merge r3155, r3156, r3160, r969, r3191, r3197, r3358:
authorIgor Sysoev <igor@sysoev.ru>
Mon, 1 Feb 2010 14:39:16 +0000 (14:39 +0000)
committerIgor Sysoev <igor@sysoev.ru>
Mon, 1 Feb 2010 14:39:16 +0000 (14:39 +0000)
SSL fixes:

*) $ssl_session_id
*) allow "make clean" for OpenSSL, the bug was introduced in r2874
*) disable SSLv2 and use only strong ciphers by default
*) decrease SSL handshake error level to info

auto/lib/openssl/conf
auto/lib/openssl/make
src/event/ngx_event_openssl.c
src/event/ngx_event_openssl.h
src/http/modules/ngx_http_ssl_module.c
src/mail/ngx_mail_ssl_module.c

index 731db80d72c2d0965cfc0ff32f00799873c61cc5..64f2ce02fae2beb0128e822b1e68af7eee73d073 100644 (file)
@@ -25,10 +25,10 @@ if [ $OPENSSL != NONE ]; then
             have=NGX_OPENSSL . auto/have
             have=NGX_SSL . auto/have
 
-            CORE_INCS="$CORE_INCS $OPENSSL/openssl/include"
-            CORE_DEPS="$CORE_DEPS $OPENSSL/openssl/include/openssl/ssl.h"
-            CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libssl.a"
-            CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libcrypto.a"
+            CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
+            CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
+            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
+            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
             CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
         ;;
     esac
index 3c21f436b8744c2222c7453779564e33adf51591..d497d88e18b894262ab646be87d014c933ca4130 100644 (file)
@@ -46,13 +46,13 @@ END
         esac
 
         case $OPENSSL in
-            /*) ngx_prefix="$OPENSSL/openssl" ;;
-            *)  ngx_prefix="$PWD/$OPENSSL/openssl" ;;
+            /*) ngx_prefix="$OPENSSL/.openssl" ;;
+            *)  ngx_prefix="$PWD/$OPENSSL/.openssl" ;;
         esac
 
         cat << END                                            >> $NGX_MAKEFILE
 
-$OPENSSL/openssl/include/openssl/ssl.h:        $NGX_MAKEFILE
+$OPENSSL/.openssl/include/openssl/ssl.h:       $NGX_MAKEFILE
        cd $OPENSSL \\
        && \$(MAKE) clean \\
        && ./config --prefix=$ngx_prefix no-shared $OPENSSL_OPT \\
index a99552c10f8880657aea2378ac57830c1658ed11..91609ba4c362f5e5d8d625f8b736a996cdbc7ddd 100644 (file)
@@ -1313,6 +1313,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
             || n == SSL_R_NO_SHARED_CIPHER                           /*  193 */
             || n == SSL_R_UNEXPECTED_MESSAGE                         /*  244 */
             || n == SSL_R_UNEXPECTED_RECORD                          /*  245 */
+            || n == SSL_R_UNKNOWN_PROTOCOL                           /*  252 */
             || n == SSL_R_WRONG_VERSION_NUMBER                       /*  267 */
             || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        /*  281 */
             || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
@@ -1628,7 +1629,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
     hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
 
     ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "http ssl new session: %08XD:%d:%d",
+                   "ssl new session: %08XD:%d:%d",
                    hash, sess->session_id_length, len);
 
     sess_id->node.key = hash;
@@ -1691,7 +1692,7 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len,
     *copy = 0;
 
     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "http ssl get session: %08XD:%d", hash, len);
+                   "ssl get session: %08XD:%d", hash, len);
 
     shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
                                    ngx_ssl_session_cache_index);
@@ -1805,7 +1806,7 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
     hash = ngx_crc32_short(id, len);
 
     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
-                   "http ssl remove session: %08XD:%uz", hash, len);
+                   "ssl remove session: %08XD:%uz", hash, len);
 
     shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
 
@@ -1968,6 +1969,40 @@ ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }
 
 
+ngx_int_t
+ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    int           len;
+    u_char       *p, *buf;
+    SSL_SESSION  *sess;
+
+    sess = SSL_get0_session(c->ssl->connection);
+
+    len = i2d_SSL_SESSION(sess, NULL);
+
+    buf = ngx_alloc(len, c->log);
+    if (buf == NULL) {
+        return NGX_ERROR;
+    }
+
+    s->len = 2 * len;
+    s->data = ngx_pnalloc(pool, 2 * len);
+    if (s->data == NULL) {
+        ngx_free(buf);
+        return NGX_ERROR;
+    }
+
+    p = buf;
+    i2d_SSL_SESSION(sess, &p);
+
+    ngx_hex_dump(s->data, buf, len);
+
+    ngx_free(buf);
+
+    return NGX_OK;
+}
+
+
 ngx_int_t
 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
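Review bot: ngx_ssl_get_session_id() does not return the session id; `i2d_SSL_SESSION(sess, NULL)` / `i2d_SSL_SESSION(sess, &p)` DER-encode the whole SSL_SESSION structure (which carries the negotiated master key alongside the id), and that entire encoding is hex-dumped into $ssl_session_id, so anything logging or forwarding the variable receives the session secret rather than its identifier. The same file already reads the identifier directly in ngx_ssl_new_session() (`sess->session_id`, `sess->session_id_length`), which is what the variable should expose. Two smaller gaps in the same block: SSL_get0_session() may return NULL and nothing checks it before use, and `len` is passed to ngx_alloc() without checking that the encoder returned a positive length. Rewriting the body on the identifier removes the temporary heap buffer and both frees; the empty-value convention for a NULL session (zero-length string vs NGX_ERROR) should match whatever the sibling ngx_ssl_get_* helpers do, which is outside this hunk.
```c
ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    int           len;
    SSL_SESSION  *sess;

    sess = SSL_get0_session(c->ssl->connection);
    if (sess == NULL) {
        s->len = 0;
        return NGX_OK;
    }

    /* expose only the identifier, never the serialized session */
    len = sess->session_id_length;

    s->len = 2 * len;
    s->data = ngx_pnalloc(pool, 2 * len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_hex_dump(s->data, sess->session_id, len);

    return NGX_OK;
}
```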
index 21e22ebd8cf934d009cffc8bfb9e550af8835b1e..f3b5a2558eec315088caed5d7099188a1216bf57 100644 (file)
@@ -119,6 +119,8 @@ ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
index e428c36dea8d4c48ee0a08cd366401dfd6771aaf..3fe0d4366f1f12e5f4c80e8f03d7ccf6a9a39d05 100644 (file)
@@ -13,7 +13,7 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
     ngx_pool_t *pool, ngx_str_t *s);
 
 
-#define NGX_DEFAULT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
+#define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
 
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
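Review bot: The new default cipher list is defined twice with identical text, here and in ngx_mail_ssl_module.c (the hunk at the bottom of this page), with no comment on either saying why these three tokens were chosen, so the two copies can drift the next time one is hardened. A single definition in the shared ssl header would keep http and mail on the same default; failing that, each copy should carry the rationale, e.g. `/* strong ciphers only, no anonymous DH, no MD5 MACs; overridden per server by the ssl_ciphers directive */`. The same duplication applies to the protocols default (SSLv2 dropped from the merge in both ngx_http_ssl_merge_srv_conf and ngx_mail_ssl_merge_conf, both of which start outside their hunks), where a one-line comment noting that SSLv2 stays selectable through the configured protocols bitmask would help the next reader.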
@@ -184,6 +184,9 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
     { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
       (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
@@ -344,8 +347,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                          prev->prefer_server_ciphers, 0);
 
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
-                         (NGX_CONF_BITMASK_SET
-                          |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+                         (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
 
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
index 025df54d70f360a8bb52bb35d0b26700cb00c2d2..90f2b1b2b16922abd3f29df7073d58b6c9e5f4a5 100644 (file)
@@ -9,7 +9,7 @@
 #include <ngx_mail.h>
 
 
-#define NGX_DEFAULT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
+#define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
 
 
 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
@@ -198,8 +198,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                          prev->prefer_server_ciphers, 0);
 
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
-                         (NGX_CONF_BITMASK_SET
-                          |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+                         (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
 
     ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");