nginx.git/src/http/modules/ngx_http_ssl_module.c, branch release-1.14.2 nginx SSL: the $ssl_client_escaped_cert variable (ticket #857). 2017-08-22T12:18:10+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T12:18:10+00:00 50a0f25c60bcc0fb46efcab00985c200c08c2b2f This variable contains URL-encoded client SSL certificate. In contrast to $ssl_client_cert, it doesn't depend on deprecated header continuation. The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting variable can be safely used not only in headers, but also as a request argument. The $ssl_client_cert variable should be considered deprecated now. The $ssl_client_raw_cert variable will be eventually renambed back to $ssl_client_cert. 
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
Variables: macros for null variables. 2017-08-01T11:28:33+00:00 Ruslan Ermilov ru@nginx.com 2017-08-01T11:28:33+00:00 b992f7259ba4763178f9d394b320bcc5de88818b No functional changes. 
No functional changes.
SSL: added support for TLSv1.3 in ssl_protocols directive. 2017-04-18T12:12:38+00:00 Sergey Kandaurov pluknet@nginx.com 2017-04-18T12:12:38+00:00 9a37eb3a62130473596e0e4c2e388d80bdb14956 Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1. 
Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.
SSL: $ssl_curves (ticket #1088). 2016-12-05T19:23:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-12-05T19:23:23+00:00 551091951a479e2f512062c51bdcc6157a211164 The variable contains a list of curves as supported by the client. Known curves are listed by their names, unknown ones are shown in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1". Note that OpenSSL uses session data for SSL_get1_curves(), and it doesn't store full list of curves supported by the client when serializing a session. As a result $ssl_curves is only available for new sessions (and will be empty for reused ones). The variable is only meaningful when using OpenSSL 1.0.2 and above. With older versions the variable is empty. 
The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.
SSL: $ssl_ciphers (ticket #870). 2016-12-05T19:23:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-12-05T19:23:23+00:00 2daf78867bb60bee5e5ca517f20339211391635b The variable contains list of ciphers as supported by the client. Known ciphers are listed by their names, unknown ones are shown in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff". The variable is fully supported only when using OpenSSL 1.0.2 and above. With older version there is an attempt to provide some information using SSL_get_shared_ciphers(). It only lists known ciphers though. Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(), and it doesn't store relevant data when serializing a session. As a result $ssl_ciphers is only available for new sessions (and not available for reused ones) when using OpenSSL older than 1.0.2. 
The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers().  It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session.  As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. 2016-12-05T19:23:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-12-05T19:23:23+00:00 53092ad782c4647c212ff3b23870f7927da9e293 






SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
2016-10-21T13:28:39+00:00

Dmitry Volyntsev
xeioex@nginx.com

2016-10-21T13:28:39+00:00

71c93a8e09b2dc911005e254f1b9c16a9ac49fad

Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function.  It produces a non standard output form and has
various quirks and inconsistencies.

The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.





Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function.  It produces a non standard output form and has
various quirks and inconsistencies.

The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.







SSL: ngx_ssl_ciphers() to set list of ciphers.
2016-06-15T20:05:30+00:00

Tim Taubert
tim@timtaubert.de

2016-06-15T20:05:30+00:00

4f578bfcab740fcfbbb8824822803ad9b3f176cc

This patch moves various OpenSSL-specific function calls into the
OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more
crypto-library-agnostic.





This patch moves various OpenSSL-specific function calls into the
OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more
crypto-library-agnostic.







SSL: support for multiple curves (ticket #885).
2016-05-19T11:46:32+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-05-19T11:46:32+00:00

3b7dca4bb5b0938addd48dd5261a0b61d849f8f3

OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.





OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.







SSL: support for multiple certificates (ticket #814).
2016-05-19T11:46:32+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-05-19T11:46:32+00:00

cf126b98b30847a453c6f62e0717867cb05098b0