nginx-0.3.3-RELEASE import
*) Change: the "bl" and "af" parameters of the "listen" directive was
renamed to the "backlog" and "accept_filter".
*) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
directive.
*) Change: the "$msec" log parameter does not require now the
additional the gettimeofday() system call.
*) Feature: the -t switch now tests the "listen" directives.
*) Bugfix: if the invalid address was specified in the "listen"
directive, then after the -HUP signal nginx left an open socket in
the CLOSED state.
*) Bugfix: the mime type may be incorrectly set to default value for
index file with variable in the name; the bug had appeared in 0.3.0.
*) Feature: the "timer_resolution" directive.
*) Feature: the millisecond "$upstream_response_time" log parameter.
*) Bugfix: a temporary file with client request body now is removed
just after the response header was transferred to a client.
*) Bugfix: OpenSSL 0.9.6 compatibility.
*) Bugfix: the SSL certificate and key file paths could not be relative.
*) Bugfix: the "ssl_prefer_server_ciphers" directive did not work in
the ngx_imap_ssl_module.
*) Bugfix: the "ssl_protocols" directive allowed to specify the single
protocol only.
diff --git a/src/imap/ngx_imap_ssl_module.c b/src/imap/ngx_imap_ssl_module.c
index be6fca9..d663e88 100644
--- a/src/imap/ngx_imap_ssl_module.c
+++ b/src/imap/ngx_imap_ssl_module.c
@@ -17,6 +17,15 @@
static void *ngx_imap_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_imap_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
+#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE)
+
+static char *ngx_imap_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
+
+static char ngx_imap_ssl_openssl097[] = "OpenSSL 0.9.7 and higher";
+
+#endif
+
static ngx_conf_bitmask_t ngx_imap_ssl_protocols[] = {
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
@@ -50,7 +59,7 @@
NULL },
{ ngx_string("ssl_protocols"),
- NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_TAKE1,
+ NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
NGX_IMAP_SRV_CONF_OFFSET,
offsetof(ngx_imap_ssl_conf_t, protocols),
@@ -65,10 +74,15 @@
{ ngx_string("ssl_prefer_server_ciphers"),
NGX_IMAP_MAIN_CONF|NGX_IMAP_SRV_CONF|NGX_CONF_FLAG,
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
ngx_conf_set_flag_slot,
NGX_IMAP_SRV_CONF_OFFSET,
offsetof(ngx_imap_ssl_conf_t, prefer_server_ciphers),
NULL },
+#else
+ ngx_imap_ssl_nosupported, 0, 0, ngx_imap_ssl_openssl097 },
+#endif
+
ngx_null_command
};
@@ -138,6 +152,8 @@
ngx_imap_ssl_conf_t *prev = parent;
ngx_imap_ssl_conf_t *conf = child;
+ ngx_pool_cleanup_t *cln;
+
ngx_conf_merge_value(conf->enable, prev->enable, 0);
if (conf->enable == 0) {
@@ -166,20 +182,25 @@
return NGX_CONF_ERROR;
}
- if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL)
- {
+ cln = ngx_pool_cleanup_add(cf->pool, 0);
+ if (cln == NULL) {
return NGX_CONF_ERROR;
}
- if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data,
- conf->certificate_key.data) != NGX_OK)
+ cln->handler = ngx_ssl_cleanup_ctx;
+ cln->data = &conf->ssl;
+
+ if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
+ &conf->certificate_key)
+ != NGX_OK)
{
return NGX_CONF_ERROR;
}
if (conf->ciphers.len) {
if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
- (const char *) conf->ciphers.data) == 0)
+ (const char *) conf->ciphers.data)
+ == 0)
{
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
"SSL_CTX_set_cipher_list(\"%V\") failed",
@@ -187,6 +208,14 @@
}
}
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+
+ if (conf->prefer_server_ciphers) {
+ SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+
+#endif
+
if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -198,3 +227,18 @@
return NGX_CONF_OK;
}
+
+
+#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE)
+
+static char *
+ngx_imap_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "\"%V\" directive is available only in %s,",
+ &cmd->name, cmd->post);
+
+ return NGX_CONF_ERROR;
+}
+
+#endif
