SSL: detect "listen ... ssl" without certificates (ticket #178).
In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.
In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 7d62176..ca33b51 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -966,10 +966,12 @@
static ngx_int_t
ngx_http_ssl_init(ngx_conf_t *cf)
{
- ngx_uint_t s;
+ ngx_uint_t a, p, s;
+ ngx_http_conf_addr_t *addr;
+ ngx_http_conf_port_t *port;
ngx_http_ssl_srv_conf_t *sscf;
ngx_http_core_loc_conf_t *clcf;
- ngx_http_core_srv_conf_t **cscfp;
+ ngx_http_core_srv_conf_t **cscfp, *cscf;
ngx_http_core_main_conf_t *cmcf;
cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
@@ -993,5 +995,32 @@
}
}
+ if (cmcf->ports == NULL) {
+ return NGX_OK;
+ }
+
+ port = cmcf->ports->elts;
+ for (p = 0; p < cmcf->ports->nelts; p++) {
+
+ addr = port[p].addrs.elts;
+ for (a = 0; a < port[p].addrs.nelts; a++) {
+
+ if (!addr[a].opt.ssl) {
+ continue;
+ }
+
+ cscf = addr[a].default_server;
+ sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
+
+ if (sscf->certificates == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"listen ... ssl\" directive in %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+ }
+ }
+
return NGX_OK;
}
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 6b318dd..2d8fdb8 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -3256,6 +3256,9 @@
cscf->merge_slashes = NGX_CONF_UNSET;
cscf->underscores_in_headers = NGX_CONF_UNSET;
+ cscf->file_name = cf->conf_file->file.name.data;
+ cscf->line = cf->conf_file->line;
+
return cscf;
}
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index d798504..4c6da7c 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -184,6 +184,9 @@
/* server ctx */
ngx_http_conf_ctx_t *ctx;
+ u_char *file_name;
+ ngx_uint_t line;
+
ngx_str_t server_name;
size_t connection_pool_size;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 2db7a62..47c62d9 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -336,19 +336,8 @@
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
if (sscf->enable || hc->addr_conf->ssl) {
-
- c->log->action = "SSL handshaking";
-
- if (hc->addr_conf->ssl && sscf->ssl.ctx == NULL) {
- ngx_log_error(NGX_LOG_ERR, c->log, 0,
- "no \"ssl_certificate\" is defined "
- "in server listening on SSL port");
- ngx_http_close_connection(c);
- return;
- }
-
hc->ssl = 1;
-
+ c->log->action = "SSL handshaking";
rev->handler = ngx_http_ssl_handshake;
}
}
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
index 276b8ee..dd4e980 100644
--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
@@ -474,7 +474,16 @@
if (ngx_strcmp(value[i].data, "ssl") == 0) {
#if (NGX_MAIL_SSL)
+ ngx_mail_ssl_conf_t *sslcf;
+
+ sslcf = ngx_mail_conf_get_module_srv_conf(cf, ngx_mail_ssl_module);
+
+ sslcf->listen = 1;
+ sslcf->file = cf->conf_file->file.name.data;
+ sslcf->line = cf->conf_file->line;
+
ls->ssl = 1;
+
continue;
#else
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
index bc3e6b9..803a247 100644
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -165,29 +165,13 @@
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
- if (sslcf->enable) {
+ if (sslcf->enable || addr_conf->ssl) {
c->log->action = "SSL handshaking";
ngx_mail_ssl_init_connection(&sslcf->ssl, c);
return;
}
- if (addr_conf->ssl) {
-
- c->log->action = "SSL handshaking";
-
- if (sslcf->ssl.ctx == NULL) {
- ngx_log_error(NGX_LOG_ERR, c->log, 0,
- "no \"ssl_certificate\" is defined "
- "in server listening on SSL port");
- ngx_mail_close_connection(c);
- return;
- }
-
- ngx_mail_ssl_init_connection(&sslcf->ssl, c);
- return;
- }
-
}
#endif
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 7cfd3b9..51810e4 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -238,6 +238,7 @@
/*
* set by ngx_pcalloc():
*
+ * scf->listen = 0;
* scf->protocols = 0;
* scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL };
@@ -313,14 +314,17 @@
conf->ssl.log = cf->log;
- if (conf->enable) {
+ if (conf->listen) {
+ mode = "listen ... ssl";
+
+ } else if (conf->enable) {
mode = "ssl";
} else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
mode = "starttls";
} else {
- mode = "";
+ return NGX_CONF_OK;
}
if (conf->file == NULL) {
@@ -328,51 +332,31 @@
conf->line = prev->line;
}
- if (*mode) {
+ if (conf->certificates == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"%s\" directive in %s:%ui",
+ mode, conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
- if (conf->certificates == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate\" is defined for "
- "the \"%s\" directive in %s:%ui",
- mode, conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificate_keys == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined for "
+ "the \"%s\" directive in %s:%ui",
+ mode, conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
- if (conf->certificate_keys == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined for "
- "the \"%s\" directive in %s:%ui",
- mode, conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
-
- if (conf->certificate_keys->nelts < conf->certificates->nelts) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\" and "
- "the \"%s\" directive in %s:%ui",
- ((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1,
- mode, conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
-
- } else {
-
- if (conf->certificates == NULL) {
- return NGX_CONF_OK;
- }
-
- if (conf->certificate_keys == NULL
- || conf->certificate_keys->nelts < conf->certificates->nelts)
- {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\"",
- ((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\" and "
+ "the \"%s\" directive in %s:%ui",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1,
+ mode, conf->file, conf->line);
+ return NGX_CONF_ERROR;
}
if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
@@ -494,8 +478,10 @@
return NGX_CONF_ERROR;
}
- scf->file = cf->conf_file->file.name.data;
- scf->line = cf->conf_file->line;
+ if (!scf->listen) {
+ scf->file = cf->conf_file->file.name.data;
+ scf->line = cf->conf_file->line;
+ }
return NGX_CONF_OK;
}
@@ -520,8 +506,10 @@
return NGX_CONF_ERROR;
}
- scf->file = cf->conf_file->file.name.data;
- scf->line = cf->conf_file->line;
+ if (!scf->listen) {
+ scf->file = cf->conf_file->file.name.data;
+ scf->line = cf->conf_file->line;
+ }
return NGX_CONF_OK;
}
diff --git a/src/mail/ngx_mail_ssl_module.h b/src/mail/ngx_mail_ssl_module.h
index 26628d5..d6b0b8e 100644
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@@ -26,6 +26,7 @@
ngx_ssl_t ssl;
ngx_uint_t starttls;
+ ngx_uint_t listen;
ngx_uint_t protocols;
ngx_uint_t verify;
diff --git a/src/stream/ngx_stream_core_module.c b/src/stream/ngx_stream_core_module.c
index 272708d..96e7c9a 100644
--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@@ -734,7 +734,17 @@
if (ngx_strcmp(value[i].data, "ssl") == 0) {
#if (NGX_STREAM_SSL)
+ ngx_stream_ssl_conf_t *sslcf;
+
+ sslcf = ngx_stream_conf_get_module_srv_conf(cf,
+ ngx_stream_ssl_module);
+
+ sslcf->listen = 1;
+ sslcf->file = cf->conf_file->file.name.data;
+ sslcf->line = cf->conf_file->line;
+
ls->ssl = 1;
+
continue;
#else
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 3e5a1f2..dcc33e1 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -304,13 +304,6 @@
if (c->ssl == NULL) {
c->log->action = "SSL handshaking";
- if (sslcf->ssl.ctx == NULL) {
- ngx_log_error(NGX_LOG_ERR, c->log, 0,
- "no \"ssl_certificate\" is defined "
- "in server listening on SSL port");
- return NGX_ERROR;
- }
-
rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c);
if (rv != NGX_OK) {
@@ -510,6 +503,7 @@
/*
* set by ngx_pcalloc():
*
+ * scf->listen = 0;
* scf->protocols = 0;
* scf->dhparam = { 0, NULL };
* scf->ecdh_curve = { 0, NULL };
@@ -582,18 +576,34 @@
conf->ssl.log = cf->log;
- if (conf->certificates == NULL) {
+ if (!conf->listen) {
return NGX_CONF_OK;
}
- if (conf->certificate_keys == NULL
- || conf->certificate_keys->nelts < conf->certificates->nelts)
- {
+ if (conf->certificates == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"listen ... ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ if (conf->certificate_keys == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined for "
+ "the \"listen ... ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\"",
+ "for certificate \"%V\" and "
+ "the \"listen ... ssl\" directive in %s:%ui",
((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1);
+ + conf->certificates->nelts - 1,
+ conf->file, conf->line);
return NGX_CONF_ERROR;
}
diff --git a/src/stream/ngx_stream_ssl_module.h b/src/stream/ngx_stream_ssl_module.h
index 65f5d45..9f8f01c 100644
--- a/src/stream/ngx_stream_ssl_module.h
+++ b/src/stream/ngx_stream_ssl_module.h
@@ -21,6 +21,7 @@
ngx_ssl_t ssl;
+ ngx_uint_t listen;
ngx_uint_t protocols;
ngx_uint_t verify;
@@ -47,6 +48,9 @@
ngx_flag_t session_tickets;
ngx_array_t *session_ticket_keys;
+
+ u_char *file;
+ ngx_uint_t line;
} ngx_stream_ssl_conf_t;
