13
13
ngx_pool_t *pool, ngx_str_t *s);
16
#define NGX_DEFLAUT_CERTIFICATE "cert.pem"
17
#define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem"
18
#define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
16
#define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
21
19
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
28
26
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
29
27
void *parent, void *child);
29
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
31
31
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
52
static ngx_conf_enum_t ngx_http_ssl_verify[] = {
53
{ ngx_string("off"), 0 },
54
{ ngx_string("on"), 1 },
55
{ ngx_string("ask"), 2 },
56
{ ngx_null_string, 0 }
52
60
static ngx_command_t ngx_http_ssl_commands[] = {
54
62
{ ngx_string("ssl"),
55
63
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
56
ngx_conf_set_flag_slot,
57
65
NGX_HTTP_SRV_CONF_OFFSET,
58
66
offsetof(ngx_http_ssl_srv_conf_t, enable),
72
80
offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
83
{ ngx_string("ssl_dhparam"),
84
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
85
ngx_conf_set_str_slot,
86
NGX_HTTP_SRV_CONF_OFFSET,
87
offsetof(ngx_http_ssl_srv_conf_t, dhparam),
75
90
{ ngx_string("ssl_protocols"),
76
91
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
77
92
ngx_conf_set_bitmask_slot,
89
104
{ ngx_string("ssl_verify_client"),
90
105
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
91
ngx_conf_set_flag_slot,
106
ngx_conf_set_enum_slot,
92
107
NGX_HTTP_SRV_CONF_OFFSET,
93
108
offsetof(ngx_http_ssl_srv_conf_t, verify),
109
&ngx_http_ssl_verify },
96
111
{ ngx_string("ssl_verify_depth"),
97
112
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
175
190
{ ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
176
191
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
193
{ ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
194
(uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
196
{ ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
197
(uintptr_t) ngx_ssl_get_raw_certificate,
198
NGX_HTTP_VAR_CHANGEABLE, 0 },
178
200
{ ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
179
201
(uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
287
309
* set by ngx_pcalloc():
289
311
* sscf->protocols = 0;
290
* sscf->certificate.len = 0;
291
* sscf->certificate.data = NULL;
292
* sscf->certificate_key.len = 0;
293
* sscf->certificate_key.data = NULL;
294
* sscf->client_certificate.len = 0;
295
* sscf->client_certificate.data = NULL;
312
* sscf->certificate = { 0, NULL };
313
* sscf->certificate_key = { 0, NULL };
314
* sscf->dhparam = { 0, NULL };
315
* sscf->client_certificate = { 0, NULL };
296
316
* sscf->ciphers.len = 0;
297
317
* sscf->ciphers.data = NULL;
298
318
* sscf->shm_zone = NULL;
301
321
sscf->enable = NGX_CONF_UNSET;
302
sscf->verify = NGX_CONF_UNSET;
303
sscf->verify_depth = NGX_CONF_UNSET;
304
322
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
323
sscf->verify = NGX_CONF_UNSET_UINT;
324
sscf->verify_depth = NGX_CONF_UNSET_UINT;
305
325
sscf->builtin_session_cache = NGX_CONF_UNSET;
306
326
sscf->session_timeout = NGX_CONF_UNSET;
333
349
(NGX_CONF_BITMASK_SET
334
350
|NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
336
ngx_conf_merge_value(conf->verify, prev->verify, 0);
337
ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1);
339
ngx_conf_merge_str_value(conf->certificate, prev->certificate,
340
NGX_DEFLAUT_CERTIFICATE);
342
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
343
NGX_DEFLAUT_CERTIFICATE_KEY);
352
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
353
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
355
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
356
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
358
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
345
360
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
348
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
363
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
351
366
conf->ssl.log = cf->log;
370
if (conf->certificate.len == 0) {
371
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
372
"no \"ssl_certificate\" is defined for "
373
"the \"ssl\" directive in %s:%ui",
374
conf->file, conf->line);
375
return NGX_CONF_ERROR;
378
if (conf->certificate_key.len == 0) {
379
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
380
"no \"ssl_certificate_key\" is defined for "
381
"the \"ssl\" directive in %s:%ui",
382
conf->file, conf->line);
383
return NGX_CONF_ERROR;
388
if (conf->certificate.len == 0) {
392
if (conf->certificate_key.len == 0) {
393
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
394
"no \"ssl_certificate_key\" is defined "
395
"for certificate \"%V\"", &conf->certificate);
396
return NGX_CONF_ERROR;
353
400
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
354
401
return NGX_CONF_ERROR;
394
441
if (conf->verify) {
443
if (conf->client_certificate.len == 0) {
444
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
445
"no ssl_client_certificate for ssl_client_verify");
446
return NGX_CONF_ERROR;
395
449
if (ngx_ssl_client_certificate(cf, &conf->ssl,
396
450
&conf->client_certificate,
397
451
conf->verify_depth)
495
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
497
ngx_http_ssl_srv_conf_t *sscf = conf;
501
rv = ngx_conf_set_flag_slot(cf, cmd, conf);
503
if (rv != NGX_CONF_OK) {
507
sscf->file = cf->conf_file->file.name.data;
508
sscf->line = cf->conf_file->line;
437
515
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
439
517
ngx_http_ssl_srv_conf_t *sscf = conf;
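Review bot: The renamed `NGX_DEFAULT_CIPHERS` still ends in `+LOW:+SSLv2:+EXP`, and the merged protocol default below it still includes `NGX_SSL_SSLv2`, so a server block that sets neither `ssl_ciphers` nor `ssl_protocols` may offer export-grade and SSLv2 suites. Since the commit already touches these defaults, I would tighten them, e.g. `#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"`, and drop `NGX_SSL_SSLv2` from the default mask. Separately, the new check under `if (conf->verify)` logs `"no ssl_client_certificate for ssl_client_verify"`, but the directive registered in `ngx_http_ssl_commands` is `ssl_verify_client`; the message should read `"no ssl_client_certificate for ssl_verify_client"` so an operator can find the setting. `conf->verify` is now an enum in which `ask` is 2, and that branch is taken for both `on` and `ask`; how the two modes are told apart afterwards is not visible here, so a one-line comment at `ngx_http_ssl_verify[]` saying what `ask` accepts would help. Only parts of `ngx_http_ssl_merge_srv_conf` appear on this page, so these points rest on the visible lines alone.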