diff options
| author | Igor Sysoev <igor@sysoev.ru> | 2005-10-19 12:33:58 +0000 |
|---|---|---|
| committer | Igor Sysoev <igor@sysoev.ru> | 2005-10-19 12:33:58 +0000 |
| commit | c2068d08f097383b8eac508117e6d405627e6cef (patch) | |
| tree | 06ca21df58481e97289a566f42703102c0b6583c /src/http/modules/ngx_http_ssl_module.c | |
| parent | 8743f92a1acd46c0a4b0df2bf6a80fc1b110affb (diff) | |
| download | nginx-c2068d08f097383b8eac508117e6d405627e6cef.tar.gz nginx-c2068d08f097383b8eac508117e6d405627e6cef.zip | |
nginx-0.3.3-RELEASE importrelease-0.3.3
*) Change: the "bl" and "af" parameters of the "listen" directive was
renamed to the "backlog" and "accept_filter".
*) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
directive.
*) Change: the "$msec" log parameter does not require now the
additional the gettimeofday() system call.
*) Feature: the -t switch now tests the "listen" directives.
*) Bugfix: if the invalid address was specified in the "listen"
directive, then after the -HUP signal nginx left an open socket in
the CLOSED state.
*) Bugfix: the mime type may be incorrectly set to default value for
index file with variable in the name; the bug had appeared in 0.3.0.
*) Feature: the "timer_resolution" directive.
*) Feature: the millisecond "$upstream_response_time" log parameter.
*) Bugfix: a temporary file with client request body now is removed
just after the response header was transferred to a client.
*) Bugfix: OpenSSL 0.9.6 compatibility.
*) Bugfix: the SSL certificate and key file paths could not be relative.
*) Bugfix: the "ssl_prefer_server_ciphers" directive did not work in
the ngx_imap_ssl_module.
*) Bugfix: the "ssl_protocols" directive allowed to specify the single
protocol only.
Diffstat (limited to 'src/http/modules/ngx_http_ssl_module.c')
| -rw-r--r-- | src/http/modules/ngx_http_ssl_module.c | 53 |
1 files changed, 46 insertions, 7 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index bb9a55f49..09bf63dcf 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -17,6 +17,15 @@ static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child); +#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) + +static char *ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + +static char ngx_http_ssl_openssl097[] = "OpenSSL 0.9.7 and higher"; + +#endif + static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, @@ -26,6 +35,7 @@ static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { }; + static ngx_command_t ngx_http_ssl_commands[] = { { ngx_string("ssl"), @@ -50,14 +60,14 @@ static ngx_command_t ngx_http_ssl_commands[] = { NULL }, { ngx_string("ssl_protocols"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, ngx_conf_set_bitmask_slot, NGX_HTTP_SRV_CONF_OFFSET, offsetof(ngx_http_ssl_srv_conf_t, protocols), &ngx_http_ssl_protocols }, { ngx_string("ssl_ciphers"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, NGX_HTTP_SRV_CONF_OFFSET, offsetof(ngx_http_ssl_srv_conf_t, ciphers), @@ -65,10 +75,14 @@ static ngx_command_t ngx_http_ssl_commands[] = { { ngx_string("ssl_prefer_server_ciphers"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE ngx_conf_set_flag_slot, NGX_HTTP_SRV_CONF_OFFSET, offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), NULL }, +#else + ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 }, +#endif ngx_null_command }; @@ -144,6 +158,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_http_ssl_srv_conf_t *prev = parent; ngx_http_ssl_srv_conf_t *conf = child; + ngx_pool_cleanup_t *cln; + ngx_conf_merge_value(conf->enable, prev->enable, 0); if (conf->enable == 0) { @@ -172,29 +188,37 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_ERROR; } - if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL) - { + cln = ngx_pool_cleanup_add(cf->pool, 0); + if (cln == NULL) { return NGX_CONF_ERROR; } - if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data, - conf->certificate_key.data) != NGX_OK) + cln->handler = ngx_ssl_cleanup_ctx; + cln->data = &conf->ssl; + + if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, + &conf->certificate_key) != NGX_OK) { return NGX_CONF_ERROR; } if (SSL_CTX_set_cipher_list(conf->ssl.ctx, - (const char *) conf->ciphers.data) == 0) + (const char *) conf->ciphers.data) + == 0) { ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_set_cipher_list(\"%V\") failed", &conf->ciphers); } +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + if (conf->prefer_server_ciphers) { SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } +#endif + /* a temporary 512-bit RSA key is required for export versions of MSIE */ if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { return NGX_CONF_ERROR; @@ -207,3 +231,18 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_OK; } + + +#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) + +static char * +ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "\"%V\" directive is available only in %s,", + &cmd->name, cmd->post); + + return NGX_CONF_ERROR; +} + +#endif |