[nginx] svn commit: r4246 - in branches/stable-1.0: . src/event src/http src/http/modules

igor at sysoev.ru igor at sysoev.ru
Tue Nov 1 13:00:30 UTC 2011


Author: is
Date: 2011-11-01 13:00:30 +0000 (Tue, 01 Nov 2011)
New Revision: 4246

Modified:
   branches/stable-1.0/
   branches/stable-1.0/src/event/ngx_event_openssl.c
   branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c
   branches/stable-1.0/src/http/ngx_http_request.c
Log:
Merging r4034, r4186, r4187, r4229, r4235, r4237:

SSL related fixes:

*) Better handling of various per-server ssl options with SNI.

   SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
   structure, it only changes certificates (at least as of now, OpenSSL
   1.0.0d and earlier).
   
   As a result, settings like ssl_verify_client, ssl_verify_depth and
   ssl_prefer_server_ciphers are only configurable on a per-socket basis,
   while with SNI it should be possible to specify them differently for two
   servers listening on the same socket.
   
   Workaround is to explicitly re-apply settings we care about from context
   to ssl connection in servername callback.
   
   Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+.  I.e.
   with older versions it is not possible to clear ssl_prefer_server_ciphers
   option if it's set in default server for a socket.

*) Disabling SSL compression. This saves about 300K per SSL connection.
   The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.

*) Releasing memory of idle SSL connection. This saves about 34K per SSL
   connection. The SSL_MODE_RELEASE_BUFFERS option is available since
   OpenSSL 1.0.0d.

*) Decrease of log level of some SSL handshake errors.

*) Fixed segfault on configuration testing with ssl (ticket #37).

   The following config caused segmentation fault due to conf->file not
   being properly set if "ssl on" was inherited from the http level:
   
   http {
       ssl on;
       server {
       }
   }

*) Silently ignoring a stale global SSL error left after disabled renegotiation.




Property changes on: branches/stable-1.0
___________________________________________________________________
Modified: svn:mergeinfo
   - /trunk:3960-3974,3977-3987,3991-3996,3998,4003-4007,4009-4013,4015-4018,4020,4023,4025-4027,4035-4065,4073,4077,4086-4090,4094-4102,4106-4108,4113-4114,4129-4131,4133,4135-4137,4154,4156-4157,4184,4192,4200-4205
   + /trunk:3960-3974,3977-3987,3991-3996,3998,4003-4007,4009-4013,4015-4018,4020,4023,4025-4027,4034-4065,4073,4077,4086-4090,4094-4102,4106-4108,4113-4114,4129-4131,4133,4135-4137,4154,4156-4157,4184,4186-4187,4192,4200-4205,4229,4235,4237

Modified: branches/stable-1.0/src/event/ngx_event_openssl.c
===================================================================
--- branches/stable-1.0/src/event/ngx_event_openssl.c	2011-11-01 11:26:56 UTC (rev 4245)
+++ branches/stable-1.0/src/event/ngx_event_openssl.c	2011-11-01 13:00:30 UTC (rev 4246)
@@ -175,6 +175,14 @@
         SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
     }
 
+#ifdef SSL_OP_NO_COMPRESSION
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
+#endif
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
     SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
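Review bot: The two `#ifdef` blocks fall through silently on an OpenSSL without SSL_OP_NO_COMPRESSION or SSL_MODE_RELEASE_BUFFERS, so on such a build compression stays enabled and nothing in the log or `nginx -V` output tells the operator; a comment at the guard should state that, because the log message only mentions the memory saving. Compressing before encryption also makes record lengths depend on plaintext content, which is a reason beyond the 300K to want the option on wherever it exists. I would replace the bare guard with `#ifdef SSL_OP_NO_COMPRESSION /* OpenSSL 1.0.0+; older builds keep compression on, no runtime warning */`. The enclosing function starts before this hunk.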
@@ -855,6 +863,13 @@
 
         ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
 
+        while (ERR_peek_error()) {
+            ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
+                          "ignoring stale global SSL error");
+        }
+
+        ERR_clear_error();
+
         c->ssl->no_wait_shutdown = 1;
         c->ssl->no_send_shutdown = 1;
 
@@ -1344,19 +1359,37 @@
         n = ERR_GET_REASON(ERR_peek_error());
 
             /* handshake failures */
-        if (n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG                     /*  129 */
+        if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC                        /*  103 */
+            || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG                  /*  129 */
             || n == SSL_R_DIGEST_CHECK_FAILED                        /*  149 */
+            || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST              /*  151 */
+            || n == SSL_R_EXCESSIVE_MESSAGE_SIZE                     /*  152 */
             || n == SSL_R_LENGTH_MISMATCH                            /*  159 */
             || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
             || n == SSL_R_NO_CIPHERS_SPECIFIED                       /*  183 */
+            || n == SSL_R_NO_COMPRESSION_SPECIFIED                   /*  187 */
             || n == SSL_R_NO_SHARED_CIPHER                           /*  193 */
             || n == SSL_R_RECORD_LENGTH_MISMATCH                     /*  213 */
+#ifdef SSL_R_PARSE_TLSEXT
+            || n == SSL_R_PARSE_TLSEXT                               /*  227 */
+#endif
             || n == SSL_R_UNEXPECTED_MESSAGE                         /*  244 */
             || n == SSL_R_UNEXPECTED_RECORD                          /*  245 */
             || n == SSL_R_UNKNOWN_ALERT_TYPE                         /*  246 */
             || n == SSL_R_UNKNOWN_PROTOCOL                           /*  252 */
             || n == SSL_R_WRONG_VERSION_NUMBER                       /*  267 */
             || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        /*  281 */
+#ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
+            || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG                   /*  335 */
+            || n == SSL_R_RENEGOTIATION_ENCODING_ERR                 /*  336 */
+            || n == SSL_R_RENEGOTIATION_MISMATCH                     /*  337 */
+#endif
+#ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
+            || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED       /*  338 */
+#endif
+#ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
+            || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING           /*  345 */
+#endif
             || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
             || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE             /* 1010 */
             || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                 /* 1020 */
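Review bot: Several of the newly matched reasons (bad change cipher spec, renegotiation encoding/mismatch errors, SCSV received while renegotiating) are exactly what an active tampering or downgrade attempt produces on the wire, and after this change they are logged at the same reduced level as benign handshake failures, so an operator watching the default error_log will no longer see them; the level actually assigned to this group is set outside the hunk. The list deserves a comment above it making that trade-off explicit, e.g. `/* handshake failures: logged at reduced level; includes renegotiation-attack indicators, raise error_log level to see them */`. Only the first queued error is classified (ERR_peek_error), so a tampering indicator behind another entry is not matched either; that is pre-existing behaviour. The enclosing function starts and ends outside this hunk.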

Modified: branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c
===================================================================
--- branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c	2011-11-01 11:26:56 UTC (rev 4245)
+++ branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c	2011-11-01 13:00:30 UTC (rev 4246)
@@ -346,8 +346,17 @@
 
     ngx_pool_cleanup_t  *cln;
 
-    ngx_conf_merge_value(conf->enable, prev->enable, 0);
+    if (conf->enable == NGX_CONF_UNSET) {
+        if (prev->enable == NGX_CONF_UNSET) {
+            conf->enable = 0;
 
+        } else {
+            conf->enable = prev->enable;
+            conf->file = prev->file;
+            conf->line = prev->line;
+        }
+    }
+
     ngx_conf_merge_value(conf->session_timeout,
                          prev->session_timeout, 300);
 
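Review bot: The inherit branch copies `conf->file` and `conf->line` so that a later error about an "ssl on" inherited from the http block can be attributed to that directive, but nothing in the hunk shows where file/line are set when `enable` is given in the server block itself; presumably the directive handler does it, which should be confirmed since a NULL `conf->file` is what caused the segfault this merge fixes. A one-line comment would make the intent clear: `/* inherited "ssl on": point diagnostics at the http-level directive (ticket #37) */`. The unset/unset case leaves file and line untouched, which is fine as long as they are never read when enable is 0. The enclosing function starts and ends outside this hunk.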

Modified: branches/stable-1.0/src/http/ngx_http_request.c
===================================================================
--- branches/stable-1.0/src/http/ngx_http_request.c	2011-11-01 11:26:56 UTC (rev 4245)
+++ branches/stable-1.0/src/http/ngx_http_request.c	2011-11-01 13:00:30 UTC (rev 4246)
@@ -673,6 +673,24 @@
 
     SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
 
+    /*
+     * SSL_set_SSL_CTX() only changes certs as of 1.0.0d
+     * adjust other things we care about
+     */
+
+    SSL_set_verify(ssl_conn, SSL_CTX_get_verify_mode(sscf->ssl.ctx),
+                   SSL_CTX_get_verify_callback(sscf->ssl.ctx));
+
+    SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
+
+#ifdef SSL_CTRL_CLEAR_OPTIONS
+    /* only in 0.9.8m+ */
+    SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
+                                ~SSL_CTX_get_options(sscf->ssl.ctx));
+#endif
+
+    SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
+
     return SSL_TLSEXT_ERR_OK;
 }
 
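Review bot: The re-applied state covers verify mode, verify depth and the options mask, but not the cipher list, so if SSL_set_SSL_CTX() really only swaps certificates as the comment says, the SNI-selected server's cipher configuration presumably still does not take effect on this connection; either re-apply it from the server's configured cipher string (not visible in this hunk) or extend the comment to say ciphers remain per-socket. The `#ifdef SSL_CTRL_CLEAR_OPTIONS` fallback also has a security-relevant asymmetry that the code comment does not state: without it, an SNI server can only add options on top of what the default server set, never remove one, so a default server with a more permissive option set wins silently. I would expand the guard comment to `/* only in 0.9.8m+; on older OpenSSL options set by the default server cannot be cleared here */`. The servername callback begins before this hunk.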


