One Level Up Top Level

src/http/modules/ngx_http_ssl_module.c - nginx-1.7.10

Global variables defined

Data types defined

Functions defined

Macros defined

Source code


  2. /*
  3. * Copyright (C) Igor Sysoev
  4. * Copyright (C) Nginx, Inc.
  5. */


  8. #include <ngx_config.h>
  9. #include <ngx_core.h>
  10. #include <ngx_http.h>


  13. typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
  14.     ngx_pool_t *pool, ngx_str_t *s);


  17. #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
  18. #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"

  20. #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"


  23. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  24. static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
  25.     const unsigned char **out, unsigned char *outlen,
  26.     const unsigned char *in, unsigned int inlen, void *arg);
  27. #endif

  29. #ifdef TLSEXT_TYPE_next_proto_neg
  30. static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
  31.     const unsigned char **out, unsigned int *outlen, void *arg);
  32. #endif

  34. static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
  35.     ngx_http_variable_value_t *v, uintptr_t data);
  36. static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
  37.     ngx_http_variable_value_t *v, uintptr_t data);

  39. static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
  40. static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
  41. static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
  42.     void *parent, void *child);

  44. static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
  45.     void *conf);
  46. static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
  47.     void *conf);
  48. static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
  49.     void *conf);

  51. static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);


  54. static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
  55.     { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
  56.     { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
  57.     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
  58.     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
  59.     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
  60.     { ngx_null_string, 0 }
  61. };


  64. static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
  65.     { ngx_string("off"), 0 },
  66.     { ngx_string("on"), 1 },
  67.     { ngx_string("optional"), 2 },
  68.     { ngx_string("optional_no_ca"), 3 },
  69.     { ngx_null_string, 0 }
  70. };


  73. static ngx_command_t  ngx_http_ssl_commands[] = {

  75.     { ngx_string("ssl"),
  76.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  77.       ngx_http_ssl_enable,
  78.       NGX_HTTP_SRV_CONF_OFFSET,
  79.       offsetof(ngx_http_ssl_srv_conf_t, enable),
  80.       NULL },

  82.     { ngx_string("ssl_certificate"),
  83.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  84.       ngx_conf_set_str_slot,
  85.       NGX_HTTP_SRV_CONF_OFFSET,
  86.       offsetof(ngx_http_ssl_srv_conf_t, certificate),
  87.       NULL },

  89.     { ngx_string("ssl_certificate_key"),
  90.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  91.       ngx_conf_set_str_slot,
  92.       NGX_HTTP_SRV_CONF_OFFSET,
  93.       offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
  94.       NULL },

  96.     { ngx_string("ssl_password_file"),
  97.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  98.       ngx_http_ssl_password_file,
  99.       NGX_HTTP_SRV_CONF_OFFSET,
  100.       0,
  101.       NULL },

  103.     { ngx_string("ssl_dhparam"),
  104.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  105.       ngx_conf_set_str_slot,
  106.       NGX_HTTP_SRV_CONF_OFFSET,
  107.       offsetof(ngx_http_ssl_srv_conf_t, dhparam),
  108.       NULL },

  110.     { ngx_string("ssl_ecdh_curve"),
  111.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  112.       ngx_conf_set_str_slot,
  113.       NGX_HTTP_SRV_CONF_OFFSET,
  114.       offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
  115.       NULL },

  117.     { ngx_string("ssl_protocols"),
  118.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
  119.       ngx_conf_set_bitmask_slot,
  120.       NGX_HTTP_SRV_CONF_OFFSET,
  121.       offsetof(ngx_http_ssl_srv_conf_t, protocols),
  122.       &ngx_http_ssl_protocols },

  124.     { ngx_string("ssl_ciphers"),
  125.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  126.       ngx_conf_set_str_slot,
  127.       NGX_HTTP_SRV_CONF_OFFSET,
  128.       offsetof(ngx_http_ssl_srv_conf_t, ciphers),
  129.       NULL },

  131.     { ngx_string("ssl_buffer_size"),
  132.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  133.       ngx_conf_set_size_slot,
  134.       NGX_HTTP_SRV_CONF_OFFSET,
  135.       offsetof(ngx_http_ssl_srv_conf_t, buffer_size),
  136.       NULL },

  138.     { ngx_string("ssl_verify_client"),
  139.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  140.       ngx_conf_set_enum_slot,
  141.       NGX_HTTP_SRV_CONF_OFFSET,
  142.       offsetof(ngx_http_ssl_srv_conf_t, verify),
  143.       &ngx_http_ssl_verify },

  145.     { ngx_string("ssl_verify_depth"),
  146.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  147.       ngx_conf_set_num_slot,
  148.       NGX_HTTP_SRV_CONF_OFFSET,
  149.       offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
  150.       NULL },

  152.     { ngx_string("ssl_client_certificate"),
  153.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  154.       ngx_conf_set_str_slot,
  155.       NGX_HTTP_SRV_CONF_OFFSET,
  156.       offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
  157.       NULL },

  159.     { ngx_string("ssl_trusted_certificate"),
  160.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  161.       ngx_conf_set_str_slot,
  162.       NGX_HTTP_SRV_CONF_OFFSET,
  163.       offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
  164.       NULL },

  166.     { ngx_string("ssl_prefer_server_ciphers"),
  167.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  168.       ngx_conf_set_flag_slot,
  169.       NGX_HTTP_SRV_CONF_OFFSET,
  170.       offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
  171.       NULL },

  173.     { ngx_string("ssl_session_cache"),
  174.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
  175.       ngx_http_ssl_session_cache,
  176.       NGX_HTTP_SRV_CONF_OFFSET,
  177.       0,
  178.       NULL },

  180.     { ngx_string("ssl_session_tickets"),
  181.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  182.       ngx_conf_set_flag_slot,
  183.       NGX_HTTP_SRV_CONF_OFFSET,
  184.       offsetof(ngx_http_ssl_srv_conf_t, session_tickets),
  185.       NULL },

  187.     { ngx_string("ssl_session_ticket_key"),
  188.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  189.       ngx_conf_set_str_array_slot,
  190.       NGX_HTTP_SRV_CONF_OFFSET,
  191.       offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys),
  192.       NULL },

  194.     { ngx_string("ssl_session_timeout"),
  195.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  196.       ngx_conf_set_sec_slot,
  197.       NGX_HTTP_SRV_CONF_OFFSET,
  198.       offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
  199.       NULL },

  201.     { ngx_string("ssl_crl"),
  202.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  203.       ngx_conf_set_str_slot,
  204.       NGX_HTTP_SRV_CONF_OFFSET,
  205.       offsetof(ngx_http_ssl_srv_conf_t, crl),
  206.       NULL },

  208.     { ngx_string("ssl_stapling"),
  209.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  210.       ngx_conf_set_flag_slot,
  211.       NGX_HTTP_SRV_CONF_OFFSET,
  212.       offsetof(ngx_http_ssl_srv_conf_t, stapling),
  213.       NULL },

  215.     { ngx_string("ssl_stapling_file"),
  216.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  217.       ngx_conf_set_str_slot,
  218.       NGX_HTTP_SRV_CONF_OFFSET,
  219.       offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
  220.       NULL },

  222.     { ngx_string("ssl_stapling_responder"),
  223.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  224.       ngx_conf_set_str_slot,
  225.       NGX_HTTP_SRV_CONF_OFFSET,
  226.       offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
  227.       NULL },

  229.     { ngx_string("ssl_stapling_verify"),
  230.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  231.       ngx_conf_set_flag_slot,
  232.       NGX_HTTP_SRV_CONF_OFFSET,
  233.       offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
  234.       NULL },

  236.       ngx_null_command
  237. };


  240. static ngx_http_module_t  ngx_http_ssl_module_ctx = {
  241.     ngx_http_ssl_add_variables,            /* preconfiguration */
  242.     ngx_http_ssl_init,                     /* postconfiguration */

  244.     NULL,                                  /* create main configuration */
  245.     NULL,                                  /* init main configuration */

  247.     ngx_http_ssl_create_srv_conf,          /* create server configuration */
  248.     ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

  250.     NULL,                                  /* create location configuration */
  251.     NULL                                   /* merge location configuration */
  252. };


  255. ngx_module_t  ngx_http_ssl_module = {
  256.     NGX_MODULE_V1,
  257.     &ngx_http_ssl_module_ctx,              /* module context */
  258.     ngx_http_ssl_commands,                 /* module directives */
  259.     NGX_HTTP_MODULE,                       /* module type */
  260.     NULL,                                  /* init master */
  261.     NULL,                                  /* init module */
  262.     NULL,                                  /* init process */
  263.     NULL,                                  /* init thread */
  264.     NULL,                                  /* exit thread */
  265.     NULL,                                  /* exit process */
  266.     NULL,                                  /* exit master */
  267.     NGX_MODULE_V1_PADDING
  268. };


  271. static ngx_http_variable_t  ngx_http_ssl_vars[] = {

  273.     { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
  274.       (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

  276.     { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
  277.       (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

  279.     { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
  280.       (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

  282.     { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
  283.       (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },

  285.     { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
  286.       (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

  288.     { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
  289.       (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

  291.     { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
  292.       (uintptr_t) ngx_ssl_get_raw_certificate,
  293.       NGX_HTTP_VAR_CHANGEABLE, 0 },

  295.     { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
  296.       (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

  298.     { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
  299.       (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

  301.     { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
  302.       (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

  304.     { ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
  305.       (uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },

  307.     { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
  308.       (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

  310.     { ngx_null_string, NULL, NULL, 0, 0, 0 }
  311. };


  314. static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");


  317. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

  319. static int
  320. ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
  321.     unsigned char *outlen, const unsigned char *in, unsigned int inlen,
  322.     void *arg)
  323. {
  324.     unsigned int            srvlen;
  325.     unsigned char          *srv;
  326. #if (NGX_DEBUG)
  327.     unsigned int            i;
  328. #endif
  329. #if (NGX_HTTP_SPDY)
  330.     ngx_http_connection_t  *hc;
  331. #endif
  332. #if (NGX_HTTP_SPDY || NGX_DEBUG)
  333.     ngx_connection_t       *c;

  335.     c = ngx_ssl_get_connection(ssl_conn);
  336. #endif

  338. #if (NGX_DEBUG)
  339.     for (i = 0; i < inlen; i += in[i] + 1) {
  340.          ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
  341.                         "SSL ALPN supported by client: %*s", in[i], &in[i + 1]);
  342.     }
  343. #endif

  345. #if (NGX_HTTP_SPDY)
  346.     hc = c->data;

  348.     if (hc->addr_conf->spdy) {
  349.         srv = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
  350.         srvlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;

  352.     } else
  353. #endif
  354.     {
  355.         srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
  356.         srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
  357.     }

  359.     if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
  360.                               in, inlen)
  361.         != OPENSSL_NPN_NEGOTIATED)
  362.     {
  363.         return SSL_TLSEXT_ERR_NOACK;
  364.     }

  366.     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
  367.                    "SSL ALPN selected: %*s", *outlen, *out);

  369.     return SSL_TLSEXT_ERR_OK;
  370. }

  372. #endif


  375. #ifdef TLSEXT_TYPE_next_proto_neg

  377. static int
  378. ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
  379.     const unsigned char **out, unsigned int *outlen, void *arg)
  380. {
  381. #if (NGX_HTTP_SPDY || NGX_DEBUG)
  382.     ngx_connection_t  *c;

  384.     c = ngx_ssl_get_connection(ssl_conn);
  385.     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
  386. #endif

  388. #if (NGX_HTTP_SPDY)
  389.     {
  390.     ngx_http_connection_t  *hc;

  392.     hc = c->data;

  394.     if (hc->addr_conf->spdy) {
  395.         *out = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
  396.         *outlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;

  398.         return SSL_TLSEXT_ERR_OK;
  399.     }
  400.     }
  401. #endif

  403.     *out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
  404.     *outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;

  406.     return SSL_TLSEXT_ERR_OK;
  407. }

  409. #endif


  412. static ngx_int_t
  413. ngx_http_ssl_static_variable(ngx_http_request_t *r,
  414.     ngx_http_variable_value_t *v, uintptr_t data)
  415. {
  416.     ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

  418.     size_t     len;
  419.     ngx_str_t  s;

  421.     if (r->connection->ssl) {

  423.         (void) handler(r->connection, NULL, &s);

  425.         v->data = s.data;

  427.         for (len = 0; v->data[len]; len++) { /* void */ }

  429.         v->len = len;
  430.         v->valid = 1;
  431.         v->no_cacheable = 0;
  432.         v->not_found = 0;

  434.         return NGX_OK;
  435.     }

  437.     v->not_found = 1;

  439.     return NGX_OK;
  440. }


  443. static ngx_int_t
  444. ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
  445.     uintptr_t data)
  446. {
  447.     ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

  449.     ngx_str_t  s;

  451.     if (r->connection->ssl) {

  453.         if (handler(r->connection, r->pool, &s) != NGX_OK) {
  454.             return NGX_ERROR;
  455.         }

  457.         v->len = s.len;
  458.         v->data = s.data;

  460.         if (v->len) {
  461.             v->valid = 1;
  462.             v->no_cacheable = 0;
  463.             v->not_found = 0;

  465.             return NGX_OK;
  466.         }
  467.     }

  469.     v->not_found = 1;

  471.     return NGX_OK;
  472. }


  475. static ngx_int_t
  476. ngx_http_ssl_add_variables(ngx_conf_t *cf)
  477. {
  478.     ngx_http_variable_t  *var, *v;

  480.     for (v = ngx_http_ssl_vars; v->name.len; v++) {
  481.         var = ngx_http_add_variable(cf, &v->name, v->flags);
  482.         if (var == NULL) {
  483.             return NGX_ERROR;
  484.         }

  486.         var->get_handler = v->get_handler;
  487.         var->data = v->data;
  488.     }

  490.     return NGX_OK;
  491. }


  494. static void *
  495. ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
  496. {
  497.     ngx_http_ssl_srv_conf_t  *sscf;

  499.     sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
  500.     if (sscf == NULL) {
  501.         return NULL;
  502.     }

  504.     /*
  505.      * set by ngx_pcalloc():
  506.      *
  507.      *     sscf->protocols = 0;
  508.      *     sscf->certificate = { 0, NULL };
  509.      *     sscf->certificate_key = { 0, NULL };
  510.      *     sscf->dhparam = { 0, NULL };
  511.      *     sscf->ecdh_curve = { 0, NULL };
  512.      *     sscf->client_certificate = { 0, NULL };
  513.      *     sscf->trusted_certificate = { 0, NULL };
  514.      *     sscf->crl = { 0, NULL };
  515.      *     sscf->ciphers = { 0, NULL };
  516.      *     sscf->shm_zone = NULL;
  517.      *     sscf->stapling_file = { 0, NULL };
  518.      *     sscf->stapling_responder = { 0, NULL };
  519.      */

  521.     sscf->enable = NGX_CONF_UNSET;
  522.     sscf->prefer_server_ciphers = NGX_CONF_UNSET;
  523.     sscf->buffer_size = NGX_CONF_UNSET_SIZE;
  524.     sscf->verify = NGX_CONF_UNSET_UINT;
  525.     sscf->verify_depth = NGX_CONF_UNSET_UINT;
  526.     sscf->passwords = NGX_CONF_UNSET_PTR;
  527.     sscf->builtin_session_cache = NGX_CONF_UNSET;
  528.     sscf->session_timeout = NGX_CONF_UNSET;
  529.     sscf->session_tickets = NGX_CONF_UNSET;
  530.     sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
  531.     sscf->stapling = NGX_CONF_UNSET;
  532.     sscf->stapling_verify = NGX_CONF_UNSET;

  534.     return sscf;
  535. }


  538. static char *
  539. ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
  540. {
  541.     ngx_http_ssl_srv_conf_t *prev = parent;
  542.     ngx_http_ssl_srv_conf_t *conf = child;

  544.     ngx_pool_cleanup_t  *cln;

  546.     if (conf->enable == NGX_CONF_UNSET) {
  547.         if (prev->enable == NGX_CONF_UNSET) {
  548.             conf->enable = 0;

  550.         } else {
  551.             conf->enable = prev->enable;
  552.             conf->file = prev->file;
  553.             conf->line = prev->line;
  554.         }
  555.     }

  557.     ngx_conf_merge_value(conf->session_timeout,
  558.                          prev->session_timeout, 300);

  560.     ngx_conf_merge_value(conf->prefer_server_ciphers,
  561.                          prev->prefer_server_ciphers, 0);

  563.     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
  564.                          (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
  565.                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

  567.     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
  568.                          NGX_SSL_BUFSIZE);

  570.     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
  571.     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

  573.     ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
  574.     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");

  576.     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

  578.     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

  580.     ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
  581.                          "");
  582.     ngx_conf_merge_str_value(conf->trusted_certificate,
  583.                          prev->trusted_certificate, "");
  584.     ngx_conf_merge_str_value(conf->crl, prev->crl, "");

  586.     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
  587.                          NGX_DEFAULT_ECDH_CURVE);

  589.     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

  591.     ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
  592.     ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
  593.     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
  594.     ngx_conf_merge_str_value(conf->stapling_responder,
  595.                          prev->stapling_responder, "");

  597.     conf->ssl.log = cf->log;

  599.     if (conf->enable) {

  601.         if (conf->certificate.len == 0) {
  602.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  603.                           "no \"ssl_certificate\" is defined for "
  604.                           "the \"ssl\" directive in %s:%ui",
  605.                           conf->file, conf->line);
  606.             return NGX_CONF_ERROR;
  607.         }

  609.         if (conf->certificate_key.len == 0) {
  610.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  611.                           "no \"ssl_certificate_key\" is defined for "
  612.                           "the \"ssl\" directive in %s:%ui",
  613.                           conf->file, conf->line);
  614.             return NGX_CONF_ERROR;
  615.         }

  617.     } else {

  619.         if (conf->certificate.len == 0) {
  620.             return NGX_CONF_OK;
  621.         }

  623.         if (conf->certificate_key.len == 0) {
  624.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  625.                           "no \"ssl_certificate_key\" is defined "
  626.                           "for certificate \"%V\"", &conf->certificate);
  627.             return NGX_CONF_ERROR;
  628.         }
  629.     }

  631.     if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
  632.         return NGX_CONF_ERROR;
  633.     }

  635. #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

  637.     if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
  638.                                                ngx_http_ssl_servername)
  639.         == 0)
  640.     {
  641.         ngx_log_error(NGX_LOG_WARN, cf->log, 0,
  642.             "nginx was built with SNI support, however, now it is linked "
  643.             "dynamically to an OpenSSL library which has no tlsext support, "
  644.             "therefore SNI is not available");
  645.     }

  647. #endif

  649. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  650.     SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
  651. #endif

  653. #ifdef TLSEXT_TYPE_next_proto_neg
  654.     SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
  655.                                           ngx_http_ssl_npn_advertised, NULL);
  656. #endif

  658.     cln = ngx_pool_cleanup_add(cf->pool, 0);
  659.     if (cln == NULL) {
  660.         return NGX_CONF_ERROR;
  661.     }

  663.     cln->handler = ngx_ssl_cleanup_ctx;
  664.     cln->data = &conf->ssl;

  666.     if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
  667.                             &conf->certificate_key, conf->passwords)
  668.         != NGX_OK)
  669.     {
  670.         return NGX_CONF_ERROR;
  671.     }

  673.     if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
  674.                                 (const char *) conf->ciphers.data)
  675.         == 0)
  676.     {
  677.         ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
  678.                       "SSL_CTX_set_cipher_list(\"%V\") failed",
  679.                       &conf->ciphers);
  680.         return NGX_CONF_ERROR;
  681.     }

  683.     conf->ssl.buffer_size = conf->buffer_size;

  685.     if (conf->verify) {

  687.         if (conf->client_certificate.len == 0 && conf->verify != 3) {
  688.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  689.                           "no ssl_client_certificate for ssl_client_verify");
  690.             return NGX_CONF_ERROR;
  691.         }

  693.         if (ngx_ssl_client_certificate(cf, &conf->ssl,
  694.                                        &conf->client_certificate,
  695.                                        conf->verify_depth)
  696.             != NGX_OK)
  697.         {
  698.             return NGX_CONF_ERROR;
  699.         }
  700.     }

  702.     if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
  703.                                     &conf->trusted_certificate,
  704.                                     conf->verify_depth)
  705.         != NGX_OK)
  706.     {
  707.         return NGX_CONF_ERROR;
  708.     }

  710.     if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
  711.         return NGX_CONF_ERROR;
  712.     }

  714.     if (conf->prefer_server_ciphers) {
  715.         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  716.     }

  718.     /* a temporary 512-bit RSA key is required for export versions of MSIE */
  719.     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);

  721.     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
  722.         return NGX_CONF_ERROR;
  723.     }

  725.     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
  726.         return NGX_CONF_ERROR;
  727.     }

  729.     ngx_conf_merge_value(conf->builtin_session_cache,
  730.                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

  732.     if (conf->shm_zone == NULL) {
  733.         conf->shm_zone = prev->shm_zone;
  734.     }

  736.     if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
  737.                               conf->builtin_session_cache,
  738.                               conf->shm_zone, conf->session_timeout)
  739.         != NGX_OK)
  740.     {
  741.         return NGX_CONF_ERROR;
  742.     }

  744.     ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1);

  746. #ifdef SSL_OP_NO_TICKET
  747.     if (!conf->session_tickets) {
  748.         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
  749.     }
  750. #endif

  752.     ngx_conf_merge_ptr_value(conf->session_ticket_keys,
  753.                          prev->session_ticket_keys, NULL);

  755.     if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
  756.         != NGX_OK)
  757.     {
  758.         return NGX_CONF_ERROR;
  759.     }

  761.     if (conf->stapling) {

  763.         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
  764.                              &conf->stapling_responder, conf->stapling_verify)
  765.             != NGX_OK)
  766.         {
  767.             return NGX_CONF_ERROR;
  768.         }

  770.     }

  772.     return NGX_CONF_OK;
  773. }


  776. static char *
  777. ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  778. {
  779.     ngx_http_ssl_srv_conf_t *sscf = conf;

  781.     char  *rv;

  783.     rv = ngx_conf_set_flag_slot(cf, cmd, conf);

  785.     if (rv != NGX_CONF_OK) {
  786.         return rv;
  787.     }

  789.     sscf->file = cf->conf_file->file.name.data;
  790.     sscf->line = cf->conf_file->line;

  792.     return NGX_CONF_OK;
  793. }


  796. static char *
  797. ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  798. {
  799.     ngx_http_ssl_srv_conf_t *sscf = conf;

  801.     ngx_str_t  *value;

  803.     if (sscf->passwords != NGX_CONF_UNSET_PTR) {
  804.         return "is duplicate";
  805.     }

  807.     value = cf->args->elts;

  809.     sscf->passwords = ngx_ssl_read_password_file(cf, &value[1]);

  811.     if (sscf->passwords == NULL) {
  812.         return NGX_CONF_ERROR;
  813.     }

  815.     return NGX_CONF_OK;
  816. }


  819. static char *
  820. ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  821. {
  822.     ngx_http_ssl_srv_conf_t *sscf = conf;

  824.     size_t       len;
  825.     ngx_str_t   *value, name, size;
  826.     ngx_int_t    n;
  827.     ngx_uint_t   i, j;

  829.     value = cf->args->elts;

  831.     for (i = 1; i < cf->args->nelts; i++) {

  833.         if (ngx_strcmp(value[i].data, "off") == 0) {
  834.             sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
  835.             continue;
  836.         }

  838.         if (ngx_strcmp(value[i].data, "none") == 0) {
  839.             sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
  840.             continue;
  841.         }

  843.         if (ngx_strcmp(value[i].data, "builtin") == 0) {
  844.             sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
  845.             continue;
  846.         }

  848.         if (value[i].len > sizeof("builtin:") - 1
  849.             && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
  850.                == 0)
  851.         {
  852.             n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
  853.                          value[i].len - (sizeof("builtin:") - 1));

  855.             if (n == NGX_ERROR) {
  856.                 goto invalid;
  857.             }

  859.             sscf->builtin_session_cache = n;

  861.             continue;
  862.         }

  864.         if (value[i].len > sizeof("shared:") - 1
  865.             && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
  866.                == 0)
  867.         {
  868.             len = 0;

  870.             for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
  871.                 if (value[i].data[j] == ':') {
  872.                     break;
  873.                 }

  875.                 len++;
  876.             }

  878.             if (len == 0) {
  879.                 goto invalid;
  880.             }

  882.             name.len = len;
  883.             name.data = value[i].data + sizeof("shared:") - 1;

  885.             size.len = value[i].len - j - 1;
  886.             size.data = name.data + len + 1;

  888.             n = ngx_parse_size(&size);

  890.             if (n == NGX_ERROR) {
  891.                 goto invalid;
  892.             }

  894.             if (n < (ngx_int_t) (8 * ngx_pagesize)) {
  895.                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  896.                                    "session cache \"%V\" is too small",
  897.                                    &value[i]);

  899.                 return NGX_CONF_ERROR;
  900.             }

  902.             sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
  903.                                                    &ngx_http_ssl_module);
  904.             if (sscf->shm_zone == NULL) {
  905.                 return NGX_CONF_ERROR;
  906.             }

  908.             sscf->shm_zone->init = ngx_ssl_session_cache_init;

  910.             continue;
  911.         }

  913.         goto invalid;
  914.     }

  916.     if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
  917.         sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
  918.     }

  920.     return NGX_CONF_OK;

  922. invalid:

  924.     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  925.                        "invalid session cache \"%V\"", &value[i]);

  927.     return NGX_CONF_ERROR;
  928. }


  931. static ngx_int_t
  932. ngx_http_ssl_init(ngx_conf_t *cf)
  933. {
  934.     ngx_uint_t                   s;
  935.     ngx_http_ssl_srv_conf_t     *sscf;
  936.     ngx_http_core_loc_conf_t    *clcf;
  937.     ngx_http_core_srv_conf_t   **cscfp;
  938.     ngx_http_core_main_conf_t   *cmcf;

  940.     cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
  941.     cscfp = cmcf->servers.elts;

  943.     for (s = 0; s < cmcf->servers.nelts; s++) {

  945.         sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

  947.         if (sscf->ssl.ctx == NULL || !sscf->stapling) {
  948.             continue;
  949.         }

  951.         clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];

  953.         if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
  954.                                       clcf->resolver_timeout)
  955.             != NGX_OK)
  956.         {
  957.             return NGX_ERROR;
  958.         }
  959.     }

  961.     return NGX_OK;
  962. }

One Level Up Top Level