +00:00
Igor Sysoev
c783c35b5f pull all errors 2008-01-25 14:56:37 +00:00
Igor Sysoev
efe0016a11 fix bogus crit log message "SSL_shutdown() failed" introduced in r1755 2008-01-22 16:04:35 +00:00
Igor Sysoev
8b99e3f1ea pull all errors 2008-01-10 08:45:00 +00:00
Igor Sysoev
e965c47113 grammar fix 2008-01-10 08:36:14 +00:00
Igor Sysoev
f25abef8dc fix segfault introduced in r1780 2007-12-27 18:35:52 +00:00
Igor Sysoev
cd2aa8e172 create ssl buffer on demand and free it before keep-alive 2007-12-26 21:07:30 +00:00
Igor Sysoev
6ff850baf8 ssl_session_cache off 2007-12-26 20:27:22 +00:00
Igor Sysoev
01a129d823 use ngx_queue.h 2007-12-20 21:01:00 +00:00
Igor Sysoev
181abe549f embed session_rbtree and sentinel inside ngx_ssl_session_cache_t 2007-12-20 20:35:23 +00:00
Igor Sysoev
0a0024bdb5 omit useless test 2007-12-20 20:30:45 +00:00
Igor Sysoev
711e9031fe use ngx_time() instead of ngx_timeofday() 2007-12-20 20:11:45 +00:00
Igor Sysoev
6675abe3b4 remove SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, we never need it, 
the "bad write retry" error was caused by SSL_shutdown() error
 2007-12-20 13:49:07 +00:00
Igor Sysoev
fc28270ac2 cleaning stale global SSL error 2007-12-20 13:04:20 +00:00
Igor Sysoev
94b3ea319b SSL_shutdown() never returns -1, on error it returns 0. 
This fixes incidental "bad write retry" errors.
 2007-12-20 12:59:05 +00:00
Igor Sysoev
7912e4ba5d optimize rbtree initialization and insert 2007-12-17 08:52:00 +00:00
Igor Sysoev
181a7141f9 style fix 2007-08-31 09:22:53 +00:00
Igor Sysoev
6fe1303fb5 do not set read->eof, ready, and error prematurely 2007-08-27 19:44:35 +00:00
Igor Sysoev
da69848428 mark connection as not ready, this fixes endless loop introduced in r1368 2007-08-27 15:01:08 +00:00
Igor Sysoev
83a6851b28 make 64-bit ngx_int_t on 64-bit platforms 2007-07-29 18:24:53 +00:00
Igor Sysoev
a1df416d65 --sysconfdir=DIR 2007-07-29 18:05:45 +00:00
Igor Sysoev
da8c05a5fd style fix 2007-05-23 18:28:54 +00:00
Igor Sysoev
70f65c4948 ngx_ssl_recv_chain() must not update buf->last, 
it fixes proxy_pass https://...
 2007-03-31 19:48:48 +00:00
Igor Sysoev
8c5edab7d3 style fix: remove trailing spaces 2007-01-18 19:40:31 +00:00
Igor Sysoev
ec3cabdcd9 ngx_strn2cmp() > ngx_memn2cmp() 2007-01-12 21:58:02 +00:00
Igor Sysoev
8785136a92 fix duplicate rbtree keys case 2007-01-12 20:57:34 +00:00
Igor Sysoev
6043c80639 style fix: remove tabs 2007-01-12 20:26:39 +00:00
Igor Sysoev
927666265d optimize the SSL session cache allocations on 64-bit platforms 2007-01-11 18:59:17 +00:00