[PATCH 1 of 2] Mail: add SSL Stapling support.
Filipe DA SILVA
fdasilva at ingima.com
Mon Apr 27 08:55:00 UTC 2015
Hi, everybody.
I've noticed that this feature was not available in the SSL mail module.
I thought it would be easy to add, until I had to deal with module post-configuration ;)
The patch is also compatible with the earlier nginx 1.6 and 1.8 versions.
Regards,
Filipe
---
# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1430124785 -7200
# Mon Apr 27 10:53:05 2015 +0200
# Branch stable-1.6
# Node ID bc8fc02d70953b3e55a10312130f4c22c5adf1b7
# Parent c94bc8f034ff0a2201a19b9581aa4d8bf15188ec
Mail: add SSL Stapling support.
Same functionality as in http_ssl_module.
Same configuration directives as in http_ssl_module.
Compatible with nginx 1.6 and 1.8
diff -r c94bc8f034ff -r bc8fc02d7095 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Tue Apr 07 18:57:56 2015 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Mon Apr 27 10:53:05 2015 +0200
@@ -137,6 +137,34 @@ static ngx_command_t ngx_mail_ssl_comma
offsetof(ngx_mail_ssl_conf_t, session_timeout),
NULL },
+ { ngx_string("ssl_stapling"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, stapling),
+ NULL },
+
+ { ngx_string("ssl_stapling_file"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, stapling_file),
+ NULL },
+
+ { ngx_string("ssl_stapling_responder"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, stapling_responder),
+ NULL },
+
+ { ngx_string("ssl_stapling_verify"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, stapling_verify),
+ NULL },
+
ngx_null_command
};
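Review bot: `ssl_stapling_verify` is registered here, but nothing visible in this patch gives the mail module a way to load the trust anchors used to check the OCSP response. In http_ssl_module, verification depends on the issuer, intermediate and root certificates being configured as trusted through `ssl_trusted_certificate`, and on the stable-1.6 branch the mail module may have no equivalent directive (not visible here, so please confirm). If it does not, an operator who sets `ssl_stapling_verify on` cannot obtain a properly verified staple, so either leave the directive out on branches without trusted-certificate support or state the dependency next to the entry, e.g. `/* verification needs trusted CA certificates loaded into conf->ssl */`. The command array starts outside the hunk.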
@@ -191,6 +219,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
* scf->ecdh_curve = { 0, NULL };
* scf->ciphers = { 0, NULL };
* scf->shm_zone = NULL;
+ * scf->stapling_file = { 0, NULL };
+ * scf->stapling_responder = { 0, NULL };
*/
scf->enable = NGX_CONF_UNSET;
@@ -200,6 +230,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
scf->session_timeout = NGX_CONF_UNSET;
scf->session_tickets = NGX_CONF_UNSET;
scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+ scf->stapling = NGX_CONF_UNSET;
+ scf->stapling_verify = NGX_CONF_UNSET;
return scf;
}
@@ -236,6 +268,12 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
NGX_DEFAULT_ECDH_CURVE);
+ ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+ ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
+ ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
+ ngx_conf_merge_str_value(conf->stapling_responder,
+ prev->stapling_responder, "");
+
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
@@ -365,6 +403,17 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
return NGX_CONF_ERROR;
}
+ if (conf->stapling) {
+
+ if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
+ &conf->stapling_responder, conf->stapling_verify)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
+ }
+
return NGX_CONF_OK;
}
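Review bot: The new `if (conf->stapling)` block calls `ngx_ssl_stapling()`, but nothing visible in this patch attaches a resolver to the stapling context. A responder given by hostname would therefore presumably keep whatever address was resolved at configuration load. http_ssl_module handles this in its postconfiguration handler with `ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, clcf->resolver_timeout)`, and the mail module needs the equivalent using the mail core resolver. That may be what patch 2 of 2 covers; if so, a comment here such as `/* resolver is attached in postconfiguration */` would make the dependency explicit. ngx_mail_ssl_merge_conf starts outside the hunk.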
diff -r c94bc8f034ff -r bc8fc02d7095 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h Tue Apr 07 18:57:56 2015 +0300
+++ b/src/mail/ngx_mail_ssl_module.h Mon Apr 27 10:53:05 2015 +0200
@@ -44,6 +44,11 @@ typedef struct {
ngx_flag_t session_tickets;
ngx_array_t *session_ticket_keys;
+ ngx_flag_t stapling;
+ ngx_flag_t stapling_verify;
+ ngx_str_t stapling_file;
+ ngx_str_t stapling_responder;
+
u_char *file;
ngx_uint_t line;
} ngx_mail_ssl_conf_t;