Klaus Demo nginx / df83e6f
DH parameters, ssl_dhparam Igor Sysoev 14 years ago
6 changed file(s) with 120 addition(s) and 10 deletion(s).
181181 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
182182 #endif
183183
184 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
184185
185186 if (ngx_ssl_protocols[protocols >> 1] != 0) {
186187 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
347348 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RSA_generate_key(512) failed");
348349
349350 return NGX_ERROR;
351 }
352
353
354 ngx_int_t
355 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
356 {
357 DH *dh;
358 BIO *bio;
359
360 /*
361 * -----BEGIN DH PARAMETERS-----
362 * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
363 * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
364 * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
365 * -----END DH PARAMETERS-----
366 */
367
368 static unsigned char dh1024_p[] = {
369 0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
370 0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
371 0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
372 0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
373 0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
374 0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
375 0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
376 0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
377 0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
378 0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
379 0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
380 };
381
382 static unsigned char dh1024_g[] = { 0x02 };
383
384
385 if (file->len == 0) {
386
387 dh = DH_new();
388 if (dh == NULL) {
389 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
390 return NGX_ERROR;
391 }
392
393 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
394 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
395
396 if (dh->p == NULL || dh->g == NULL) {
397 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
398 DH_free(dh);
399 return NGX_ERROR;
400 }
401
402 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
403
404 DH_free(dh);
405
406 return NGX_OK;
407 }
408
409 if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
410 return NGX_ERROR;
411 }
412
413 bio = BIO_new_file((char *) file->data, "r");
414 if (bio == NULL) {
415 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
416 "BIO_new_file(\"%s\") failed", file->data);
417 return NGX_ERROR;
418 }
419
420 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
421 if (dh == NULL) {
422 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
423 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
424 BIO_free(bio);
425 return NGX_ERROR;
426 }
427
428 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
429
430 DH_free(dh);
431 BIO_free(bio);
432
433 return NGX_OK;
350434 }
351435
352436
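Review bot: Both SSL_CTX_set_tmp_dh() calls in ngx_ssl_dhparam() (new lines 402 and 428) discard the return value, although the call returns 0 on failure (for instance when OpenSSL cannot duplicate the parameters internally), so a failure here would leave the context without DH parameters and only surface later as failing DHE handshakes instead of a startup error. Check the result and report it through ngx_ssl_error() the way the surrounding DH_new()/BN_bin2bn()/PEM_read_bio_DHparams() failures already are, releasing dh (and bio on the file path) before returning NGX_ERROR. Separately, the built-in `dh1024_p` group is only 1024 bits, which is below the 2048-bit minimum generally recommended today; a comment above it such as `/* built-in 1024-bit group, used only when ssl_dhparam is not set; supply a file for a larger group */` would make both the strength and the override path explicit to readers.
```c
    /* … unchanged: built-in dh1024_p / dh1024_g setup … */

    if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_tmp_dh() failed");
        DH_free(dh);
        return NGX_ERROR;
    }

    /* … unchanged: ngx_conf_full_name(), BIO_new_file(), PEM_read_bio_DHparams() … */

    if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data);
        DH_free(dh);
        BIO_free(bio);
        return NGX_ERROR;
    }
```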
100100 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
101101 ngx_str_t *cert, ngx_int_t depth);
102102 ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
103 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
103104 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
104105 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
105106 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
6969 ngx_conf_set_str_slot,
7070 NGX_HTTP_SRV_CONF_OFFSET,
7171 offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
72 NULL },
73
74 { ngx_string("ssl_dhparam"),
75 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
76 ngx_conf_set_str_slot,
77 NGX_HTTP_SRV_CONF_OFFSET,
78 offsetof(ngx_http_ssl_srv_conf_t, dhparam),
7279 NULL },
7380
7481 { ngx_string("ssl_protocols"),
286293 * set by ngx_pcalloc():
287294 *
288295 * sscf->protocols = 0;
289 * sscf->certificate.len = 0;
290 * sscf->certificate.data = NULL;
291 * sscf->certificate_key.len = 0;
292 * sscf->certificate_key.data = NULL;
293 * sscf->client_certificate.len = 0;
294 * sscf->client_certificate.data = NULL;
296 * sscf->certificate = { 0, NULL };
297 * sscf->certificate_key = { 0, NULL };
298 * sscf->dhparam = { 0, NULL };
299 * sscf->client_certificate = { 0, NULL };
295300 * sscf->ciphers.len = 0;
296301 * sscf->ciphers.data = NULL;
297302 * sscf->shm_zone = NULL;
340345
341346 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
342347 NGX_DEFLAUT_CERTIFICATE_KEY);
348
349 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
343350
344351 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
345352 "");
413420 return NGX_CONF_ERROR;
414421 }
415422
423 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
424 return NGX_CONF_ERROR;
425 }
426
416427 ngx_conf_merge_value(conf->builtin_session_cache,
417428 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
418429
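Review bot: The `""` default merged into `conf->dhparam` at new line 349 is what makes the ngx_ssl_dhparam() call at new line 423 fall back to the built-in DH group, but nothing in this file records that convention, so a reader has to open the SSL helper to learn what an unset `ssl_dhparam` means. A one-line comment on the merge, `/* "" selects the built-in DH group in ngx_ssl_dhparam() */`, would keep that contract visible where the default is chosen. The same applies to the mail module's merge at its new line 221 and the call at its new line 270. The enclosing merge function starts and ends outside these hunks.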
3030
3131 ngx_str_t certificate;
3232 ngx_str_t certificate_key;
33 ngx_str_t dhparam;
3334 ngx_str_t client_certificate;
3435
3536 ngx_str_t ciphers;
7373 ngx_conf_set_str_slot,
7474 NGX_MAIL_SRV_CONF_OFFSET,
7575 offsetof(ngx_mail_ssl_conf_t, certificate_key),
76 NULL },
77
78 { ngx_string("ssl_dhparam"),
79 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
80 ngx_conf_set_str_slot,
81 NGX_MAIL_SRV_CONF_OFFSET,
82 offsetof(ngx_mail_ssl_conf_t, dhparam),
7683 NULL },
7784
7885 { ngx_string("ssl_protocols"),
162169 * set by ngx_pcalloc():
163170 *
164171 * scf->protocols = 0;
165 * scf->certificate.len = 0;
166 * scf->certificate.data = NULL;
167 * scf->certificate_key.len = 0;
168 * scf->certificate_key.data = NULL;
172 * scf->certificate = { 0, NULL };
173 * scf->certificate_key = { 0, NULL };
174 * scf->dhparam = { 0, NULL };
169175 * scf->ciphers.len = 0;
170176 * scf->ciphers.data = NULL;
171177 * scf->shm_zone = NULL;
211217
212218 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
213219 NGX_DEFLAUT_CERTIFICATE_KEY);
220
221 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
214222
215223 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
216224
259267 return NGX_CONF_ERROR;
260268 }
261269
270 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
271 return NGX_CONF_ERROR;
272 }
273
262274 ngx_conf_merge_value(conf->builtin_session_cache,
263275 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
264276
3333
3434 ngx_str_t certificate;
3535 ngx_str_t certificate_key;
36 ngx_str_t dhparam;
3637
3738 ngx_str_t ciphers;
3839