[nginx] SSL: support for multiple certificates (ticket #814).
Maxim Dounin
mdounin at mdounin.ru
Thu May 19 17:30:27 UTC 2016
details: http://hg.nginx.org/nginx/rev/51e1f047d15d
branches:
changeset: 6550:51e1f047d15d
user: Maxim Dounin <mdounin at mdounin.ru>
date: Thu May 19 14:46:32 2016 +0300
description:
SSL: support for multiple certificates (ticket #814).
diffstat:
src/event/ngx_event_openssl.c | 23 +++++++++++++++++
src/event/ngx_event_openssl.h | 2 +
src/http/modules/ngx_http_ssl_module.c | 46 ++++++++++++++++++++++-----------
src/http/modules/ngx_http_ssl_module.h | 5 ++-
src/mail/ngx_mail_ssl_module.c | 45 ++++++++++++++++++++++-----------
src/mail/ngx_mail_ssl_module.h | 5 ++-
src/stream/ngx_stream_ssl_module.c | 30 ++++++++++++---------
src/stream/ngx_stream_ssl_module.h | 5 ++-
8 files changed, 112 insertions(+), 49 deletions(-)
diffs (413 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -322,6 +322,29 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
ngx_int_t
+ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
+ ngx_array_t *keys, ngx_array_t *passwords)
+{
+ ngx_str_t *cert, *key;
+ ngx_uint_t i;
+
+ cert = certs->elts;
+ key = keys->elts;
+
+ for (i = 0; i < certs->nelts; i++) {
+
+ if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+ }
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_str_t *key, ngx_array_t *passwords)
{
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -140,6 +140,8 @@ typedef struct {
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
+ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -81,16 +81,16 @@ static ngx_command_t ngx_http_ssl_comma
{ ngx_string("ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_HTTP_SRV_CONF_OFFSET,
- offsetof(ngx_http_ssl_srv_conf_t, certificate),
+ offsetof(ngx_http_ssl_srv_conf_t, certificates),
NULL },
{ ngx_string("ssl_certificate_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_HTTP_SRV_CONF_OFFSET,
- offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
+ offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
NULL },
{ ngx_string("ssl_password_file"),
@@ -508,8 +508,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
* set by ngx_pcalloc():
*
* sscf->protocols = 0;
- * sscf->certificate = { 0, NULL };
- * sscf->certificate_key = { 0, NULL };
* sscf->dhparam = { 0, NULL };
* sscf->ecdh_curve = { 0, NULL };
* sscf->client_certificate = { 0, NULL };
@@ -526,6 +524,8 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
sscf->verify = NGX_CONF_UNSET_UINT;
sscf->verify_depth = NGX_CONF_UNSET_UINT;
+ sscf->certificates = NGX_CONF_UNSET_PTR;
+ sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
@@ -573,8 +573,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
- ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
- ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+ ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
+ ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
+ NULL);
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
@@ -601,7 +602,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
if (conf->enable) {
- if (conf->certificate.len == 0) {
+ if (conf->certificates == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"ssl\" directive in %s:%ui",
@@ -609,7 +610,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
return NGX_CONF_ERROR;
}
- if (conf->certificate_key.len == 0) {
+ if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for "
"the \"ssl\" directive in %s:%ui",
@@ -617,16 +618,31 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
return NGX_CONF_ERROR;
}
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\" and "
+ "the \"ssl\" directive in %s:%ui",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1,
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
} else {
- if (conf->certificate.len == 0) {
+ if (conf->certificates == NULL) {
return NGX_CONF_OK;
}
- if (conf->certificate_key.len == 0) {
+ if (conf->certificate_keys == NULL
+ || conf->certificate_keys->nelts < conf->certificates->nelts)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\"", &conf->certificate);
+ "for certificate \"%V\"",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1);
return NGX_CONF_ERROR;
}
}
@@ -666,8 +682,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
- if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
- &conf->certificate_key, conf->passwords)
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+ conf->certificate_keys, conf->passwords)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -32,8 +32,9 @@ typedef struct {
time_t session_timeout;
- ngx_str_t certificate;
- ngx_str_t certificate_key;
+ ngx_array_t *certificates;
+ ngx_array_t *certificate_keys;
+
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
ngx_str_t client_certificate;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -73,16 +73,16 @@ static ngx_command_t ngx_mail_ssl_comma
{ ngx_string("ssl_certificate"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_MAIL_SRV_CONF_OFFSET,
- offsetof(ngx_mail_ssl_conf_t, certificate),
+ offsetof(ngx_mail_ssl_conf_t, certificates),
NULL },
{ ngx_string("ssl_certificate_key"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_MAIL_SRV_CONF_OFFSET,
- offsetof(ngx_mail_ssl_conf_t, certificate_key),
+ offsetof(ngx_mail_ssl_conf_t, certificate_keys),
NULL },
{ ngx_string("ssl_password_file"),
@@ -238,8 +238,6 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
* set by ngx_pcalloc():
*
* scf->protocols = 0;
- * scf->certificate = { 0, NULL };
- * scf->certificate_key = { 0, NULL };
* scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL };
* scf->client_certificate = { 0, NULL };
@@ -251,6 +249,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
scf->enable = NGX_CONF_UNSET;
scf->starttls = NGX_CONF_UNSET_UINT;
+ scf->certificates = NGX_CONF_UNSET_PTR;
+ scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT;
@@ -290,8 +290,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
- ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
- ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+ ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
+ ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
+ NULL);
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
@@ -328,7 +329,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
if (*mode) {
- if (conf->certificate.len == 0) {
+ if (conf->certificates == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"%s\" directive in %s:%ui",
@@ -336,7 +337,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
return NGX_CONF_ERROR;
}
- if (conf->certificate_key.len == 0) {
+ if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for "
"the \"%s\" directive in %s:%ui",
@@ -344,17 +345,31 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
return NGX_CONF_ERROR;
}
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\" and "
+ "the \"ssl\" directive in %s:%ui",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1,
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
} else {
- if (conf->certificate.len == 0) {
+ if (conf->certificates == NULL) {
return NGX_CONF_OK;
}
- if (conf->certificate_key.len == 0) {
+ if (conf->certificate_keys == NULL
+ || conf->certificate_keys->nelts < conf->certificates->nelts)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\"",
- &conf->certificate);
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1);
return NGX_CONF_ERROR;
}
}
@@ -371,8 +386,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
- if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
- &conf->certificate_key, conf->passwords)
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+ conf->certificate_keys, conf->passwords)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff --git a/src/mail/ngx_mail_ssl_module.h b/src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@@ -35,8 +35,9 @@ typedef struct {
time_t session_timeout;
- ngx_str_t certificate;
- ngx_str_t certificate_key;
+ ngx_array_t *certificates;
+ ngx_array_t *certificate_keys;
+
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
ngx_str_t client_certificate;
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -45,16 +45,16 @@ static ngx_command_t ngx_stream_ssl_com
{ ngx_string("ssl_certificate"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_STREAM_SRV_CONF_OFFSET,
- offsetof(ngx_stream_ssl_conf_t, certificate),
+ offsetof(ngx_stream_ssl_conf_t, certificates),
NULL },
{ ngx_string("ssl_certificate_key"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_conf_set_str_array_slot,
NGX_STREAM_SRV_CONF_OFFSET,
- offsetof(ngx_stream_ssl_conf_t, certificate_key),
+ offsetof(ngx_stream_ssl_conf_t, certificate_keys),
NULL },
{ ngx_string("ssl_password_file"),
@@ -175,8 +175,6 @@ ngx_stream_ssl_create_conf(ngx_conf_t *c
* set by ngx_pcalloc():
*
* scf->protocols = 0;
- * scf->certificate = { 0, NULL };
- * scf->certificate_key = { 0, NULL };
* scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL };
* scf->ciphers = { 0, NULL };
@@ -184,6 +182,8 @@ ngx_stream_ssl_create_conf(ngx_conf_t *c
*/
scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
+ scf->certificates = NGX_CONF_UNSET_PTR;
+ scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->builtin_session_cache = NGX_CONF_UNSET;
@@ -216,8 +216,9 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
- ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
- ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+ ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
+ ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
+ NULL);
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
@@ -231,15 +232,18 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
conf->ssl.log = cf->log;
- if (conf->certificate.len == 0) {
+ if (conf->certificates == NULL) {
return NGX_CONF_OK;
}
- if (conf->certificate_key.len == 0) {
+ if (conf->certificate_keys == NULL
+ || conf->certificate_keys->nelts < conf->certificates->nelts)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\"",
- &conf->certificate);
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1);
return NGX_CONF_ERROR;
}
@@ -255,8 +259,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
- if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
- &conf->certificate_key, conf->passwords)
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+ conf->certificate_keys, conf->passwords)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff --git a/src/stream/ngx_stream_ssl_module.h b/src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h
+++ b/src/stream/ngx_stream_ssl_module.h
@@ -27,8 +27,9 @@ typedef struct {
time_t session_timeout;
- ngx_str_t certificate;
- ngx_str_t certificate_key;
+ ngx_array_t *certificates;
+ ngx_array_t *certificate_keys;
+
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
More information about the nginx-devel
mailing list