mirror of
https://github.com/nginx/nginx.git
synced 2025-07-20 19:27:29 +08:00
0e29e08005
The ssl_certificate_compression directive allows to send compressed server certificates, which are pre-compressed on on nginx startup. To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION option is automatically cleared if certificates were pre-compressed. SSL_CTX_compress_certs() may return an error in legitimate cases, e.g., when none of compression algorithms is available or if the resulting compressed size is larger than the original one, thus it is silently ignored. Certificate compression is supported in Chrome with brotli only, in Safari with zlib only, and in Firefox with all listed algorithms. It is supported since Ubuntu 24.10, which has OpenSSL with enabled zlib and zstd support. The actual list of algorithms supported in OpenSSL depends on how the library was configured; it can be brotli, zlib, zstd as listed in RFC 8879.
1485 lines
42 KiB
C
1485 lines
42 KiB
C
|
|
/*
|
|
* Copyright (C) Igor Sysoev
|
|
* Copyright (C) Nginx, Inc.
|
|
*/
|
|
|
|
|
|
#include <ngx_config.h>
|
|
#include <ngx_core.h>
|
|
#include <ngx_http.h>
|
|
|
|
#if (NGX_QUIC_OPENSSL_COMPAT)
|
|
#include <ngx_event_quic_openssl_compat.h>
|
|
#endif
|
|
|
|
|
|
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
|
ngx_pool_t *pool, ngx_str_t *s);
|
|
|
|
|
|
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
|
|
#define NGX_DEFAULT_ECDH_CURVE "auto"
|
|
|
|
#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
|
|
|
|
|
|
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
|
static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
|
|
const unsigned char **out, unsigned char *outlen,
|
|
const unsigned char *in, unsigned int inlen, void *arg);
|
|
#endif
|
|
|
|
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
|
ngx_http_variable_value_t *v, uintptr_t data);
|
|
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
|
|
ngx_http_variable_value_t *v, uintptr_t data);
|
|
|
|
static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
|
|
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
|
|
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
|
|
void *parent, void *child);
|
|
|
|
static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
|
|
ngx_http_ssl_srv_conf_t *conf);
|
|
|
|
static char *ngx_http_ssl_certificate_cache(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
void *conf);
|
|
static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
void *conf);
|
|
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
void *conf);
|
|
static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
void *conf);
|
|
|
|
static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
|
|
void *data);
|
|
|
|
static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
|
|
#if (NGX_QUIC_OPENSSL_COMPAT)
|
|
static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf,
|
|
ngx_http_conf_addr_t *addr);
|
|
#endif
|
|
|
|
|
|
static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
|
|
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
|
|
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 },
|
|
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 },
|
|
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
|
|
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
|
|
{ ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
|
|
{ ngx_null_string, 0 }
|
|
};
|
|
|
|
|
|
static ngx_conf_enum_t ngx_http_ssl_verify[] = {
|
|
{ ngx_string("off"), 0 },
|
|
{ ngx_string("on"), 1 },
|
|
{ ngx_string("optional"), 2 },
|
|
{ ngx_string("optional_no_ca"), 3 },
|
|
{ ngx_null_string, 0 }
|
|
};
|
|
|
|
|
|
static ngx_conf_enum_t ngx_http_ssl_ocsp[] = {
|
|
{ ngx_string("off"), 0 },
|
|
{ ngx_string("on"), 1 },
|
|
{ ngx_string("leaf"), 2 },
|
|
{ ngx_null_string, 0 }
|
|
};
|
|
|
|
|
|
static ngx_conf_post_t ngx_http_ssl_conf_command_post =
|
|
{ ngx_http_ssl_conf_command_check };
|
|
|
|
|
|
static ngx_command_t ngx_http_ssl_commands[] = {
|
|
|
|
{ ngx_string("ssl_certificate"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_array_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, certificates),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_certificate_key"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_array_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_certificate_cache"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE123,
|
|
ngx_http_ssl_certificate_cache,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
0,
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_password_file"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_http_ssl_password_file,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
0,
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_certificate_compression"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_flag_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, certificate_compression),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_dhparam"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, dhparam),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_ecdh_curve"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_protocols"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
|
|
ngx_conf_set_bitmask_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, protocols),
|
|
&ngx_http_ssl_protocols },
|
|
|
|
{ ngx_string("ssl_ciphers"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, ciphers),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_buffer_size"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_size_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, buffer_size),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_verify_client"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_enum_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, verify),
|
|
&ngx_http_ssl_verify },
|
|
|
|
{ ngx_string("ssl_verify_depth"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_num_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_client_certificate"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_trusted_certificate"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_prefer_server_ciphers"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_flag_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_session_cache"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
|
|
ngx_http_ssl_session_cache,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
0,
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_session_tickets"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_flag_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, session_tickets),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_session_ticket_key"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_array_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_session_timeout"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_sec_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_crl"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, crl),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_ocsp"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_enum_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, ocsp),
|
|
&ngx_http_ssl_ocsp },
|
|
|
|
{ ngx_string("ssl_ocsp_responder"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_ocsp_cache"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_http_ssl_ocsp_cache,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
0,
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_stapling"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_flag_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_stapling_file"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_stapling_responder"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
ngx_conf_set_str_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_stapling_verify"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_flag_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_early_data"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_flag_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, early_data),
|
|
NULL },
|
|
|
|
{ ngx_string("ssl_conf_command"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
|
|
ngx_conf_set_keyval_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
|
|
&ngx_http_ssl_conf_command_post },
|
|
|
|
{ ngx_string("ssl_reject_handshake"),
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
ngx_conf_set_flag_slot,
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
|
|
NULL },
|
|
|
|
ngx_null_command
|
|
};
|
|
|
|
|
|
static ngx_http_module_t ngx_http_ssl_module_ctx = {
|
|
ngx_http_ssl_add_variables, /* preconfiguration */
|
|
ngx_http_ssl_init, /* postconfiguration */
|
|
|
|
NULL, /* create main configuration */
|
|
NULL, /* init main configuration */
|
|
|
|
ngx_http_ssl_create_srv_conf, /* create server configuration */
|
|
ngx_http_ssl_merge_srv_conf, /* merge server configuration */
|
|
|
|
NULL, /* create location configuration */
|
|
NULL /* merge location configuration */
|
|
};
|
|
|
|
|
|
ngx_module_t ngx_http_ssl_module = {
|
|
NGX_MODULE_V1,
|
|
&ngx_http_ssl_module_ctx, /* module context */
|
|
ngx_http_ssl_commands, /* module directives */
|
|
NGX_HTTP_MODULE, /* module type */
|
|
NULL, /* init master */
|
|
NULL, /* init module */
|
|
NULL, /* init process */
|
|
NULL, /* init thread */
|
|
NULL, /* exit thread */
|
|
NULL, /* exit process */
|
|
NULL, /* exit master */
|
|
NGX_MODULE_V1_PADDING
|
|
};
|
|
|
|
|
|
static ngx_http_variable_t ngx_http_ssl_vars[] = {
|
|
|
|
{ ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
|
|
(uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
|
|
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_curve"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_curve, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_early_data,
|
|
NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_raw_certificate,
|
|
NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_escaped_certificate,
|
|
NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_v_start"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_client_v_start, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_v_end"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_client_v_end, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
{ ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
|
|
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
ngx_http_null_variable
|
|
};
|
|
|
|
|
|
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
|
|
|
|
|
|
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
|
|
|
static int
|
|
ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
|
|
unsigned char *outlen, const unsigned char *in, unsigned int inlen,
|
|
void *arg)
|
|
{
|
|
unsigned int srvlen;
|
|
unsigned char *srv;
|
|
#if (NGX_DEBUG)
|
|
unsigned int i;
|
|
#endif
|
|
#if (NGX_HTTP_V2 || NGX_HTTP_V3)
|
|
ngx_http_connection_t *hc;
|
|
#endif
|
|
#if (NGX_HTTP_V2)
|
|
ngx_http_v2_srv_conf_t *h2scf;
|
|
#endif
|
|
#if (NGX_HTTP_V3)
|
|
ngx_http_v3_srv_conf_t *h3scf;
|
|
#endif
|
|
#if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG)
|
|
ngx_connection_t *c;
|
|
|
|
c = ngx_ssl_get_connection(ssl_conn);
|
|
#endif
|
|
|
|
#if (NGX_DEBUG)
|
|
for (i = 0; i < inlen; i += in[i] + 1) {
|
|
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
|
"SSL ALPN supported by client: %*s",
|
|
(size_t) in[i], &in[i + 1]);
|
|
}
|
|
#endif
|
|
|
|
#if (NGX_HTTP_V2 || NGX_HTTP_V3)
|
|
hc = c->data;
|
|
#endif
|
|
|
|
#if (NGX_HTTP_V3)
|
|
if (hc->addr_conf->quic) {
|
|
|
|
h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);
|
|
|
|
if (h3scf->enable && h3scf->enable_hq) {
|
|
srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO
|
|
NGX_HTTP_V3_HQ_ALPN_PROTO;
|
|
srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO)
|
|
- 1;
|
|
|
|
} else if (h3scf->enable_hq) {
|
|
srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO;
|
|
srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1;
|
|
|
|
} else if (h3scf->enable) {
|
|
srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO;
|
|
srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1;
|
|
|
|
} else {
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
}
|
|
|
|
} else
|
|
#endif
|
|
{
|
|
#if (NGX_HTTP_V2)
|
|
h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
|
|
|
|
if (h2scf->enable || hc->addr_conf->http2) {
|
|
srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
|
|
srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
|
|
|
|
} else
|
|
#endif
|
|
{
|
|
srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
|
|
srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
|
|
}
|
|
}
|
|
|
|
if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
|
|
in, inlen)
|
|
!= OPENSSL_NPN_NEGOTIATED)
|
|
{
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
}
|
|
|
|
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
|
"SSL ALPN selected: %*s", (size_t) *outlen, *out);
|
|
|
|
return SSL_TLSEXT_ERR_OK;
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
static ngx_int_t
|
|
ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
|
ngx_http_variable_value_t *v, uintptr_t data)
|
|
{
|
|
ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
|
|
|
|
size_t len;
|
|
ngx_str_t s;
|
|
|
|
if (r->connection->ssl) {
|
|
|
|
(void) handler(r->connection, NULL, &s);
|
|
|
|
v->data = s.data;
|
|
|
|
for (len = 0; v->data[len]; len++) { /* void */ }
|
|
|
|
v->len = len;
|
|
v->valid = 1;
|
|
v->no_cacheable = 0;
|
|
v->not_found = 0;
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
v->not_found = 1;
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
static ngx_int_t
|
|
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
|
|
uintptr_t data)
|
|
{
|
|
ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
|
|
|
|
ngx_str_t s;
|
|
|
|
if (r->connection->ssl) {
|
|
|
|
if (handler(r->connection, r->pool, &s) != NGX_OK) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
v->len = s.len;
|
|
v->data = s.data;
|
|
|
|
if (v->len) {
|
|
v->valid = 1;
|
|
v->no_cacheable = 0;
|
|
v->not_found = 0;
|
|
|
|
return NGX_OK;
|
|
}
|
|
}
|
|
|
|
v->not_found = 1;
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
static ngx_int_t
|
|
ngx_http_ssl_add_variables(ngx_conf_t *cf)
|
|
{
|
|
ngx_http_variable_t *var, *v;
|
|
|
|
for (v = ngx_http_ssl_vars; v->name.len; v++) {
|
|
var = ngx_http_add_variable(cf, &v->name, v->flags);
|
|
if (var == NULL) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
var->get_handler = v->get_handler;
|
|
var->data = v->data;
|
|
}
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
static void *
|
|
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|
{
|
|
ngx_http_ssl_srv_conf_t *sscf;
|
|
|
|
sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
|
|
if (sscf == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* set by ngx_pcalloc():
|
|
*
|
|
* sscf->protocols = 0;
|
|
* sscf->certificate_values = NULL;
|
|
* sscf->dhparam = { 0, NULL };
|
|
* sscf->ecdh_curve = { 0, NULL };
|
|
* sscf->client_certificate = { 0, NULL };
|
|
* sscf->trusted_certificate = { 0, NULL };
|
|
* sscf->crl = { 0, NULL };
|
|
* sscf->ciphers = { 0, NULL };
|
|
* sscf->shm_zone = NULL;
|
|
* sscf->ocsp_responder = { 0, NULL };
|
|
* sscf->stapling_file = { 0, NULL };
|
|
* sscf->stapling_responder = { 0, NULL };
|
|
*/
|
|
|
|
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
|
|
sscf->certificate_compression = NGX_CONF_UNSET;
|
|
sscf->early_data = NGX_CONF_UNSET;
|
|
sscf->reject_handshake = NGX_CONF_UNSET;
|
|
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
|
|
sscf->verify = NGX_CONF_UNSET_UINT;
|
|
sscf->verify_depth = NGX_CONF_UNSET_UINT;
|
|
sscf->certificates = NGX_CONF_UNSET_PTR;
|
|
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
|
|
sscf->certificate_cache = NGX_CONF_UNSET_PTR;
|
|
sscf->passwords = NGX_CONF_UNSET_PTR;
|
|
sscf->conf_commands = NGX_CONF_UNSET_PTR;
|
|
sscf->builtin_session_cache = NGX_CONF_UNSET;
|
|
sscf->session_timeout = NGX_CONF_UNSET;
|
|
sscf->session_tickets = NGX_CONF_UNSET;
|
|
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
|
|
sscf->ocsp = NGX_CONF_UNSET_UINT;
|
|
sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
|
|
sscf->stapling = NGX_CONF_UNSET;
|
|
sscf->stapling_verify = NGX_CONF_UNSET;
|
|
|
|
return sscf;
|
|
}
|
|
|
|
|
|
static char *
|
|
ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
{
|
|
ngx_http_ssl_srv_conf_t *prev = parent;
|
|
ngx_http_ssl_srv_conf_t *conf = child;
|
|
|
|
ngx_pool_cleanup_t *cln;
|
|
|
|
ngx_conf_merge_value(conf->session_timeout,
|
|
prev->session_timeout, 300);
|
|
|
|
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
|
prev->prefer_server_ciphers, 0);
|
|
|
|
ngx_conf_merge_value(conf->certificate_compression,
|
|
prev->certificate_compression, 0);
|
|
|
|
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
|
|
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
|
|
|
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
|
(NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));
|
|
|
|
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
|
|
NGX_SSL_BUFSIZE);
|
|
|
|
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
|
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
|
|
|
|
ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
|
|
ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
|
|
NULL);
|
|
|
|
ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
|
|
NULL);
|
|
|
|
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
|
|
|
|
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
|
|
|
|
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
|
|
"");
|
|
ngx_conf_merge_str_value(conf->trusted_certificate,
|
|
prev->trusted_certificate, "");
|
|
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
|
|
|
|
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
|
|
NGX_DEFAULT_ECDH_CURVE);
|
|
|
|
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
|
|
|
|
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
|
|
|
ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
|
|
ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
|
|
ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
|
|
prev->ocsp_cache_zone, NULL);
|
|
|
|
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
|
|
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
|
|
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
|
|
ngx_conf_merge_str_value(conf->stapling_responder,
|
|
prev->stapling_responder, "");
|
|
|
|
conf->ssl.log = cf->log;
|
|
|
|
if (conf->certificates) {
|
|
|
|
if (conf->certificate_keys == NULL
|
|
|| conf->certificate_keys->nelts < conf->certificates->nelts)
|
|
{
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"no \"ssl_certificate_key\" is defined "
|
|
"for certificate \"%V\"",
|
|
((ngx_str_t *) conf->certificates->elts)
|
|
+ conf->certificates->nelts - 1);
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
} else if (!conf->reject_handshake) {
|
|
return NGX_CONF_OK;
|
|
}
|
|
|
|
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
cln = ngx_pool_cleanup_add(cf->pool, 0);
|
|
if (cln == NULL) {
|
|
ngx_ssl_cleanup_ctx(&conf->ssl);
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
cln->handler = ngx_ssl_cleanup_ctx;
|
|
cln->data = &conf->ssl;
|
|
|
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
|
|
|
if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
|
ngx_http_ssl_servername)
|
|
== 0)
|
|
{
|
|
ngx_log_error(NGX_LOG_WARN, cf->log, 0,
|
|
"nginx was built with SNI support, however, now it is linked "
|
|
"dynamically to an OpenSSL library which has no tlsext support, "
|
|
"therefore SNI is not available");
|
|
}
|
|
|
|
#endif
|
|
|
|
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
|
SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
|
|
#endif
|
|
|
|
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
|
|
conf->prefer_server_ciphers)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (conf->certificate_values) {
|
|
|
|
#ifdef SSL_R_CERT_CB_ERROR
|
|
|
|
/* install callback to lookup certificates */
|
|
|
|
SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);
|
|
|
|
#else
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"variables in "
|
|
"\"ssl_certificate\" and \"ssl_certificate_key\" "
|
|
"directives are not supported on this platform");
|
|
return NGX_CONF_ERROR;
|
|
#endif
|
|
|
|
} else if (conf->certificates) {
|
|
|
|
/* configure certificates */
|
|
|
|
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
|
conf->certificate_keys, conf->passwords)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (ngx_ssl_certificate_compression(cf, &conf->ssl,
|
|
conf->certificate_compression)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
}
|
|
|
|
conf->ssl.buffer_size = conf->buffer_size;
|
|
|
|
if (conf->verify) {
|
|
|
|
if (conf->verify != 3
|
|
&& conf->client_certificate.len == 0
|
|
&& conf->trusted_certificate.len == 0)
|
|
{
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"no ssl_client_certificate or "
|
|
"ssl_trusted_certificate for ssl_verify_client");
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (ngx_ssl_client_certificate(cf, &conf->ssl,
|
|
&conf->client_certificate,
|
|
conf->verify_depth)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
}
|
|
|
|
if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
|
|
&conf->trusted_certificate,
|
|
conf->verify_depth)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (conf->ocsp) {
|
|
|
|
if (conf->verify == 3) {
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"\"ssl_ocsp\" is incompatible with "
|
|
"\"ssl_verify_client optional_no_ca\"");
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp,
|
|
conf->ocsp_cache_zone)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
}
|
|
|
|
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
ngx_conf_merge_value(conf->builtin_session_cache,
|
|
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
|
|
|
|
if (conf->shm_zone == NULL) {
|
|
conf->shm_zone = prev->shm_zone;
|
|
}
|
|
|
|
if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
|
|
conf->certificates, conf->builtin_session_cache,
|
|
conf->shm_zone, conf->session_timeout)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1);
|
|
|
|
#ifdef SSL_OP_NO_TICKET
|
|
if (!conf->session_tickets) {
|
|
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
|
|
}
|
|
#endif
|
|
|
|
ngx_conf_merge_ptr_value(conf->session_ticket_keys,
|
|
prev->session_ticket_keys, NULL);
|
|
|
|
if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (conf->stapling) {
|
|
|
|
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
|
|
&conf->stapling_responder, conf->stapling_verify)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
}
|
|
|
|
if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
return NGX_CONF_OK;
|
|
}
|
|
|
|
|
|
static ngx_int_t
|
|
ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
|
|
ngx_http_ssl_srv_conf_t *conf)
|
|
{
|
|
ngx_str_t *cert, *key;
|
|
ngx_uint_t i, nelts;
|
|
ngx_http_complex_value_t *cv;
|
|
ngx_http_compile_complex_value_t ccv;
|
|
|
|
if (conf->certificates == NULL) {
|
|
return NGX_OK;
|
|
}
|
|
|
|
cert = conf->certificates->elts;
|
|
key = conf->certificate_keys->elts;
|
|
nelts = conf->certificates->nelts;
|
|
|
|
for (i = 0; i < nelts; i++) {
|
|
|
|
if (ngx_http_script_variables_count(&cert[i])) {
|
|
goto found;
|
|
}
|
|
|
|
if (ngx_http_script_variables_count(&key[i])) {
|
|
goto found;
|
|
}
|
|
}
|
|
|
|
return NGX_OK;
|
|
|
|
found:
|
|
|
|
conf->certificate_values = ngx_array_create(cf->pool, nelts,
|
|
sizeof(ngx_http_complex_value_t));
|
|
if (conf->certificate_values == NULL) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
conf->certificate_key_values = ngx_array_create(cf->pool, nelts,
|
|
sizeof(ngx_http_complex_value_t));
|
|
if (conf->certificate_key_values == NULL) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
for (i = 0; i < nelts; i++) {
|
|
|
|
cv = ngx_array_push(conf->certificate_values);
|
|
if (cv == NULL) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
|
|
|
|
ccv.cf = cf;
|
|
ccv.value = &cert[i];
|
|
ccv.complex_value = cv;
|
|
ccv.zero = 1;
|
|
|
|
if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
cv = ngx_array_push(conf->certificate_key_values);
|
|
if (cv == NULL) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
|
|
|
|
ccv.cf = cf;
|
|
ccv.value = &key[i];
|
|
ccv.complex_value = cv;
|
|
ccv.zero = 1;
|
|
|
|
if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
|
|
return NGX_ERROR;
|
|
}
|
|
}
|
|
|
|
conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
|
|
if (conf->passwords == NULL) {
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
static char *
|
|
ngx_http_ssl_certificate_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
{
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
time_t inactive, valid;
|
|
ngx_str_t *value, s;
|
|
ngx_int_t max;
|
|
ngx_uint_t i;
|
|
|
|
if (sscf->certificate_cache != NGX_CONF_UNSET_PTR) {
|
|
return "is duplicate";
|
|
}
|
|
|
|
value = cf->args->elts;
|
|
|
|
max = 0;
|
|
inactive = 10;
|
|
valid = 60;
|
|
|
|
for (i = 1; i < cf->args->nelts; i++) {
|
|
|
|
if (ngx_strncmp(value[i].data, "max=", 4) == 0) {
|
|
|
|
max = ngx_atoi(value[i].data + 4, value[i].len - 4);
|
|
if (max <= 0) {
|
|
goto failed;
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
if (ngx_strncmp(value[i].data, "inactive=", 9) == 0) {
|
|
|
|
s.len = value[i].len - 9;
|
|
s.data = value[i].data + 9;
|
|
|
|
inactive = ngx_parse_time(&s, 1);
|
|
if (inactive == (time_t) NGX_ERROR) {
|
|
goto failed;
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
if (ngx_strncmp(value[i].data, "valid=", 6) == 0) {
|
|
|
|
s.len = value[i].len - 6;
|
|
s.data = value[i].data + 6;
|
|
|
|
valid = ngx_parse_time(&s, 1);
|
|
if (valid == (time_t) NGX_ERROR) {
|
|
goto failed;
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
if (ngx_strcmp(value[i].data, "off") == 0) {
|
|
|
|
sscf->certificate_cache = NULL;
|
|
|
|
continue;
|
|
}
|
|
|
|
failed:
|
|
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
"invalid parameter \"%V\"", &value[i]);
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
if (sscf->certificate_cache == NULL) {
|
|
return NGX_CONF_OK;
|
|
}
|
|
|
|
if (max == 0) {
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
"\"ssl_certificate_cache\" must have "
|
|
"the \"max\" parameter");
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
sscf->certificate_cache = ngx_ssl_cache_init(cf->pool, max, valid,
|
|
inactive);
|
|
if (sscf->certificate_cache == NULL) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
return NGX_CONF_OK;
|
|
}
|
|
|
|
|
|
static char *
|
|
ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
{
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
ngx_str_t *value;
|
|
|
|
if (sscf->passwords != NGX_CONF_UNSET_PTR) {
|
|
return "is duplicate";
|
|
}
|
|
|
|
value = cf->args->elts;
|
|
|
|
sscf->passwords = ngx_ssl_read_password_file(cf, &value[1]);
|
|
|
|
if (sscf->passwords == NULL) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
return NGX_CONF_OK;
|
|
}
|
|
|
|
|
|
static char *
|
|
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
{
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
size_t len;
|
|
ngx_str_t *value, name, size;
|
|
ngx_int_t n;
|
|
ngx_uint_t i, j;
|
|
|
|
value = cf->args->elts;
|
|
|
|
for (i = 1; i < cf->args->nelts; i++) {
|
|
|
|
if (ngx_strcmp(value[i].data, "off") == 0) {
|
|
sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
|
|
continue;
|
|
}
|
|
|
|
if (ngx_strcmp(value[i].data, "none") == 0) {
|
|
sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
|
|
continue;
|
|
}
|
|
|
|
if (ngx_strcmp(value[i].data, "builtin") == 0) {
|
|
sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
|
|
continue;
|
|
}
|
|
|
|
if (value[i].len > sizeof("builtin:") - 1
|
|
&& ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
|
|
== 0)
|
|
{
|
|
n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
|
|
value[i].len - (sizeof("builtin:") - 1));
|
|
|
|
if (n == NGX_ERROR) {
|
|
goto invalid;
|
|
}
|
|
|
|
sscf->builtin_session_cache = n;
|
|
|
|
continue;
|
|
}
|
|
|
|
if (value[i].len > sizeof("shared:") - 1
|
|
&& ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
|
|
== 0)
|
|
{
|
|
len = 0;
|
|
|
|
for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
|
|
if (value[i].data[j] == ':') {
|
|
break;
|
|
}
|
|
|
|
len++;
|
|
}
|
|
|
|
if (len == 0 || j == value[i].len) {
|
|
goto invalid;
|
|
}
|
|
|
|
name.len = len;
|
|
name.data = value[i].data + sizeof("shared:") - 1;
|
|
|
|
size.len = value[i].len - j - 1;
|
|
size.data = name.data + len + 1;
|
|
|
|
n = ngx_parse_size(&size);
|
|
|
|
if (n == NGX_ERROR) {
|
|
goto invalid;
|
|
}
|
|
|
|
if (n < (ngx_int_t) (8 * ngx_pagesize)) {
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
"session cache \"%V\" is too small",
|
|
&value[i]);
|
|
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
|
|
&ngx_http_ssl_module);
|
|
if (sscf->shm_zone == NULL) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
sscf->shm_zone->init = ngx_ssl_session_cache_init;
|
|
|
|
continue;
|
|
}
|
|
|
|
goto invalid;
|
|
}
|
|
|
|
if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
|
|
sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
|
|
}
|
|
|
|
return NGX_CONF_OK;
|
|
|
|
invalid:
|
|
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
"invalid session cache \"%V\"", &value[i]);
|
|
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
|
|
static char *
|
|
ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
{
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
size_t len;
|
|
ngx_int_t n;
|
|
ngx_str_t *value, name, size;
|
|
ngx_uint_t j;
|
|
|
|
if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) {
|
|
return "is duplicate";
|
|
}
|
|
|
|
value = cf->args->elts;
|
|
|
|
if (ngx_strcmp(value[1].data, "off") == 0) {
|
|
sscf->ocsp_cache_zone = NULL;
|
|
return NGX_CONF_OK;
|
|
}
|
|
|
|
if (value[1].len <= sizeof("shared:") - 1
|
|
|| ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0)
|
|
{
|
|
goto invalid;
|
|
}
|
|
|
|
len = 0;
|
|
|
|
for (j = sizeof("shared:") - 1; j < value[1].len; j++) {
|
|
if (value[1].data[j] == ':') {
|
|
break;
|
|
}
|
|
|
|
len++;
|
|
}
|
|
|
|
if (len == 0 || j == value[1].len) {
|
|
goto invalid;
|
|
}
|
|
|
|
name.len = len;
|
|
name.data = value[1].data + sizeof("shared:") - 1;
|
|
|
|
size.len = value[1].len - j - 1;
|
|
size.data = name.data + len + 1;
|
|
|
|
n = ngx_parse_size(&size);
|
|
|
|
if (n == NGX_ERROR) {
|
|
goto invalid;
|
|
}
|
|
|
|
if (n < (ngx_int_t) (8 * ngx_pagesize)) {
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
"OCSP cache \"%V\" is too small", &value[1]);
|
|
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n,
|
|
&ngx_http_ssl_module_ctx);
|
|
if (sscf->ocsp_cache_zone == NULL) {
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init;
|
|
|
|
return NGX_CONF_OK;
|
|
|
|
invalid:
|
|
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
"invalid OCSP cache \"%V\"", &value[1]);
|
|
|
|
return NGX_CONF_ERROR;
|
|
}
|
|
|
|
|
|
static char *
|
|
ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
|
|
{
|
|
#ifndef SSL_CONF_FLAG_FILE
|
|
return "is not supported on this platform";
|
|
#else
|
|
return NGX_CONF_OK;
|
|
#endif
|
|
}
|
|
|
|
|
|
static ngx_int_t
|
|
ngx_http_ssl_init(ngx_conf_t *cf)
|
|
{
|
|
ngx_uint_t a, p, s;
|
|
const char *name;
|
|
ngx_http_conf_addr_t *addr;
|
|
ngx_http_conf_port_t *port;
|
|
ngx_http_ssl_srv_conf_t *sscf;
|
|
ngx_http_core_loc_conf_t *clcf;
|
|
ngx_http_core_srv_conf_t **cscfp, *cscf;
|
|
ngx_http_core_main_conf_t *cmcf;
|
|
|
|
cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
|
|
cscfp = cmcf->servers.elts;
|
|
|
|
for (s = 0; s < cmcf->servers.nelts; s++) {
|
|
|
|
sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
|
|
|
if (sscf->ssl.ctx == NULL) {
|
|
continue;
|
|
}
|
|
|
|
clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
|
|
|
|
if (sscf->stapling) {
|
|
if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
|
|
clcf->resolver_timeout)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_ERROR;
|
|
}
|
|
}
|
|
|
|
if (sscf->ocsp) {
|
|
if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver,
|
|
clcf->resolver_timeout)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_ERROR;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (cmcf->ports == NULL) {
|
|
return NGX_OK;
|
|
}
|
|
|
|
port = cmcf->ports->elts;
|
|
for (p = 0; p < cmcf->ports->nelts; p++) {
|
|
|
|
addr = port[p].addrs.elts;
|
|
for (a = 0; a < port[p].addrs.nelts; a++) {
|
|
|
|
if (!addr[a].opt.ssl && !addr[a].opt.quic) {
|
|
continue;
|
|
}
|
|
|
|
if (addr[a].opt.quic) {
|
|
name = "quic";
|
|
|
|
#if (NGX_QUIC_OPENSSL_COMPAT)
|
|
if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) {
|
|
return NGX_ERROR;
|
|
}
|
|
#endif
|
|
|
|
} else {
|
|
name = "ssl";
|
|
}
|
|
|
|
cscf = addr[a].default_server;
|
|
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
|
|
|
if (sscf->certificates) {
|
|
|
|
if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"\"ssl_protocols\" must enable TLSv1.3 for "
|
|
"the \"listen ... %s\" directive in %s:%ui",
|
|
name, cscf->file_name, cscf->line);
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
if (!sscf->reject_handshake) {
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"no \"ssl_certificate\" is defined for "
|
|
"the \"listen ... %s\" directive in %s:%ui",
|
|
name, cscf->file_name, cscf->line);
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
/*
|
|
* if no certificates are defined in the default server,
|
|
* check all non-default server blocks
|
|
*/
|
|
|
|
cscfp = addr[a].servers.elts;
|
|
for (s = 0; s < addr[a].servers.nelts; s++) {
|
|
|
|
cscf = cscfp[s];
|
|
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
|
|
|
if (sscf->certificates || sscf->reject_handshake) {
|
|
continue;
|
|
}
|
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"no \"ssl_certificate\" is defined for "
|
|
"the \"listen ... %s\" directive in %s:%ui",
|
|
name, cscf->file_name, cscf->line);
|
|
return NGX_ERROR;
|
|
}
|
|
}
|
|
}
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
#if (NGX_QUIC_OPENSSL_COMPAT)
|
|
|
|
static ngx_int_t
|
|
ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
|
|
{
|
|
ngx_uint_t s;
|
|
ngx_http_ssl_srv_conf_t *sscf;
|
|
ngx_http_core_srv_conf_t **cscfp, *cscf;
|
|
|
|
cscfp = addr->servers.elts;
|
|
for (s = 0; s < addr->servers.nelts; s++) {
|
|
|
|
cscf = cscfp[s];
|
|
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
|
|
|
if (sscf->certificates || sscf->reject_handshake) {
|
|
if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
|
|
return NGX_ERROR;
|
|
}
|
|
}
|
|
}
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
#endif
|