[PATCH 1 of 2] Mail: add SSL Stapling support.

Filipe DA SILVA fdasilva at ingima.com
Mon Apr 27 08:55:00 UTC 2015


Hi, everybody.

I've noticed that this feature was not available in the SSL mail module.

I thought it would be easy to add, until I had to deal with module post-configuration ;)

The patch is also compatible with the previous 1.6 and 1.8 nginx versions.

Regards,
Filipe

---
# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1430124785 -7200
#      Mon Apr 27 10:53:05 2015 +0200
# Branch stable-1.6
# Node ID bc8fc02d70953b3e55a10312130f4c22c5adf1b7
# Parent  c94bc8f034ff0a2201a19b9581aa4d8bf15188ec
Mail: add SSL Stapling support.

Same functionality as in http_ssl_module.
Same configuration directives as in http_ssl_module.

Compatible with nginx 1.6 and 1.8

diff -r c94bc8f034ff -r bc8fc02d7095 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Tue Apr 07 18:57:56 2015 +0300
+++ b/src/mail/ngx_mail_ssl_module.c	Mon Apr 27 10:53:05 2015 +0200
@@ -137,6 +137,34 @@ static ngx_command_t  ngx_mail_ssl_comma
       offsetof(ngx_mail_ssl_conf_t, session_timeout),
       NULL },
 
+    { ngx_string("ssl_stapling"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, stapling),
+      NULL },
+
+    { ngx_string("ssl_stapling_file"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, stapling_file),
+      NULL },
+
+    { ngx_string("ssl_stapling_responder"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, stapling_responder),
+      NULL },
+
+    { ngx_string("ssl_stapling_verify"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, stapling_verify),
+      NULL },
+
       ngx_null_command
 };
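Review bot: `ssl_stapling_verify` is registered here, but nothing in the visible part of the table supplies the CA certificates that verification would check the OCSP response against; in http_ssl_module that role is filled by `ssl_trusted_certificate`. If the mail module on this branch has no equivalent directive, `ssl_stapling_verify on` would presumably reject every response, so no staple would ever be sent. Either add the trusted-certificate directive in the same series or leave `ssl_stapling_verify` out until it exists. The command array starts outside this hunk, so an earlier entry may already cover this.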
 
@@ -191,6 +219,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
      *     scf->ecdh_curve = { 0, NULL };
      *     scf->ciphers = { 0, NULL };
      *     scf->shm_zone = NULL;
+     *     scf->stapling_file = { 0, NULL };
+     *     scf->stapling_responder = { 0, NULL };
      */
 
     scf->enable = NGX_CONF_UNSET;
@@ -200,6 +230,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
     scf->session_timeout = NGX_CONF_UNSET;
     scf->session_tickets = NGX_CONF_UNSET;
     scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+    scf->stapling = NGX_CONF_UNSET;
+    scf->stapling_verify = NGX_CONF_UNSET;
 
     return scf;
 }
@@ -236,6 +268,12 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                          NGX_DEFAULT_ECDH_CURVE);
 
+    ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+    ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
+    ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
+    ngx_conf_merge_str_value(conf->stapling_responder,
+                         prev->stapling_responder, "");
+
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
@@ -365,6 +403,17 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
         return NGX_CONF_ERROR;
     }
 
+    if (conf->stapling) {
+
+        if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
+                             &conf->stapling_responder, conf->stapling_verify)
+            != NGX_OK)
+        {
+            return NGX_CONF_ERROR;
+        }
+
+    }
+
     return NGX_CONF_OK;
 }
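Review bot: The `ngx_ssl_stapling()` call added at the end of `ngx_mail_ssl_merge_conf` has no matching `ngx_ssl_stapling_resolver()` call anywhere in this patch, whereas http_ssl_module attaches a resolver from its postconfiguration handler. Without one, the responder host is presumably resolved only once, when the configuration is parsed, so a responder that later changes address would leave stale or missing staples until reload. This is patch 1 of 2, so the second patch may add it; if so, a short comment above the block would make the dependency explicit, e.g. `/* OCSP responder resolver is attached at postconfiguration */`. The function body starts outside this hunk, so the earlier return paths were not reviewed.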
 
diff -r c94bc8f034ff -r bc8fc02d7095 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h	Tue Apr 07 18:57:56 2015 +0300
+++ b/src/mail/ngx_mail_ssl_module.h	Mon Apr 27 10:53:05 2015 +0200
@@ -44,6 +44,11 @@ typedef struct {
     ngx_flag_t       session_tickets;
     ngx_array_t     *session_ticket_keys;
 
+    ngx_flag_t       stapling;
+    ngx_flag_t       stapling_verify;
+    ngx_str_t        stapling_file;
+    ngx_str_t        stapling_responder;
+
     u_char          *file;
     ngx_uint_t       line;
 } ngx_mail_ssl_conf_t;


