aboutsummaryrefslogtreecommitdiff
path: root/src/imap
diff options
context:
space:
mode:
Diffstat (limited to 'src/imap')
-rw-r--r--src/imap/ngx_imap_auth_http_module.c87
-rw-r--r--src/imap/ngx_imap_handler.c104
-rw-r--r--src/imap/ngx_imap_proxy_module.c25
-rw-r--r--src/imap/ngx_imap_ssl_module.c86
-rw-r--r--src/imap/ngx_imap_ssl_module.h8
5 files changed, 192 insertions, 118 deletions
diff --git a/src/imap/ngx_imap_auth_http_module.c b/src/imap/ngx_imap_auth_http_module.c
index 616222755..571cd270d 100644
--- a/src/imap/ngx_imap_auth_http_module.c
+++ b/src/imap/ngx_imap_auth_http_module.c
@@ -45,9 +45,9 @@ struct ngx_imap_auth_http_ctx_s {
ngx_str_t port;
ngx_str_t err;
- ngx_msec_t sleep;
+ time_t sleep;
- ngx_peers_t *peers;
+ ngx_pool_t *pool;
};
@@ -63,7 +63,7 @@ static ngx_int_t ngx_imap_auth_http_parse_header_line(ngx_imap_session_t *s,
static void ngx_imap_auth_http_block_read(ngx_event_t *rev);
static void ngx_imap_auth_http_dummy_handler(ngx_event_t *ev);
static ngx_buf_t *ngx_imap_auth_http_create_request(ngx_imap_session_t *s,
- ngx_imap_auth_http_conf_t *ahcf);
+ ngx_pool_t *pool, ngx_imap_auth_http_conf_t *ahcf);
static void *ngx_imap_auth_http_create_conf(ngx_conf_t *cf);
static char *ngx_imap_auth_http_merge_conf(ngx_conf_t *cf, void *parent,
@@ -123,21 +123,32 @@ void
ngx_imap_auth_http_init(ngx_imap_session_t *s)
{
ngx_int_t rc;
+ ngx_pool_t *pool;
ngx_imap_auth_http_ctx_t *ctx;
ngx_imap_auth_http_conf_t *ahcf;
s->connection->log->action = "in http auth state";
- ctx = ngx_pcalloc(s->connection->pool, sizeof(ngx_imap_auth_http_ctx_t));
+ pool = ngx_create_pool(2048, s->connection->log);
+ if (pool == NULL) {
+ ngx_imap_session_internal_server_error(s);
+ return;
+ }
+
+ ctx = ngx_pcalloc(pool, sizeof(ngx_imap_auth_http_ctx_t));
if (ctx == NULL) {
+ ngx_destroy_pool(pool);
ngx_imap_session_internal_server_error(s);
return;
}
+ ctx->pool = pool;
+
ahcf = ngx_imap_get_module_srv_conf(s, ngx_imap_auth_http_module);
- ctx->request = ngx_imap_auth_http_create_request(s, ahcf);
+ ctx->request = ngx_imap_auth_http_create_request(s, pool, ahcf);
if (ctx->request == NULL) {
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -152,6 +163,7 @@ ngx_imap_auth_http_init(ngx_imap_session_t *s)
if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) {
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -197,6 +209,7 @@ ngx_imap_auth_http_write_handler(ngx_event_t *wev)
"auth http server %V timed out",
&ctx->peer.peers->peer[0].name);
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -207,6 +220,7 @@ ngx_imap_auth_http_write_handler(ngx_event_t *wev)
if (n == NGX_ERROR) {
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -253,14 +267,16 @@ ngx_imap_auth_http_read_handler(ngx_event_t *rev)
"auth http server %V timed out",
&ctx->peer.peers->peer[0].name);
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
if (ctx->response == NULL) {
- ctx->response = ngx_create_temp_buf(s->connection->pool, 1024);
+ ctx->response = ngx_create_temp_buf(ctx->pool, 1024);
if (ctx->response == NULL) {
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -282,6 +298,7 @@ ngx_imap_auth_http_read_handler(ngx_event_t *rev)
}
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
}
@@ -369,6 +386,7 @@ ngx_imap_auth_http_ignore_status_line(ngx_imap_session_t *s,
"auth http server &V sent invalid response",
&ctx->peer.peers->peer[0].name);
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -397,8 +415,10 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s,
ngx_imap_auth_http_ctx_t *ctx)
{
u_char *p;
+ time_t timer;
size_t len, size;
ngx_int_t rc, port, n;
+ ngx_peers_t *peers;
struct sockaddr_in *sin;
ngx_log_debug0(NGX_LOG_DEBUG_IMAP, s->connection->log, 0,
@@ -450,6 +470,7 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s,
p = ngx_pcalloc(s->connection->pool, size);
if (p == NULL) {
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -530,16 +551,20 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s,
if (ctx->err.len) {
s->out = ctx->err;
+ timer = ctx->sleep;
- if (ctx->sleep == 0) {
- s->quit = 1;
+ ngx_destroy_pool(ctx->pool);
- ngx_imap_send(s->connection->write);
+ ngx_log_error(NGX_LOG_INFO, s->connection->log, 0,
+ "client login failed");
+ if (timer == 0) {
+ s->quit = 1;
+ ngx_imap_send(s->connection->write);
return;
}
- ngx_add_timer(s->connection->read, ctx->sleep * 1000);
+ ngx_add_timer(s->connection->read, timer * 1000);
s->connection->read->handler = ngx_imap_auth_sleep_handler;
@@ -550,18 +575,21 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s,
ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
"auth http server %V did not send server or port",
&ctx->peer.peers->peer[0].name);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
- ctx->peers = ngx_pcalloc(s->connection->pool, sizeof(ngx_peers_t));
- if (ctx->peers == NULL) {
+ peers = ngx_pcalloc(s->connection->pool, sizeof(ngx_peers_t));
+ if (peers == NULL) {
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
sin = ngx_pcalloc(s->connection->pool, sizeof(struct sockaddr_in));
if (sin == NULL) {
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -574,6 +602,7 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s,
"auth http server %V sent invalid server "
"port:\"%V\"",
&ctx->peer.peers->peer[0].name, &ctx->port);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
@@ -587,38 +616,40 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s,
"auth http server %V sent invalid server "
"address:\"%V\"",
&ctx->peer.peers->peer[0].name, &ctx->addr);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
- ctx->peers->number = 1;
+ peers->number = 1;
- ctx->peers->peer[0].sockaddr = (struct sockaddr *) sin;
- ctx->peers->peer[0].socklen = sizeof(struct sockaddr_in);
+ peers->peer[0].sockaddr = (struct sockaddr *) sin;
+ peers->peer[0].socklen = sizeof(struct sockaddr_in);
len = ctx->addr.len + 1 + ctx->port.len;
- ctx->peers->peer[0].name.len = len;
+ peers->peer[0].name.len = len;
- ctx->peers->peer[0].name.data = ngx_palloc(s->connection->pool,
- len);
- if (ctx->peers->peer[0].name.data == NULL) {
+ peers->peer[0].name.data = ngx_palloc(s->connection->pool, len);
+ if (peers->peer[0].name.data == NULL) {
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
}
len = ctx->addr.len;
- ngx_memcpy(ctx->peers->peer[0].name.data, ctx->addr.data, len);
+ ngx_memcpy(peers->peer[0].name.data, ctx->addr.data, len);
- ctx->peers->peer[0].name.data[len++] = ':';
+ peers->peer[0].name.data[len++] = ':';
- ngx_memcpy(ctx->peers->peer[0].name.data + len,
+ ngx_memcpy(peers->peer[0].name.data + len,
ctx->port.data, ctx->port.len);
- ctx->peers->peer[0].uri_separator = "";
+ peers->peer[0].uri_separator = "";
- ngx_imap_proxy_init(s, ctx->peers);
+ ngx_destroy_pool(ctx->pool);
+ ngx_imap_proxy_init(s, peers);
return;
}
@@ -633,6 +664,7 @@ ngx_imap_auth_http_process_headers(ngx_imap_session_t *s,
"auth http server %V sent invalid header in response",
&ctx->peer.peers->peer[0].name);
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
return;
@@ -906,6 +938,7 @@ ngx_imap_auth_http_block_read(ngx_event_t *rev)
ctx = ngx_imap_get_module_ctx(s, ngx_imap_auth_http_module);
ngx_close_connection(ctx->peer.connection);
+ ngx_destroy_pool(ctx->pool);
ngx_imap_session_internal_server_error(s);
}
}
@@ -920,7 +953,7 @@ ngx_imap_auth_http_dummy_handler(ngx_event_t *ev)
static ngx_buf_t *
-ngx_imap_auth_http_create_request(ngx_imap_session_t *s,
+ngx_imap_auth_http_create_request(ngx_imap_session_t *s, ngx_pool_t *pool,
ngx_imap_auth_http_conf_t *ahcf)
{
size_t len;
@@ -938,7 +971,7 @@ ngx_imap_auth_http_create_request(ngx_imap_session_t *s,
+ sizeof(CRLF) - 1
+ sizeof(CRLF) - 1;
- b = ngx_create_temp_buf(s->connection->pool, len);
+ b = ngx_create_temp_buf(pool, len);
if (b == NULL) {
return NULL;
}
@@ -981,7 +1014,7 @@ ngx_imap_auth_http_create_request(ngx_imap_session_t *s,
/* add "\r\n" at the header end */
*b->last++ = CR; *b->last++ = LF;
-#if (NGX_DEBUG)
+#if (NGX_DEBUG_IMAP_PASSWD)
{
ngx_str_t l;
diff --git a/src/imap/ngx_imap_handler.c b/src/imap/ngx_imap_handler.c
index 6497ced0b..4fe124871 100644
--- a/src/imap/ngx_imap_handler.c
+++ b/src/imap/ngx_imap_handler.c
@@ -10,12 +10,13 @@
#include <ngx_imap.h>
-static void ngx_imap_init_session(ngx_event_t *rev);
+static void ngx_imap_init_session(ngx_connection_t *c);
static void ngx_imap_init_protocol(ngx_event_t *rev);
static ngx_int_t ngx_imap_read_command(ngx_imap_session_t *s);
static u_char *ngx_imap_log_error(ngx_log_t *log, u_char *buf, size_t len);
#if (NGX_IMAP_SSL)
+static void ngx_imap_ssl_handshake_handler(ngx_connection_t *c);
static void ngx_imap_ssl_close_handler(ngx_event_t *ev);
#endif
@@ -43,13 +44,15 @@ static u_char imap_invalid_command[] = "BAD invalid command" CRLF;
void
ngx_imap_init_connection(ngx_connection_t *c)
{
- ngx_imap_log_ctx_t *lctx;
+ ngx_imap_log_ctx_t *lctx;
#if (NGX_IMAP_SSL)
- ngx_imap_conf_ctx_t *ctx;
- ngx_imap_ssl_conf_t *sslcf;
+ ngx_imap_conf_ctx_t *ctx;
+ ngx_imap_ssl_conf_t *sslcf;
+ ngx_imap_core_srv_conf_t *cscf;
#endif
- ngx_log_debug0(NGX_LOG_DEBUG_IMAP, c->log, 0, "imap init connection");
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "*%ui client %V connected to %V",
+ c->number, &c->addr_text, &c->listening->addr_text);
lctx = ngx_palloc(c->pool, sizeof(ngx_imap_log_ctx_t));
if (lctx == NULL) {
@@ -73,63 +76,59 @@ ngx_imap_init_connection(ngx_connection_t *c)
sslcf = ngx_imap_get_module_srv_conf(ctx, ngx_imap_ssl_module);
if (sslcf->enable) {
- if (ngx_ssl_create_connection(sslcf->ssl_ctx, c, 0) == NGX_ERROR) {
+ if (ngx_ssl_create_connection(&sslcf->ssl, c, 0) == NGX_ERROR) {
ngx_imap_close_connection(c);
return;
}
- c->recv = ngx_ssl_recv;
- c->send = ngx_ssl_write;
- c->send_chain = ngx_ssl_send_chain;
- }
+ if (ngx_ssl_handshake(c) == NGX_AGAIN) {
-#endif
+ cscf = ngx_imap_get_module_srv_conf(ctx, ngx_imap_core_module);
- ngx_imap_init_session(c->read);
-}
+ ngx_add_timer(c->read, cscf->timeout);
+ c->ssl->handler = ngx_imap_ssl_handshake_handler;
-static void
-ngx_imap_init_session(ngx_event_t *rev)
-{
- ngx_connection_t *c;
- ngx_imap_session_t *s;
- ngx_imap_log_ctx_t *lctx;
- ngx_imap_conf_ctx_t *ctx;
- ngx_imap_core_srv_conf_t *cscf;
-#if (NGX_IMAP_SSL)
- ngx_int_t rc;
-#endif
+ return;
+ }
- c = rev->data;
- ctx = c->ctx;
- cscf = ngx_imap_get_module_srv_conf(ctx, ngx_imap_core_module);
+ ngx_imap_ssl_handshake_handler(c);
+ return;
+ }
-#if (NGX_IMAP_SSL)
+#endif
- if (c->ssl) {
+ ngx_imap_init_session(c);
+}
- rc = ngx_ssl_handshake(c);
- if (rc == NGX_ERROR) {
- ngx_imap_close_connection(c);
- return;
- }
+#if (NGX_IMAP_SSL)
- if (rc == NGX_AGAIN) {
- ngx_add_timer(rev, cscf->timeout);
- c->read->handler = ngx_imap_init_session;
+static void
+ngx_imap_ssl_handshake_handler(ngx_connection_t *c)
+{
+ if (c->ssl->handshaked) {
+ ngx_imap_init_session(c);
+ return;
+ }
- if (ngx_handle_read_event(rev, 0) == NGX_ERROR) {
- ngx_imap_close_connection(c);
- }
+ ngx_imap_close_connection(c);
+ return;
+}
- return;
- }
+#endif
- }
-#endif
+static void
+ngx_imap_init_session(ngx_connection_t *c)
+{
+ ngx_imap_session_t *s;
+ ngx_imap_log_ctx_t *lctx;
+ ngx_imap_conf_ctx_t *ctx;
+ ngx_imap_core_srv_conf_t *cscf;
+
+ c->read->handler = ngx_imap_init_protocol;
+ c->write->handler = ngx_imap_send;
s = ngx_pcalloc(c->pool, sizeof(ngx_imap_session_t));
if (s == NULL) {
@@ -137,6 +136,9 @@ ngx_imap_init_session(ngx_event_t *rev)
return;
}
+ ctx = c->ctx;
+ cscf = ngx_imap_get_module_srv_conf(ctx, ngx_imap_core_module);
+
c->data = s;
s->connection = c;
@@ -156,12 +158,9 @@ ngx_imap_init_session(ngx_event_t *rev)
lctx = c->log->data;
lctx->session = s;
- c->read->handler = ngx_imap_init_protocol;
- c->write->handler = ngx_imap_send;
+ ngx_add_timer(c->read, cscf->timeout);
- ngx_add_timer(rev, cscf->timeout);
-
- if (ngx_handle_read_event(rev, 0) == NGX_ERROR) {
+ if (ngx_handle_read_event(c->read, 0) == NGX_ERROR) {
ngx_imap_close_connection(c);
}
@@ -378,9 +377,14 @@ ngx_imap_auth_state(ngx_event_t *rev)
ngx_memcpy(s->passwd.data, arg[1].data, s->passwd.len);
+#if (NGX_DEBUG_IMAP_PASSWD)
ngx_log_debug2(NGX_LOG_DEBUG_IMAP, c->log, 0,
"imap login:\"%V\" passwd:\"%V\"",
&s->login, &s->passwd);
+#else
+ ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0,
+ "imap login:\"%V\"", &s->login);
+#endif
s->args.nelts = 0;
s->buffer->pos = s->buffer->start;
@@ -584,8 +588,10 @@ ngx_pop3_auth_state(ngx_event_t *rev)
ngx_memcpy(s->passwd.data, arg[0].data, s->passwd.len);
+#if (NGX_DEBUG_IMAP_PASSWD)
ngx_log_debug1(NGX_LOG_DEBUG_IMAP, c->log, 0,
"pop3 passwd: \"%V\"", &s->passwd);
+#endif
s->args.nelts = 0;
s->buffer->pos = s->buffer->start;
diff --git a/src/imap/ngx_imap_proxy_module.c b/src/imap/ngx_imap_proxy_module.c
index 86a4ff8a9..bfbcc1cbe 100644
--- a/src/imap/ngx_imap_proxy_module.c
+++ b/src/imap/ngx_imap_proxy_module.c
@@ -156,6 +156,7 @@ ngx_imap_proxy_block_read(ngx_event_t *rev)
static void
ngx_imap_proxy_imap_handler(ngx_event_t *rev)
{
+ char *action;
u_char *p;
ngx_int_t rc;
ngx_str_t line;
@@ -293,6 +294,11 @@ ngx_imap_proxy_imap_handler(ngx_event_t *rev)
ngx_add_timer(s->connection->read, pcf->timeout);
ngx_del_timer(c->read);
+ action = c->log->action;
+ c->log->action = NULL;
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "client logged in");
+ c->log->action = action;
+
c->log->action = "proxying";
}
}
@@ -301,6 +307,7 @@ ngx_imap_proxy_imap_handler(ngx_event_t *rev)
static void
ngx_imap_proxy_pop3_handler(ngx_event_t *rev)
{
+ char *action;
u_char *p;
ngx_int_t rc;
ngx_str_t line;
@@ -418,6 +425,11 @@ ngx_imap_proxy_pop3_handler(ngx_event_t *rev)
ngx_add_timer(s->connection->read, pcf->timeout);
ngx_del_timer(c->read);
+ action = c->log->action;
+ c->log->action = NULL;
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "client logged in");
+ c->log->action = action;
+
c->log->action = "proxying";
}
}
@@ -507,6 +519,7 @@ ngx_imap_proxy_read_response(ngx_imap_session_t *s, ngx_uint_t what)
static void
ngx_imap_proxy_handler(ngx_event_t *ev)
{
+ char *action;
size_t size;
ssize_t n;
ngx_buf_t *b;
@@ -603,7 +616,17 @@ ngx_imap_proxy_handler(ngx_event_t *ev)
if (size && src->read->ready) {
n = src->recv(src, b->last, size);
- if (n == NGX_ERROR || n == 0) {
+ if (n == NGX_ERROR) {
+ ngx_imap_proxy_close_session(s);
+ return;
+ }
+
+ if (n == 0) {
+ action = c->log->action;
+ c->log->action = NULL;
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "proxied session done");
+ c->log->action = action;
+
ngx_imap_proxy_close_session(s);
return;
}
diff --git a/src/imap/ngx_imap_ssl_module.c b/src/imap/ngx_imap_ssl_module.c
index bd4579e68..be6fca93b 100644
--- a/src/imap/ngx_imap_ssl_module.c
+++ b/src/imap/ngx_imap_ssl_module.c
@@ -11,12 +11,21 @@
#define NGX_DEFLAUT_CERTIFICATE "cert.pem"
#define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem"
+#define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
static void *ngx_imap_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
+static ngx_conf_bitmask_t ngx_imap_ssl_protocols[] = {
+ { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+ { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+ { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_null_string, 0 }
+};
+
+
static ngx_command_t ngx_imap_ssl_commands[] = {
{ ngx_string("ssl"),
@@ -40,6 +49,13 @@ static ngx_command_t ngx_imap_ssl_commands[] = {
offsetof(ngx_imap_ssl_conf_t, certificate_key),
NULL },
+ { ngx_string("ssl_protocols"),
+ NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_bitmask_slot,
+ NGX_IMAP_SRV_CONF_OFFSET,
+ offsetof(ngx_imap_ssl_conf_t, protocols),
+ &ngx_imap_ssl_protocols },
+
{ ngx_string("ssl_ciphers"),
NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -47,6 +63,13 @@ static ngx_command_t ngx_imap_ssl_commands[] = {
offsetof(ngx_imap_ssl_conf_t, ciphers),
NULL },
+ { ngx_string("ssl_prefer_server_ciphers"),
+ NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_IMAP_SRV_CONF_OFFSET,
+ offsetof(ngx_imap_ssl_conf_t, prefer_server_ciphers),
+ NULL },
+
ngx_null_command
};
@@ -92,6 +115,8 @@ ngx_imap_ssl_create_conf(ngx_conf_t *cf)
/*
* set by ngx_pcalloc():
*
+ * scf->protocols = 0;
+ *
* scf->certificate.len = 0;
* scf->certificate.data = NULL;
* scf->certificate_key.len = 0;
@@ -101,6 +126,7 @@ ngx_imap_ssl_create_conf(ngx_conf_t *cf)
*/
scf->enable = NGX_CONF_UNSET;
+ scf->prefer_server_ciphers = NGX_CONF_UNSET;
return scf;
}
@@ -118,39 +144,41 @@ ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_OK;
}
+ ngx_conf_merge_value(conf->prefer_server_ciphers,
+ prev->prefer_server_ciphers, 0);
+
+ ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+ (NGX_CONF_BITMASK_SET
+ |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+
ngx_conf_merge_str_value(conf->certificate, prev->certificate,
NGX_DEFLAUT_CERTIFICATE);
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
NGX_DEFLAUT_CERTIFICATE_KEY);
- ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, "");
+ ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
- /* TODO: configure methods */
+ conf->ssl.log = cf->log;
- conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-
- if (conf->ssl_ctx == NULL) {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed");
+ if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) {
return NGX_CONF_ERROR;
}
- if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx)
- == NULL)
+ if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL)
{
return NGX_CONF_ERROR;
}
-
-#if 0
- SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
- SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_NO_SSLv3);
- SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_SINGLE_DH_USE);
-#endif
+ if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data,
+ conf->certificate_key.data) != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
if (conf->ciphers.len) {
- if (SSL_CTX_set_cipher_list(conf->ssl_ctx,
+ if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
(const char *) conf->ciphers.data) == 0)
{
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
@@ -159,35 +187,13 @@ ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
}
}
- if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx,
- (char *) conf->certificate.data) == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
- conf->certificate.data);
- return NGX_CONF_ERROR;
- }
-
-
- if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx,
- (char *) conf->certificate_key.data,
- SSL_FILETYPE_PEM) == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_use_PrivateKey_file(\"%s\") failed",
- conf->certificate_key.data);
+ if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
return NGX_CONF_ERROR;
}
- SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-
- SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-
- SSL_CTX_set_read_ahead(conf->ssl_ctx, 1);
-
- SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER);
+ SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER);
- SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_imap_session_id_ctx,
+ SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_imap_session_id_ctx,
sizeof(ngx_imap_session_id_ctx) - 1);
return NGX_CONF_OK;
diff --git a/src/imap/ngx_imap_ssl_module.h b/src/imap/ngx_imap_ssl_module.h
index 150a61755..fd0ccada4 100644
--- a/src/imap/ngx_imap_ssl_module.h
+++ b/src/imap/ngx_imap_ssl_module.h
@@ -15,12 +15,18 @@
typedef struct {
ngx_flag_t enable;
+
+ ngx_ssl_t ssl;
+
+ ngx_flag_t prefer_server_ciphers;
+
+ ngx_uint_t protocols;
+
ngx_str_t certificate;
ngx_str_t certificate_key;
ngx_str_t ciphers;
- ngx_ssl_ctx_t *ssl_ctx;
} ngx_imap_ssl_conf_t;
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-17 05:27:15 +0000