*) listen ssl
*) no default ssl_cetificate and ssl_cetificate_key
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 53e2a21..48d40e5 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -13,8 +13,6 @@
ngx_pool_t *pool, ngx_str_t *s);
-#define NGX_DEFAULT_CERTIFICATE "cert.pem"
-#define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem"
#define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
@@ -28,6 +26,8 @@
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
void *parent, void *child);
+static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
@@ -61,7 +61,7 @@
{ ngx_string("ssl"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
- ngx_conf_set_flag_slot,
+ ngx_http_ssl_enable,
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, enable),
NULL },
@@ -339,10 +339,6 @@
ngx_conf_merge_value(conf->enable, prev->enable, 0);
- if (conf->enable == 0) {
- return NGX_CONF_OK;
- }
-
ngx_conf_merge_value(conf->session_timeout,
prev->session_timeout, 300);
@@ -356,11 +352,8 @@
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
- ngx_conf_merge_str_value(conf->certificate, prev->certificate,
- NGX_DEFAULT_CERTIFICATE);
-
- ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
- NGX_DEFAULT_CERTIFICATE_KEY);
+ ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
+ ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@@ -372,6 +365,38 @@
conf->ssl.log = cf->log;
+ if (conf->enable) {
+
+ if (conf->certificate.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ if (conf->certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined for "
+ "the \"ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ } else {
+
+ if (conf->certificate.len == 0) {
+ return NGX_CONF_OK;
+ }
+
+ if (conf->certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\"", &conf->certificate);
+ return NGX_CONF_ERROR;
+ }
+ }
+
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -467,6 +492,26 @@
static char *
+ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_http_ssl_srv_conf_t *sscf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_flag_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ sscf->file = cf->conf_file->file.name.data;
+ sscf->line = cf->conf_file->line;
+
+ return NGX_CONF_OK;
+}
+
+
+static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_http_ssl_srv_conf_t *sscf = conf;
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
index 2322d90..da7f047 100644
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -37,6 +37,9 @@
ngx_str_t ciphers;
ngx_shm_zone_t *shm_zone;
+
+ u_char *file;
+ ngx_uint_t line;
} ngx_http_ssl_srv_conf_t;
diff --git a/src/http/ngx_http.c b/src/http/ngx_http.c
index 7b109ca..d476b5f 100644
--- a/src/http/ngx_http.c
+++ b/src/http/ngx_http.c
@@ -1158,6 +1158,9 @@
in_addr[a].core_srv_conf = cscfp[s];
in_addr[a].default_server = 1;
+#if (NGX_HTTP_SSL)
+ in_addr[a].ssl = listen[l].conf.ssl;
+#endif
in_addr[a].listen_conf = &listen[l].conf;
}
@@ -1242,6 +1245,9 @@
in_addr->core_srv_conf = cscf;
in_addr->default_server = listen->conf.default_server;
in_addr->bind = listen->conf.bind;
+#if (NGX_HTTP_SSL)
+ in_addr->ssl = listen->conf.ssl;
+#endif
in_addr->listen_conf = &listen->conf;
return ngx_http_add_names(cf, cscf, in_addr);
@@ -1648,6 +1654,10 @@
hip->addrs[i].addr = in_addr[i].addr;
hip->addrs[i].core_srv_conf = in_addr[i].core_srv_conf;
+#if (NGX_HTTP_SSL)
+ hip->addrs[i].ssl = in_addr[i].ssl;
+#endif
+
if (in_addr[i].hash.buckets == NULL
&& (in_addr[i].wc_head == NULL
|| in_addr[i].wc_head->hash.buckets == NULL)
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index c0c9e74..dbdde6b 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -3081,6 +3081,18 @@
continue;
}
+ if (ngx_strcmp(value[n].data, "ssl") == 0) {
+#if (NGX_HTTP_SSL)
+ ls->conf.ssl = 1;
+ continue;
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "the \"ssl\" parameter requires "
+ "ngx_http_ssl_module");
+ return NGX_CONF_ERROR;
+#endif
+ }
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"the invalid \"%V\" parameter", &value[n]);
return NGX_CONF_ERROR;
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index c1ae27d..54e4493 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -35,6 +35,9 @@
typedef struct {
unsigned default_server:1;
unsigned bind:1;
+#if (NGX_HTTP_SSL)
+ unsigned ssl:1;
+#endif
int backlog;
int rcvbuf;
@@ -167,6 +170,10 @@
ngx_http_core_srv_conf_t *core_srv_conf;
ngx_http_virtual_names_t *virtual_names;
+
+#if (NGX_HTTP_SSL)
+ ngx_uint_t ssl; /* unsigned ssl:1; */
+#endif
} ngx_http_in_addr_t;
@@ -203,6 +210,9 @@
unsigned default_server:1;
unsigned bind:1;
+#if (NGX_HTTP_SSL)
+ unsigned ssl:1;
+#endif
ngx_http_listen_conf_t *listen_conf;
} ngx_http_conf_in_addr_t;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 94f786e..113c5e8 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -357,9 +357,20 @@
ngx_http_ssl_srv_conf_t *sscf;
sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
- if (sscf->enable) {
+ if (sscf->enable || hia[i].ssl) {
if (c->ssl == NULL) {
+
+ c->log->action = "SSL handshaking";
+
+ if (hia[i].ssl && sscf->ssl.ctx == NULL) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "no \"ssl_certificate\" is defined "
+ "in server listening on SSL port");
+ ngx_http_close_connection(c);
+ return;
+ }
+
if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER)
== NGX_ERROR)
{
@@ -529,6 +540,8 @@
}
}
+ c->log->action = "reading client request line";
+
rev->handler = ngx_http_process_request_line;
ngx_http_process_request_line(rev);
}
diff --git a/src/mail/ngx_mail.c b/src/mail/ngx_mail.c
index 73668a5..aa77364 100644
--- a/src/mail/ngx_mail.c
+++ b/src/mail/ngx_mail.c
@@ -261,6 +261,9 @@
in_addr->addr = imls[l].addr;
in_addr->ctx = imls[l].ctx;
in_addr->bind = imls[l].bind;
+#if (NGX_MAIL_SSL)
+ in_addr->ssl = imls[l].ssl;
+#endif
}
/* optimize the lists of ports and addresses */
@@ -370,6 +373,10 @@
imip->addrs[i].addr_text.len = len;
imip->addrs[i].addr_text.data = text;
+
+#if (NGX_MAIL_SSL)
+ imip->addrs[i].ssl = in_addr[i].ssl;
+#endif
}
if (done) {
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
index 1efff5b..03297e2 100644
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -34,6 +34,9 @@
ngx_mail_conf_ctx_t *ctx;
unsigned bind:1;
+#if (NGX_MAIL_SSL)
+ unsigned ssl:1;
+#endif
} ngx_mail_listen_t;
@@ -41,6 +44,9 @@
in_addr_t addr;
ngx_mail_conf_ctx_t *ctx;
ngx_str_t addr_text;
+#if (NGX_MAIL_SSL)
+ ngx_uint_t ssl; /* unsigned ssl:1; */
+#endif
} ngx_mail_in_addr_t;
@@ -60,6 +66,9 @@
in_addr_t addr;
ngx_mail_conf_ctx_t *ctx;
unsigned bind:1;
+#if (NGX_MAIL_SSL)
+ unsigned ssl:1;
+#endif
} ngx_mail_conf_in_addr_t;
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
index 07e3ab6..10e6c8b 100644
--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
@@ -351,18 +351,31 @@
}
}
- if (cf->args->nelts == 2) {
- return NGX_CONF_OK;
+ for (i = 2; i < cf->args->nelts; i++) {
+
+ if (ngx_strcmp(value[i].data, "bind") == 0) {
+ imls->bind = 1;
+ continue;
+ }
+
+ if (ngx_strcmp(value[i].data, "ssl") == 0) {
+#if (NGX_MAIL_SSL)
+ imls->ssl = 1;
+ continue;
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "the \"ssl\" parameter requires "
+ "ngx_mail_ssl_module");
+ return NGX_CONF_ERROR;
+#endif
+ }
+
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "the invalid \"%V\" parameter", &value[i]);
+ return NGX_CONF_ERROR;
}
- if (ngx_strcmp(value[2].data, "bind") == 0) {
- imls->bind = 1;
- return NGX_CONF_OK;
- }
-
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "the invalid \"%V\" parameter", &value[2]);
- return NGX_CONF_ERROR;
+ return NGX_CONF_OK;
}
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
index 4cc5e3e..6915dc9 100644
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -118,9 +118,28 @@
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
if (sslcf->enable) {
+ c->log->action = "SSL handshaking";
+
ngx_mail_ssl_init_connection(&sslcf->ssl, c);
return;
}
+
+ if (imia[i].ssl) {
+
+ c->log->action = "SSL handshaking";
+
+ if (sslcf->ssl.ctx == NULL) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "no \"ssl_certificate\" is defined "
+ "in server listening on SSL port");
+ ngx_mail_close_connection(c);
+ return;
+ }
+
+ ngx_mail_ssl_init_connection(&sslcf->ssl, c);
+ return;
+ }
+
}
#endif
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 11a0d1d..dbefb14 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -9,13 +9,16 @@
#include <ngx_mail.h>
-#define NGX_DEFAULT_CERTIFICATE "cert.pem"
-#define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem"
#define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
+
+static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
+static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
@@ -50,14 +53,14 @@
{ ngx_string("ssl"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
- ngx_conf_set_flag_slot,
+ ngx_mail_ssl_enable,
NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_ssl_conf_t, enable),
NULL },
{ ngx_string("starttls"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_enum_slot,
+ ngx_mail_ssl_starttls,
NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_ssl_conf_t, starttls),
ngx_http_starttls_state },
@@ -194,14 +197,12 @@
ngx_mail_ssl_conf_t *prev = parent;
ngx_mail_ssl_conf_t *conf = child;
+ char *mode;
ngx_pool_cleanup_t *cln;
ngx_conf_merge_value(conf->enable, prev->enable, 0);
- ngx_conf_merge_value(conf->starttls, prev->starttls, NGX_MAIL_STARTTLS_OFF);
-
- if (conf->enable == 0 && conf->starttls == NGX_MAIL_STARTTLS_OFF) {
- return NGX_CONF_OK;
- }
+ ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
+ NGX_MAIL_STARTTLS_OFF);
ngx_conf_merge_value(conf->session_timeout,
prev->session_timeout, 300);
@@ -213,11 +214,8 @@
(NGX_CONF_BITMASK_SET
|NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
- ngx_conf_merge_str_value(conf->certificate, prev->certificate,
- NGX_DEFAULT_CERTIFICATE);
-
- ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
- NGX_DEFAULT_CERTIFICATE_KEY);
+ ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
+ ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@@ -226,6 +224,49 @@
conf->ssl.log = cf->log;
+ if (conf->enable) {
+ mode = "ssl";
+
+ } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
+ mode = "starttls";
+
+ } else {
+ mode = "";
+ }
+
+ if (*mode) {
+
+ if (conf->certificate.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"%s\" directive in %s:%ui",
+ mode, conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ if (conf->certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined for "
+ "the \"%s\" directive in %s:%ui",
+ mode, conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ } else {
+
+ if (conf->certificate.len == 0) {
+ return NGX_CONF_OK;
+ }
+
+ if (conf->certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\"",
+ &conf->certificate);
+ return NGX_CONF_ERROR;
+ }
+ }
+
if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -292,6 +333,58 @@
static char *
+ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_mail_ssl_conf_t *scf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_flag_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
+ ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
+ "\"starttls\" directive conflicts with \"ssl on\"");
+ return NGX_CONF_ERROR;
+ }
+
+ scf->file = cf->conf_file->file.name.data;
+ scf->line = cf->conf_file->line;
+
+ return NGX_CONF_OK;
+}
+
+
+static char *
+ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_mail_ssl_conf_t *scf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_enum_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
+ ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
+ "\"ssl\" directive conflicts with \"starttls\"");
+ return NGX_CONF_ERROR;
+ }
+
+ scf->file = cf->conf_file->file.name.data;
+ scf->line = cf->conf_file->line;
+
+ return NGX_CONF_OK;
+}
+
+
+static char *
ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_mail_ssl_conf_t *scf = conf;
diff --git a/src/mail/ngx_mail_ssl_module.h b/src/mail/ngx_mail_ssl_module.h
index b8d2bdf..b27da41 100644
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@@ -20,12 +20,11 @@
typedef struct {
ngx_flag_t enable;
+ ngx_flag_t prefer_server_ciphers;
ngx_ssl_t ssl;
- ngx_flag_t prefer_server_ciphers;
- ngx_flag_t starttls;
-
+ ngx_uint_t starttls;
ngx_uint_t protocols;
ssize_t builtin_session_cache;
@@ -39,6 +38,9 @@
ngx_str_t ciphers;
ngx_shm_zone_t *shm_zone;
+
+ u_char *file;
+ ngx_uint_t line;
} ngx_mail_ssl_conf_t;
