[PATCH] Mail: send starttls flag value to auth script
Filipe Da Silva
fdasilvayy at gmail.com
Sat Mar 7 15:56:21 UTC 2015
Hi,
There is a small issue in my previous patch.
This one is looking for the right flag.
Rgs,
Filipe
2015-03-07 11:34 GMT+01:00 Filipe Da Silva <fdasilvayy at gmail.com>:
> I think that the half way solution is this one attached :
>
> - when an SSL connection is active: "Auth-SSL: on" (current code status)
> - else when it could have been active (using STARTTLS): "Auth-SSL: off"
> - else SSL was disabled: there is nothing to send.
>
> Regards,
> Filipe DA SILVA.
>
> 2015-03-03 17:28 GMT+01:00 Michael Kliewe <info at phpgangsta.de>:
>> Hi Maxim,
>>
>> On Mar 3, 2015, at 4:50 PM, Maxim Dounin wrote:
>>
>>> Hello!
>>>
>>> On Tue, Mar 03, 2015 at 03:14:50PM +0100, Michael Kliewe wrote:
>>>
>>>> Hi again,
>>>>
>>>> On Mar 2, 2015, at 3:56 PM, Maxim Dounin wrote:
>>>>
>>>> I'm sorry, I don't really want to repeat my arguments, but as I
>>>> said I don't have control over all nginx servers that are used.
>>>> Some will be "older", some will be newer. And I cannot force
>>>> "them" to introduce the auth_http_header to just send the nginx
>>>> version or capability of sending Auth-SSL header or not...
>>>
>>> If you can't, then just switch off warnings till the update is
>>> complete, as already suggested.
>>
>> That might take months or years, some are out of my control as I said.
>> And we are already sending warnings currently because of the patch from Filipe, which works fine.
>> I cannot use your modified patch, I still have to patch Filipe's version manually then.
>>
>>>
>>>> Filipe's patch is working fine since > 6 months, it's either
>>>> sending 0 or 1. The 0 is an important information and should not
>>>> be dropped.
>>>>
>>>> Can you tell me the disadvantage of sending "off" in case the
>>>> connection is unencrypted? I don't really see the problem at the
>>>> moment why you don't add the else branch, you are dropping
>>>> information that is needed (and that was there in the original
>>>> patch)... It's just 3 lines more code and doesn't hurt anybody,
>>>> but provides important information to the auth script.
>>>
>>> As already explained, the problem is that the header will be added
>>> forever for all setups, and it will be waste of resources in all
>>> these setups. It will be waste of resources in your setup as well
>>> after the transition period.
>>
>> But you are already adding the header in case it is an encrypted connection, which currently is >90% of all cases, at least here in Germany. If you call that "waste of resources", you are already doing that for 90% of all IMAP/POP3 connections, I'm just asking to do that for the last 10% that are unencrypted (and will fade away during the next years, as more and more providers disallow unencrypted connections).
>> I'm just asking for the last 10% of connections, which are the important ones, if you need that feature.
>>
>> Otherwise I still have to use the patch from Filipe everywhere, because it allows slow migration and distinction between "encrypted", "unencrypted" and "unknown" in the auth script.
>>
>> If you want to be as efficient as possible, you should send just "AUTH_SSL: off" in case of an unencrypted connection, and no header at all for an encrypted connection. That would be a lot better, because >90% of all IMAP/POP3 connections are encrypted today.
>>
>> Michael
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
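The three-state Auth-SSL semantics argued for in the thread (on / off / header absent), as an added example of how an auth_http backend can consume them; this is not code from the thread or from nginx. The Auth-* request headers and the Auth-Status/Auth-Server/Auth-Port/Auth-Wait reply headers follow the nginx auth_http protocol; the sample request, the backend address and the `reject_plaintext` policy knob are this example's own assumptions.

```python
"""Consume nginx's Auth-SSL header in an auth_http backend with three states."""

# Constructed sample of the request nginx sends for a PLAIN login on IMAP
# over TLS (values are made up for this example).
SAMPLE_REQUEST = (
    "GET /auth HTTP/1.0\r\n"
    "Host: auth.example.test\r\n"
    "Auth-Method: plain\r\n"
    "Auth-User: alice\r\n"
    "Auth-Pass: example-password\r\n"
    "Auth-Protocol: imap\r\n"
    "Auth-Login-Attempt: 1\r\n"
    "Client-IP: 192.0.2.10\r\n"
    "Auth-SSL: on\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return the request headers as a dict with lower-cased names."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def transport_state(headers):
    """Map Auth-SSL to the three states the thread distinguishes:
    'on'   -> TLS is active (SSL or negotiated STARTTLS)
    'off'  -> STARTTLS was offered but the client did not use it
    absent -> nginx too old to send the header, or SSL disabled."""
    value = headers.get("auth-ssl")
    if value is None:
        return "unknown"
    return "encrypted" if value.lower() == "on" else "unencrypted"


def decide(headers, reject_plaintext=False):
    """Build the auth_http reply headers and report the transport state.
    reject_plaintext is an assumed local policy: False during a migration
    (unencrypted logins are only logged), True once every listener sends
    Auth-SSL and plaintext authentication can be refused."""
    state = transport_state(headers)
    if state == "unencrypted" and reject_plaintext:
        # nginx returns the Auth-Status text to the client as the error
        return {"Auth-Status": "Use STARTTLS before authenticating",
                "Auth-Wait": "3"}, state
    # 'unknown' cannot be enforced: an old nginx never reports the state.
    return {"Auth-Status": "OK", "Auth-Server": "198.51.100.5",
            "Auth-Port": "143"}, state
```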
-------------- next part --------------
# HG changeset patch
# Parent ec01b1d1fff12468fe1a2a1ee8e385c514358356
ssl: remove some magic numbers about SSL verify setting.
diff -r ec01b1d1fff1 -r c3b52156de53 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Feb 25 17:48:05 2015 +0300
+++ b/src/event/ngx_event_openssl.h Thu Feb 26 14:06:24 2015 +0100
@@ -114,6 +114,11 @@ typedef struct {
#define NGX_SSL_TLSv1_2 0x0020
+#define NGX_SSL_VERIFY_OFF 0
+#define NGX_SSL_VERIFY_ON 1
+#define NGX_SSL_VERIFY_OPTIONAL 2
+#define NGX_SSL_VERIFY_OPTIONAL_NO_CA 3
+
#define NGX_SSL_BUFFER 1
#define NGX_SSL_CLIENT 2
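Review bot: the commit message on this attachment describes an SSL verify-constant cleanup, while the mail subject announces a STARTTLS flag change for the auth script; please confirm the intended patch was attached. On the new defines themselves, the `if (conf->verify)` tests in the merge functions (see the ngx_http_ssl_module.c hunk) rely on NGX_SSL_VERIFY_OFF being 0 and the other modes being non-zero, and both ngx_conf_enum_t tables store these values straight into conf->verify, so a one-line comment such as `/* ssl_verify_client modes; OFF must stay 0 */` would record that constraint.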
diff -r ec01b1d1fff1 -r c3b52156de53 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Wed Feb 25 17:48:05 2015 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Thu Feb 26 14:06:24 2015 +0100
@@ -62,10 +62,10 @@ static ngx_conf_bitmask_t ngx_http_ssl_
static ngx_conf_enum_t ngx_http_ssl_verify[] = {
- { ngx_string("off"), 0 },
- { ngx_string("on"), 1 },
- { ngx_string("optional"), 2 },
- { ngx_string("optional_no_ca"), 3 },
+ { ngx_string("off"), NGX_SSL_VERIFY_OFF },
+ { ngx_string("on"), NGX_SSL_VERIFY_ON },
+ { ngx_string("optional"), NGX_SSL_VERIFY_OPTIONAL },
+ { ngx_string("optional_no_ca"), NGX_SSL_VERIFY_OPTIONAL_NO_CA },
{ ngx_null_string, 0 }
};
@@ -567,7 +567,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
NGX_SSL_BUFSIZE);
- ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+ ngx_conf_merge_uint_value(conf->verify, prev->verify, NGX_SSL_VERIFY_OFF);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
@@ -684,7 +684,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->client_certificate.len == 0 && conf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl_client_certificate for ssl_client_verify");
return NGX_CONF_ERROR;
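Review bot: the replaced condition `if (conf->client_certificate.len == 0 && conf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA) {` now runs well past 80 columns, which nginx style does not allow; wrap it the way the ngx_http_request.c hunk does, with the operator leading the continuation line: `if (conf->client_certificate.len == 0` / `    && conf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA)` / `{`.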
diff -r ec01b1d1fff1 -r c3b52156de53 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Wed Feb 25 17:48:05 2015 +0300
+++ b/src/http/ngx_http_request.c Thu Feb 26 14:06:24 2015 +0100
@@ -1849,7 +1849,8 @@ ngx_http_process_request(ngx_http_reques
rc = SSL_get_verify_result(c->ssl->connection);
if (rc != X509_V_OK
- && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+ && (sscf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA
+ || !ngx_ssl_verify_error_optional(rc)))
{
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error: (%l:%s)",
@@ -1862,7 +1863,7 @@ ngx_http_process_request(ngx_http_reques
return;
}
- if (sscf->verify == 1) {
+ if (sscf->verify == NGX_SSL_VERIFY_ON) {
cert = SSL_get_peer_certificate(c->ssl->connection);
if (cert == NULL) {
diff -r ec01b1d1fff1 -r c3b52156de53 src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c Wed Feb 25 17:48:05 2015 +0300
+++ b/src/mail/ngx_mail_handler.c Thu Feb 26 14:06:24 2015 +0100
@@ -291,7 +291,8 @@ ngx_mail_verify_cert(ngx_mail_session_t
rc = SSL_get_verify_result(c->ssl->connection);
if (rc != X509_V_OK
- && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+ && (sslcf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA
+ || !ngx_ssl_verify_error_optional(rc)))
{
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error: (%l:%s)",
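Review bot: this condition is now identical to the one in the ngx_http_request.c hunk apart from the conf variable name; since both already call ngx_ssl_verify_error_optional(rc), a small helper in ngx_event_openssl.c taking the verify mode and rc would keep the OPTIONAL_NO_CA special case in one place. Not a blocker for this cleanup, but worth noting as a follow-up.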
diff -r ec01b1d1fff1 -r c3b52156de53 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Wed Feb 25 17:48:05 2015 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Thu Feb 26 14:06:24 2015 +0100
@@ -47,10 +47,10 @@ static ngx_conf_bitmask_t ngx_mail_ssl_
static ngx_conf_enum_t ngx_mail_ssl_verify[] = {
- { ngx_string("off"), 0 },
- { ngx_string("on"), 1 },
- { ngx_string("optional"), 2 },
- { ngx_string("optional_no_ca"), 3 },
+ { ngx_string("off"), NGX_SSL_VERIFY_OFF },
+ { ngx_string("on"), NGX_SSL_VERIFY_ON },
+ { ngx_string("optional"), NGX_SSL_VERIFY_OPTIONAL },
+ { ngx_string("optional_no_ca"), NGX_SSL_VERIFY_OPTIONAL_NO_CA },
{ ngx_null_string, 0 }
};
@@ -287,7 +287,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
(NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
- ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+ ngx_conf_merge_uint_value(conf->verify, prev->verify, NGX_SSL_VERIFY_OFF);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
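Review bot: verify_depth keeps its literal default of 1 on the line after the changed one in both merge functions; that is a count rather than a mode, so leaving it is fine, but the commit message could say the cleanup covers only the ssl_verify_client mode values so nobody reads it as a complete sweep.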