[PATCH 5 of 6] SSL : ...
Filipe DA SILVA
fdasilva at ingima.com
Thu Apr 16 10:10:59 UTC 2015
# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1429178262 -7200
# Thu Apr 16 11:57:42 2015 +0200
# Node ID b6a6508616eec10a7d2891d97b27d3bdc784a26b
# Parent 257767ac10541b1d94e6c93b19a1d5ebd3569abf
SSL: introduce multiple server certificate support.
diff -r 257767ac1054 -r b6a6508616ee src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Apr 16 11:57:41 2015 +0200
+++ b/src/event/ngx_event_openssl.c Thu Apr 16 11:57:42 2015 +0200
@@ -334,6 +334,36 @@ ngx_ssl_get_server_certificate(ngx_ssl_t
ngx_int_t
+ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
+ ngx_array_t *keys, ngx_array_t *passwords)
+{
+ ngx_uint_t i, j;
+ ngx_str_t *cert;
+ ngx_str_t *key;
+
+ /* Load server certificates */
+ cert = certs->elts;
+ for (i = 0; i < certs->nelts; i++, cert++) {
+ if (ngx_ssl_server_certificate(cf, ssl, cert) != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+ }
+
+ /* Load private keys */
+ key = keys->elts;
+ for (j = 0; j < keys->nelts; j++, key++) {
+ if (ngx_ssl_private_key(cf, ssl, key, passwords) != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+ }
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_str_t *key, ngx_array_t *passwords)
{
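Review bot: ngx_ssl_certificates() loads every certificate before any private key and never checks that `keys` holds at least `certs->nelts` entries, so the certificate/key pairing is only implicit and a short key list is not diagnosed here; the http module checks the counts in one branch of its merge, but this is a public helper exported from ngx_event_openssl.h that other callers can reach. A pairwise loop that loads each certificate followed by its own key makes the pairing explicit and reports which pair failed; whether the current two-pass order is even accepted depends on how ngx_ssl_server_certificate()/ngx_ssl_private_key() bind a key to a certificate, which is not visible in this hunk, and the pairwise form drops any keys beyond `certs->nelts` rather than loading them. The two single-line `if` conditions also put `{` on its own line, which nginx style reserves for multi-line conditions, and `i`/`j` can be one index. ngx_ssl_certificate() below opens inside the hunk but its body continues past it.
```c
ngx_int_t
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
    ngx_array_t *keys, ngx_array_t *passwords)
{
    ngx_uint_t   i;
    ngx_str_t   *cert, *key;

    /* every certificate needs a key at the same position in keys */
    if (keys->nelts < certs->nelts) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "fewer \"ssl_certificate_key\" than "
                      "\"ssl_certificate\" entries");
        return NGX_ERROR;
    }

    cert = certs->elts;
    key = keys->elts;

    /* load each certificate together with the key that belongs to it */
    for (i = 0; i < certs->nelts; i++) {
        if (ngx_ssl_server_certificate(cf, ssl, &cert[i]) != NGX_OK) {
            return NGX_ERROR;
        }

        if (ngx_ssl_private_key(cf, ssl, &key[i], passwords) != NGX_OK) {
            return NGX_ERROR;
        }
    }

    return NGX_OK;
}
```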
@@ -2227,18 +2257,17 @@ ngx_ssl_session_id_context(ngx_ssl_t *ss
cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_FIRST_CERT);
while (cert) {
- /* TODO: fix loop indentation */
- if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "X509_digest() failed");
- goto failed;
- }
-
- if (EVP_DigestUpdate(&md, buf, len) == 0) {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "EVP_DigestUpdate() failed");
- goto failed;
- }
+ if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "X509_digest() failed");
+ goto failed;
+ }
+
+ if (EVP_DigestUpdate(&md, buf, len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "EVP_DigestUpdate() failed");
+ goto failed;
+ }
/* get next server certificate, if any */
cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_NEXT_CERT);
diff -r 257767ac1054 -r b6a6508616ee src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Thu Apr 16 11:57:41 2015 +0200
+++ b/src/event/ngx_event_openssl.h Thu Apr 16 11:57:42 2015 +0200
@@ -124,6 +124,8 @@ ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -r 257767ac1054 -r b6a6508616ee src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Apr 16 11:57:41 2015 +0200
+++ b/src/http/modules/ngx_http_ssl_module.c Thu Apr 16 11:57:42 2015 +0200
@@ -81,16 +81,16 @@ static ngx_command_t ngx_http_ssl_comma
{ ngx_string("ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_HTTP_SRV_CONF_OFFSET,
- offsetof(ngx_http_ssl_srv_conf_t, certificate),
+ offsetof(ngx_http_ssl_srv_conf_t, certificates),
NULL },
{ ngx_string("ssl_certificate_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_HTTP_SRV_CONF_OFFSET,
- offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
+ offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
NULL },
{ ngx_string("ssl_password_file"),
@@ -505,8 +505,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
* set by ngx_pcalloc():
*
* sscf->protocols = 0;
- * sscf->certificate = { 0, NULL };
- * sscf->certificate_key = { 0, NULL };
* sscf->dhparam = { 0, NULL };
* sscf->ecdh_curve = { 0, NULL };
* sscf->client_certificate = { 0, NULL };
@@ -523,6 +521,8 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
sscf->verify = NGX_CONF_UNSET_UINT;
sscf->verify_depth = NGX_CONF_UNSET_UINT;
+ sscf->certificates = NGX_CONF_UNSET_PTR;
+ sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
@@ -570,8 +570,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
- ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
- ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+ ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
+ ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
+ NULL);
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
@@ -598,7 +599,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
if (conf->enable) {
- if (conf->certificate.len == 0) {
+ if (!conf->certificates || conf->certificates->nelts == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"ssl\" directive in %s:%ui",
@@ -606,7 +607,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
return NGX_CONF_ERROR;
}
- if (conf->certificate_key.len == 0) {
+ if (!conf->certificate_keys || conf->certificate_keys->nelts == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for "
"the \"ssl\" directive in %s:%ui",
@@ -616,18 +617,38 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
} else {
- if (conf->certificate.len == 0) {
+ if (!conf->certificates || conf->certificates->nelts == 0) {
return NGX_CONF_OK;
}
- if (conf->certificate_key.len == 0) {
+ if (!conf->certificate_keys || conf->certificate_keys->nelts == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\"", &conf->certificate);
+ "for certificate \"%V\"", &conf->certificates[0]);
+ return NGX_CONF_ERROR;
+ }
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\"",
+ &conf->certificates[conf->certificate_keys->nelts]);
return NGX_CONF_ERROR;
}
}
+#ifndef SSL_CTX_add0_chain_cert
+ if (conf->certificates->nelts > 1) {
+ /*
+ * no multiple certificates support for OpenSSL < 1.0.2,
+ * so we need to alarm user
+ */
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "Multiple certificate configured in "
+ "\"ssl_certificate\", but OpenSSL < 1.0.2 used");
+ return NGX_CONF_ERROR;
+ }
+#endif
+
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
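Review bot: `&conf->certificates[0]` and `&conf->certificates[conf->certificate_keys->nelts]` index the `ngx_array_t *` itself rather than its elements: `conf->certificates[0]` is the array header, so `%V` is handed a pointer to an `ngx_array_t` where it expects an `ngx_str_t`, and the second expression is pointer arithmetic past a single-object allocation. The elements are reached through `elts`, e.g. `&((ngx_str_t *) conf->certificates->elts)[0]` and `&((ngx_str_t *) conf->certificates->elts)[conf->certificate_keys->nelts]`. The `conf->certificate_keys->nelts < conf->certificates->nelts` comparison is also only added to this `else` branch; the `if (conf->enable)` branch in the preceding two hunks still accepts fewer keys than certificates, which then reach ngx_ssl_certificates() unchecked, so the same comparison and error belong there too. ngx_http_ssl_merge_srv_conf() continues outside this hunk.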
@@ -663,8 +684,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
- if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
- &conf->certificate_key, conf->passwords)
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+ conf->certificate_keys, conf->passwords)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 257767ac1054 -r b6a6508616ee src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Thu Apr 16 11:57:41 2015 +0200
+++ b/src/http/modules/ngx_http_ssl_module.h Thu Apr 16 11:57:42 2015 +0200
@@ -32,8 +32,8 @@ typedef struct {
time_t session_timeout;
- ngx_str_t certificate;
- ngx_str_t certificate_key;
+ ngx_array_t *certificates;
+ ngx_array_t *certificate_keys;
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
ngx_str_t client_certificate;