# HG changeset patch # User Nate Karstens <[email protected]> # Date 1496332504 18000 # Thu Jun 01 10:55:04 2017 -0500 # Node ID a38066b79d71b6ecb62a9f7618afe2cf3ed8a4f9 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 PSK: make server certificates optional
Adds the directive "ssl_nocert" to the ngx_http_ssl_module to allow the user to indicate that the absence of a certificate is intentional. Any cipher suites that rely on certificates will not function properly. Servers that only use PSK will error out without this change. Signed-off-by: Nate Karstens <[email protected]>
diff -r 716852cce913 -r a38066b79d71 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Thu Jun 01 15:44:23 2017 +0300
+++ b/contrib/vim/syntax/nginx.vim Thu Jun 01 10:55:04 2017 -0500
@@ -546,6 +546,7 @@
 syn keyword ngxDirective contained ssl_ecdh_curve
 syn keyword ngxDirective contained ssl_engine
 syn keyword ngxDirective contained ssl_handshake_timeout
+syn keyword ngxDirective contained ssl_nocert
 syn keyword ngxDirective contained ssl_password_file
 syn keyword ngxDirective contained ssl_prefer_server_ciphers
 syn keyword ngxDirective contained ssl_preread
diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 15:44:23 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 10:55:04 2017 -0500
@@ -101,6 +101,13 @@
       0,
       NULL },
 
+    { ngx_string("ssl_nocert"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, nocert),
+      NULL },
+
     { ngx_string("ssl_dhparam"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
@@ -546,6 +553,7 @@
     sscf->buffer_size = NGX_CONF_UNSET_SIZE;
     sscf->verify = NGX_CONF_UNSET_UINT;
     sscf->verify_depth = NGX_CONF_UNSET_UINT;
+    sscf->nocert = NGX_CONF_UNSET;
     sscf->certificates = NGX_CONF_UNSET_PTR;
     sscf->certificate_keys = NGX_CONF_UNSET_PTR;
     sscf->passwords = NGX_CONF_UNSET_PTR;
@@ -595,6 +603,7 @@
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
+    ngx_conf_merge_value(conf->nocert, prev->nocert, 0);
     ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
     ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, NULL);
@@ -622,50 +631,52 @@
 
     conf->ssl.log = cf->log;
 
-    if (conf->enable) {
+    if (!conf->nocert) {
+        if (conf->enable) {
 
-        if (conf->certificates == NULL) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no \"ssl_certificate\" is defined for "
-                          "the \"ssl\" directive in %s:%ui",
-                          conf->file, conf->line);
-            return NGX_CONF_ERROR;
-        }
+            if (conf->certificates == NULL) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_certificate\" is defined for "
+                              "the \"ssl\" directive in %s:%ui",
+                              conf->file, conf->line);
+                return NGX_CONF_ERROR;
+            }
 
-        if (conf->certificate_keys == NULL) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no \"ssl_certificate_key\" is defined for "
-                          "the \"ssl\" directive in %s:%ui",
-                          conf->file, conf->line);
-            return NGX_CONF_ERROR;
-        }
+            if (conf->certificate_keys == NULL) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_certificate_key\" is defined for "
+                              "the \"ssl\" directive in %s:%ui",
+                              conf->file, conf->line);
+                return NGX_CONF_ERROR;
+            }
 
-        if (conf->certificate_keys->nelts < conf->certificates->nelts) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no \"ssl_certificate_key\" is defined "
-                          "for certificate \"%V\" and "
-                          "the \"ssl\" directive in %s:%ui",
-                          ((ngx_str_t *) conf->certificates->elts)
-                          + conf->certificates->nelts - 1,
-                          conf->file, conf->line);
-            return NGX_CONF_ERROR;
-        }
+            if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_certificate_key\" is defined "
+                              "for certificate \"%V\" and "
+                              "the \"ssl\" directive in %s:%ui",
+                              ((ngx_str_t *) conf->certificates->elts)
+                              + conf->certificates->nelts - 1,
+                              conf->file, conf->line);
+                return NGX_CONF_ERROR;
+            }
 
-    } else {
+        } else {
 
-        if (conf->certificates == NULL) {
-            return NGX_CONF_OK;
-        }
+            if (conf->certificates == NULL) {
+                return NGX_CONF_OK;
+            }
 
-        if (conf->certificate_keys == NULL
-            || conf->certificate_keys->nelts < conf->certificates->nelts)
-        {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no \"ssl_certificate_key\" is defined "
-                          "for certificate \"%V\"",
-                          ((ngx_str_t *) conf->certificates->elts)
-                          + conf->certificates->nelts - 1);
-            return NGX_CONF_ERROR;
+            if (conf->certificate_keys == NULL
+                || conf->certificate_keys->nelts < conf->certificates->nelts)
+            {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_certificate_key\" is defined "
+                              "for certificate \"%V\"",
+                              ((ngx_str_t *) conf->certificates->elts)
+                              + conf->certificates->nelts - 1);
+                return NGX_CONF_ERROR;
+            }
         }
     }
 
@@ -704,11 +715,15 @@
     cln->handler = ngx_ssl_cleanup_ctx;
     cln->data = &conf->ssl;
 
-    if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
-                             conf->certificate_keys, conf->passwords)
-        != NGX_OK)
-    {
-        return NGX_CONF_ERROR;
+    if (conf->certificates && conf->certificate_keys) {
+
+        if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+                                 conf->certificate_keys, conf->passwords)
+            != NGX_OK)
+        {
+            return NGX_CONF_ERROR;
+        }
+
     }
 
     if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 15:44:23 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 10:55:04 2017 -0500
@@ -32,6 +32,7 @@
     time_t                          session_timeout;
+    ngx_flag_t                      nocert;
     ngx_array_t                    *certificates;
     ngx_array_t                    *certificate_keys;
________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. _______________________________________________ nginx-devel mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-devel
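Review bot: Wrapping the whole block in `if (!conf->nocert)` also disables the key-count check `conf->certificate_keys->nelts < conf->certificates->nelts`, while the call to ngx_ssl_certificates in the @@ -704 hunk is still made whenever both arrays are non-NULL, so with `ssl_nocert on` a configuration listing more ssl_certificate than ssl_certificate_key entries reaches ngx_ssl_certificates unchecked. If that helper walks the key array in step with the certificate array, as nginx's ngx_event_openssl implementation does, that is an out-of-bounds read of the key array at configuration time; the same guard also turns an ssl_certificate with no ssl_certificate_key into a silently ignored certificate rather than an error. The flag should relax only the errors about having no certificate at all, so the key checks stay unconditional whenever conf->certificates is set, as sketched below. The @@ -704 guard can then test `conf->certificates` alone. ngx_http_ssl_merge_srv_conf begins and ends outside the hunk.
```c
    if (conf->enable) {

        if (!conf->nocert && conf->certificates == NULL) {
            /* … unchanged: "no ssl_certificate is defined" error and return … */
        }

        if (conf->certificates != NULL && conf->certificate_keys == NULL) {
            /* … unchanged: "no ssl_certificate_key is defined" error and return … */
        }

        if (conf->certificates != NULL
            && conf->certificate_keys->nelts < conf->certificates->nelts)
        {
            /* … unchanged: per-certificate "no ssl_certificate_key" error and return … */
        }

    } else {

        if (conf->certificates == NULL) {
            if (!conf->nocert) {
                return NGX_CONF_OK;
            }

        } else if (conf->certificate_keys == NULL
                   || conf->certificate_keys->nelts < conf->certificates->nelts)
        {
            /* … unchanged: "no ssl_certificate_key is defined for certificate" error and return … */
        }
    }
```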
