ngx_int_t
ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
- ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords)
+ ngx_str_t *cert, ngx_str_t *key, ngx_ssl_cache_t *cache,
+ ngx_array_t *passwords)
{
char *err;
X509 *x509;
EVP_PKEY *pkey;
STACK_OF(X509) *chain;
- chain = ngx_ssl_cache_connection_fetch(pool, NGX_SSL_CACHE_CERT, &err,
- cert, NULL);
+ chain = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_CERT,
+ &err, cert, NULL);
if (chain == NULL) {
if (err != NULL) {
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
#endif
- pkey = ngx_ssl_cache_connection_fetch(pool, NGX_SSL_CACHE_PKEY, &err,
- key, passwords);
+ pkey = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_PKEY,
+ &err, key, passwords);
if (pkey == NULL) {
if (err != NULL) {
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
#endif
-typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
+typedef struct ngx_ssl_cache_s ngx_ssl_cache_t;
+typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
struct ngx_ssl_s {
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
- ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ ngx_str_t *cert, ngx_str_t *key, ngx_ssl_cache_t *cache,
+ ngx_array_t *passwords);
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data);
+ngx_ssl_cache_t *ngx_ssl_cache_init(ngx_pool_t *pool, ngx_uint_t max,
+ time_t valid, time_t inactive);
void *ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
ngx_str_t *path, void *data);
-void *ngx_ssl_cache_connection_fetch(ngx_pool_t *pool, ngx_uint_t index,
- char **err, ngx_str_t *path, void *data);
+void *ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
+ ngx_uint_t index, char **err, ngx_str_t *path, void *data);
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
typedef struct {
ngx_rbtree_node_t node;
+ ngx_queue_t queue;
ngx_ssl_cache_key_t id;
ngx_ssl_cache_type_t *type;
void *value;
+ time_t created;
+ time_t accessed;
+
time_t mtime;
ngx_file_uniq_t uniq;
} ngx_ssl_cache_node_t;
-typedef struct {
+struct ngx_ssl_cache_s {
ngx_rbtree_t rbtree;
ngx_rbtree_node_t sentinel;
+ ngx_queue_t expire_queue;
ngx_flag_t inheritable;
-} ngx_ssl_cache_t;
+
+ ngx_uint_t current;
+ ngx_uint_t max;
+ time_t valid;
+ time_t inactive;
+};
typedef struct {
ngx_str_t *path, ngx_ssl_cache_key_t *id);
static ngx_ssl_cache_node_t *ngx_ssl_cache_lookup(ngx_ssl_cache_t *cache,
ngx_ssl_cache_type_t *type, ngx_ssl_cache_key_t *id, uint32_t hash);
+static void ngx_ssl_cache_expire(ngx_ssl_cache_t *cache, ngx_uint_t n,
+ ngx_log_t *log);
static void *ngx_ssl_cache_cert_create(ngx_ssl_cache_key_t *id, char **err,
void *data);
static void ngx_ssl_cache_cleanup(void *data);
static void ngx_ssl_cache_node_insert(ngx_rbtree_node_t *temp,
ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);
+static void ngx_ssl_cache_node_free(ngx_rbtree_t *rbtree,
+ ngx_ssl_cache_node_t *cn);
static ngx_command_t ngx_openssl_cache_commands[] = {
ngx_cpystrn(cn->id.data, id.data, id.len + 1);
+ ngx_queue_init(&cn->queue);
+
ngx_rbtree_insert(&cache->rbtree, &cn->node);
return type->ref(err, cn->value);
void *
-ngx_ssl_cache_connection_fetch(ngx_pool_t *pool, ngx_uint_t index, char **err,
- ngx_str_t *path, void *data)
+ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
+ ngx_uint_t index, char **err, ngx_str_t *path, void *data)
{
- ngx_ssl_cache_key_t id;
+ void *value;
+ time_t now;
+ uint32_t hash;
+ ngx_ssl_cache_key_t id;
+ ngx_ssl_cache_type_t *type;
+ ngx_ssl_cache_node_t *cn;
*err = NULL;
return NULL;
}
- return ngx_ssl_cache_types[index].create(&id, err, &data);
+ type = &ngx_ssl_cache_types[index];
+
+ if (cache == NULL) {
+ return type->create(&id, err, &data);
+ }
+
+ now = ngx_time();
+
+ hash = ngx_murmur_hash2(id.data, id.len);
+
+ cn = ngx_ssl_cache_lookup(cache, type, &id, hash);
+
+ if (cn != NULL) {
+ ngx_queue_remove(&cn->queue);
+
+ if (id.type == NGX_SSL_CACHE_DATA) {
+ goto found;
+ }
+
+ if (now - cn->created > cache->valid) {
+ ngx_log_debug1(NGX_LOG_DEBUG_CORE, pool->log, 0,
+ "update cached ssl object: %s", cn->id.data);
+
+ type->free(cn->value);
+
+ value = type->create(&id, err, &data);
+
+ if (value == NULL || data == NGX_SSL_CACHE_DISABLED) {
+ ngx_rbtree_delete(&cache->rbtree, &cn->node);
+
+ cache->current--;
+
+ ngx_free(cn);
+
+ return value;
+ }
+
+ cn->value = value;
+ cn->created = now;
+ }
+
+ goto found;
+ }
+
+ value = type->create(&id, err, &data);
+
+ if (value == NULL || data == NGX_SSL_CACHE_DISABLED) {
+ return value;
+ }
+
+ cn = ngx_alloc(sizeof(ngx_ssl_cache_node_t) + id.len + 1, pool->log);
+ if (cn == NULL) {
+ type->free(value);
+ return NULL;
+ }
+
+ cn->node.key = hash;
+ cn->id.data = (u_char *)(cn + 1);
+ cn->id.len = id.len;
+ cn->id.type = id.type;
+ cn->type = type;
+ cn->value = value;
+ cn->created = now;
+
+ ngx_cpystrn(cn->id.data, id.data, id.len + 1);
+
+ ngx_ssl_cache_expire(cache, 1, pool->log);
+
+ if (cache->current >= cache->max) {
+ ngx_ssl_cache_expire(cache, 0, pool->log);
+ }
+
+ ngx_rbtree_insert(&cache->rbtree, &cn->node);
+
+ cache->current++;
+
+found:
+
+ cn->accessed = now;
+
+ ngx_queue_insert_head(&cache->expire_queue, &cn->queue);
+
+ return type->ref(err, cn->value);
}
}
+static void
+ngx_ssl_cache_expire(ngx_ssl_cache_t *cache, ngx_uint_t n,
+ ngx_log_t *log)
+{
+ time_t now;
+ ngx_queue_t *q;
+ ngx_ssl_cache_node_t *cn;
+
+ now = ngx_time();
+
+ while (n < 3) {
+
+ if (ngx_queue_empty(&cache->expire_queue)) {
+ return;
+ }
+
+ q = ngx_queue_last(&cache->expire_queue);
+
+ cn = ngx_queue_data(q, ngx_ssl_cache_node_t, queue);
+
+ if (n++ != 0 && now - cn->accessed <= cache->inactive) {
+ return;
+ }
+
+ ngx_ssl_cache_node_free(&cache->rbtree, cn);
+
+ cache->current--;
+ }
+}
+
+
static void *
ngx_ssl_cache_cert_create(ngx_ssl_cache_key_t *id, char **err, void *data)
{
static void *
ngx_openssl_cache_create_conf(ngx_cycle_t *cycle)
{
- ngx_ssl_cache_t *cache;
- ngx_pool_cleanup_t *cln;
+ ngx_ssl_cache_t *cache;
- cache = ngx_pcalloc(cycle->pool, sizeof(ngx_ssl_cache_t));
+ cache = ngx_ssl_cache_init(cycle->pool, 0, 0, 0);
if (cache == NULL) {
return NULL;
}
cache->inheritable = NGX_CONF_UNSET;
- cln = ngx_pool_cleanup_add(cycle->pool, 0);
- if (cln == NULL) {
- return NULL;
- }
-
- cln->handler = ngx_ssl_cache_cleanup;
- cln->data = cache;
-
- ngx_rbtree_init(&cache->rbtree, &cache->sentinel,
- ngx_ssl_cache_node_insert);
-
return cache;
}
}
+ngx_ssl_cache_t *
+ngx_ssl_cache_init(ngx_pool_t *pool, ngx_uint_t max, time_t valid,
+ time_t inactive)
+{
+ ngx_ssl_cache_t *cache;
+ ngx_pool_cleanup_t *cln;
+
+ cache = ngx_pcalloc(pool, sizeof(ngx_ssl_cache_t));
+ if (cache == NULL) {
+ return NULL;
+ }
+
+ ngx_rbtree_init(&cache->rbtree, &cache->sentinel,
+ ngx_ssl_cache_node_insert);
+
+ ngx_queue_init(&cache->expire_queue);
+
+ cache->max = max;
+ cache->valid = valid;
+ cache->inactive = inactive;
+
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_cache_cleanup;
+ cln->data = cache;
+
+ return cache;
+}
+
+
static void
ngx_ssl_cache_cleanup(void *data)
{
return;
}
- for (node = ngx_rbtree_min(tree->root, tree->sentinel);
- node;
- node = ngx_rbtree_next(tree, node))
- {
+ node = ngx_rbtree_min(tree->root, tree->sentinel);
+
+ while (node != NULL) {
cn = ngx_rbtree_data(node, ngx_ssl_cache_node_t, node);
- cn->type->free(cn->value);
+ node = ngx_rbtree_next(tree, node);
+
+ ngx_ssl_cache_node_free(tree, cn);
+
+ if (cache->max) {
+ cache->current--;
+ }
+ }
+
+ if (cache->current) {
+ ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
+ "%ui items still left in ssl cache",
+ cache->current);
+ }
+
+ if (!ngx_queue_empty(&cache->expire_queue)) {
+ ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
+ "queue still is not empty in ssl cache");
+
+ }
+}
+
+
+static void
+ngx_ssl_cache_node_free(ngx_rbtree_t *rbtree, ngx_ssl_cache_node_t *cn)
+{
+ cn->type->free(cn->value);
+
+ ngx_rbtree_delete(rbtree, &cn->node);
+
+ if (!ngx_queue_empty(&cn->queue)) {
+ ngx_queue_remove(&cn->queue);
+
+ ngx_log_debug1(NGX_LOG_DEBUG_CORE, ngx_cycle->log, 0,
+ "delete cached ssl object: %s", cn->id.data);
+
+ ngx_free(cn);
}
}
static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
ngx_http_ssl_srv_conf_t *conf);
+static char *ngx_http_ssl_certificate_cache(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
NULL },
+ { ngx_string("ssl_certificate_cache"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE123,
+ ngx_http_ssl_certificate_cache,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ 0,
+ NULL },
+
{ ngx_string("ssl_password_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_http_ssl_password_file,
sscf->verify_depth = NGX_CONF_UNSET_UINT;
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
+ sscf->certificate_cache = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
sscf->conf_commands = NGX_CONF_UNSET_PTR;
sscf->builtin_session_cache = NGX_CONF_UNSET;
ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
NULL);
+ ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
+ NULL);
+
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
}
+static char *
+ngx_http_ssl_certificate_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_http_ssl_srv_conf_t *sscf = conf;
+
+ time_t inactive, valid;
+ ngx_str_t *value, s;
+ ngx_int_t max;
+ ngx_uint_t i;
+
+ if (sscf->certificate_cache != NGX_CONF_UNSET_PTR) {
+ return "is duplicate";
+ }
+
+ value = cf->args->elts;
+
+ max = 0;
+ inactive = 10;
+ valid = 60;
+
+ for (i = 1; i < cf->args->nelts; i++) {
+
+ if (ngx_strncmp(value[i].data, "max=", 4) == 0) {
+
+ max = ngx_atoi(value[i].data + 4, value[i].len - 4);
+ if (max <= 0) {
+ goto failed;
+ }
+
+ continue;
+ }
+
+ if (ngx_strncmp(value[i].data, "inactive=", 9) == 0) {
+
+ s.len = value[i].len - 9;
+ s.data = value[i].data + 9;
+
+ inactive = ngx_parse_time(&s, 1);
+ if (inactive == (time_t) NGX_ERROR) {
+ goto failed;
+ }
+
+ continue;
+ }
+
+ if (ngx_strncmp(value[i].data, "valid=", 6) == 0) {
+
+ s.len = value[i].len - 6;
+ s.data = value[i].data + 6;
+
+ valid = ngx_parse_time(&s, 1);
+ if (valid == (time_t) NGX_ERROR) {
+ goto failed;
+ }
+
+ continue;
+ }
+
+ if (ngx_strcmp(value[i].data, "off") == 0) {
+
+ sscf->certificate_cache = NULL;
+
+ continue;
+ }
+
+ failed:
+
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid parameter \"%V\"", &value[i]);
+ return NGX_CONF_ERROR;
+ }
+
+ if (sscf->certificate_cache == NULL) {
+ return NGX_CONF_OK;
+ }
+
+ if (max == 0) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "\"ssl_certificate_cache\" must have "
+ "the \"max\" parameter");
+ return NGX_CONF_ERROR;
+ }
+
+ sscf->certificate_cache = ngx_ssl_cache_init(cf->pool, max, valid,
+ inactive);
+ if (sscf->certificate_cache == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
static char *
ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_array_t *certificate_values;
ngx_array_t *certificate_key_values;
+ ngx_ssl_cache_t *certificate_cache;
+
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
ngx_str_t client_certificate;
"ssl key: \"%s\"", key.data);
if (ngx_ssl_connection_certificate(c, r->pool, &cert, &key,
+ sscf->certificate_cache,
sscf->passwords)
!= NGX_OK)
{
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http upstream ssl key: \"%s\"", key.data);
- if (ngx_ssl_connection_certificate(c, r->pool, &cert, &key,
+ if (ngx_ssl_connection_certificate(c, r->pool, &cert, &key, NULL,
u->conf->ssl_passwords)
!= NGX_OK)
{
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
"stream upstream ssl key: \"%s\"", key.data);
- if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key,
+ if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key, NULL,
pscf->ssl_passwords)
!= NGX_OK)
{
static ngx_int_t ngx_stream_ssl_compile_certificates(ngx_conf_t *cf,
ngx_stream_ssl_srv_conf_t *conf);
+static char *ngx_stream_ssl_certificate_cache(ngx_conf_t *cf,
+ ngx_command_t *cmd, void *conf);
static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
offsetof(ngx_stream_ssl_srv_conf_t, certificate_keys),
NULL },
+ { ngx_string("ssl_certificate_cache"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE123,
+ ngx_stream_ssl_certificate_cache,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ 0,
+ NULL },
+
{ ngx_string("ssl_password_file"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_stream_ssl_password_file,
"ssl key: \"%s\"", key.data);
if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key,
+ sscf->certificate_cache,
sscf->passwords)
!= NGX_OK)
{
sscf->handshake_timeout = NGX_CONF_UNSET_MSEC;
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
+ sscf->certificate_cache = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
sscf->conf_commands = NGX_CONF_UNSET_PTR;
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
NULL);
+ ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
+ NULL);
+
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
}
+static char *
+ngx_stream_ssl_certificate_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_stream_ssl_srv_conf_t *sscf = conf;
+
+ time_t inactive, valid;
+ ngx_str_t *value, s;
+ ngx_int_t max;
+ ngx_uint_t i;
+
+ if (sscf->certificate_cache != NGX_CONF_UNSET_PTR) {
+ return "is duplicate";
+ }
+
+ value = cf->args->elts;
+
+ max = 0;
+ inactive = 10;
+ valid = 60;
+
+ for (i = 1; i < cf->args->nelts; i++) {
+
+ if (ngx_strncmp(value[i].data, "max=", 4) == 0) {
+
+ max = ngx_atoi(value[i].data + 4, value[i].len - 4);
+ if (max <= 0) {
+ goto failed;
+ }
+
+ continue;
+ }
+
+ if (ngx_strncmp(value[i].data, "inactive=", 9) == 0) {
+
+ s.len = value[i].len - 9;
+ s.data = value[i].data + 9;
+
+ inactive = ngx_parse_time(&s, 1);
+ if (inactive == (time_t) NGX_ERROR) {
+ goto failed;
+ }
+
+ continue;
+ }
+
+ if (ngx_strncmp(value[i].data, "valid=", 6) == 0) {
+
+ s.len = value[i].len - 6;
+ s.data = value[i].data + 6;
+
+ valid = ngx_parse_time(&s, 1);
+ if (valid == (time_t) NGX_ERROR) {
+ goto failed;
+ }
+
+ continue;
+ }
+
+ if (ngx_strcmp(value[i].data, "off") == 0) {
+
+ sscf->certificate_cache = NULL;
+
+ continue;
+ }
+
+ failed:
+
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid parameter \"%V\"", &value[i]);
+ return NGX_CONF_ERROR;
+ }
+
+ if (sscf->certificate_cache == NULL) {
+ return NGX_CONF_OK;
+ }
+
+ if (max == 0) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "\"ssl_certificate_cache\" must have "
+ "the \"max\" parameter");
+ return NGX_CONF_ERROR;
+ }
+
+ sscf->certificate_cache = ngx_ssl_cache_init(cf->pool, max, valid,
+ inactive);
+ if (sscf->certificate_cache == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
static char *
ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
typedef struct {
- ngx_msec_t handshake_timeout;
+ ngx_msec_t handshake_timeout;
- ngx_flag_t prefer_server_ciphers;
- ngx_flag_t reject_handshake;
+ ngx_flag_t prefer_server_ciphers;
+ ngx_flag_t reject_handshake;
- ngx_ssl_t ssl;
+ ngx_ssl_t ssl;
- ngx_uint_t protocols;
+ ngx_uint_t protocols;
- ngx_uint_t verify;
- ngx_uint_t verify_depth;
+ ngx_uint_t verify;
+ ngx_uint_t verify_depth;
- ssize_t builtin_session_cache;
+ ssize_t builtin_session_cache;
- time_t session_timeout;
+ time_t session_timeout;
- ngx_array_t *certificates;
- ngx_array_t *certificate_keys;
+ ngx_array_t *certificates;
+ ngx_array_t *certificate_keys;
- ngx_array_t *certificate_values;
- ngx_array_t *certificate_key_values;
+ ngx_array_t *certificate_values;
+ ngx_array_t *certificate_key_values;
- ngx_str_t dhparam;
- ngx_str_t ecdh_curve;
- ngx_str_t client_certificate;
- ngx_str_t trusted_certificate;
- ngx_str_t crl;
- ngx_str_t alpn;
+ ngx_ssl_cache_t *certificate_cache;
- ngx_str_t ciphers;
+ ngx_str_t dhparam;
+ ngx_str_t ecdh_curve;
+ ngx_str_t client_certificate;
+ ngx_str_t trusted_certificate;
+ ngx_str_t crl;
+ ngx_str_t alpn;
- ngx_array_t *passwords;
- ngx_array_t *conf_commands;
+ ngx_str_t ciphers;
- ngx_shm_zone_t *shm_zone;
+ ngx_array_t *passwords;
+ ngx_array_t *conf_commands;
- ngx_flag_t session_tickets;
- ngx_array_t *session_ticket_keys;
+ ngx_shm_zone_t *shm_zone;
- ngx_uint_t ocsp;
- ngx_str_t ocsp_responder;
- ngx_shm_zone_t *ocsp_cache_zone;
+ ngx_flag_t session_tickets;
+ ngx_array_t *session_ticket_keys;
- ngx_flag_t stapling;
- ngx_flag_t stapling_verify;
- ngx_str_t stapling_file;
- ngx_str_t stapling_responder;
+ ngx_uint_t ocsp;
+ ngx_str_t ocsp_responder;
+ ngx_shm_zone_t *ocsp_cache_zone;
+
+ ngx_flag_t stapling;
+ ngx_flag_t stapling_verify;
+ ngx_str_t stapling_file;
+ ngx_str_t stapling_responder;
} ngx_stream_ssl_srv_conf_t;
projects / nginx.git / commitdiff