nginx.git/src/stream/ngx_stream_ssl_module.h, branch release-1.28.1 nginx SSL: caching certificates and certificate keys with variables. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-29T12:25:11+00:00 0e756d67aa1e42e3b1b360936eb4d6c06bced2c1 A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]" enables caching of SSL certificate chain and secret key objects specified by "ssl_certificate" and "ssl_certificate_key" directives with variables. Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com> 
A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]"
enables caching of SSL certificate chain and secret key objects specified
by "ssl_certificate" and "ssl_certificate_key" directives with variables.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>
Stream: OCSP stapling. 2024-08-22T10:57:46+00:00 Sergey Kandaurov pluknet@nginx.com 2024-08-22T10:57:46+00:00 fb89d50eeb19d42d83144ff76c80d20e80c41aca 






Stream: client certificate validation with OCSP.
2024-08-22T10:57:45+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-08-22T10:57:45+00:00

581cf22673fc63e206693294161ea32e691a432f












Stream: using ngx_stream_ssl_srv_conf_t *sscf naming convention.
2024-03-22T10:18:51+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-03-22T10:18:51+00:00

e4a062b18699c18f570c736e7cbb4245b0659bb6

Originally, the stream module was developed based on the mail module,
following the existing style.  Then it was diverged to closely follow
the http module development.  This change updates style to use sscf
naming convention troughout the stream module, which matches the http
module code style.  No functional changes.





Originally, the stream module was developed based on the mail module,
following the existing style.  Then it was diverged to closely follow
the http module development.  This change updates style to use sscf
naming convention troughout the stream module, which matches the http
module code style.  No functional changes.







Stream: virtual servers.
2023-12-14T17:58:39+00:00

Roman Arutyunyan
arut@nginx.com

2023-12-14T17:58:39+00:00

d21675228a0ba8d4331e05c60660228a5d3326de

Server name is taken either from ngx_stream_ssl_module or
ngx_stream_ssl_preread_module.

The change adds "default_server" parameter to the "listen" directive,
as well as the following directives: "server_names_hash_max_size",
"server_names_hash_bucket_size", "server_name" and "ssl_reject_handshake".





Server name is taken either from ngx_stream_ssl_module or
ngx_stream_ssl_preread_module.

The change adds "default_server" parameter to the "listen" directive,
as well as the following directives: "server_names_hash_max_size",
"server_names_hash_bucket_size", "server_name" and "ssl_reject_handshake".







Stream: the "ssl_alpn" directive.
2021-10-19T09:19:59+00:00

Vladimir Homutov
vl@nginx.com

2021-10-19T09:19:59+00:00

df472eecc043700275ecae2655206163c786f758

The directive sets the server list of supported application protocols
and requires one of this protocols to be negotiated if client is using
ALPN.





The directive sets the server list of supported application protocols
and requires one of this protocols to be negotiated if client is using
ALPN.







SSL: ssl_conf_command directive.
2020-10-22T15:00:22+00:00

Maxim Dounin
mdounin@mdounin.ru

2020-10-22T15:00:22+00:00

ac9c1622822260f81edcf582887a5f0271c2c4c6

With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later.  Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):

    ssl_conf_command Options PrioritizeChaCha;

It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):

    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;

Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.





With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later.  Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):

    ssl_conf_command Options PrioritizeChaCha;

It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):

    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;

Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.







SSL: dynamic certificate loading in the stream module.
2019-02-25T13:42:43+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:42:43+00:00

fbcb0c8a33c7168aad3b1474d4cd8cde3486e155












SSL: detect "listen ... ssl" without certificates (ticket #178).
2018-04-24T12:29:01+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-04-24T12:29:01+00:00

76be1ea9de13c5e8bb0d9523c6a2ad4009a5d7cf

In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.





In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.







Stream: client SSL certificates verification support.
2016-12-20T09:05:14+00:00

Vladimir Homutov
vl@nginx.com

2016-12-20T09:05:14+00:00

7fab8d046ee170031ad61d4131403e3d5540e98e

New directives: "ssl_verify_client", "ssl_verify_depth",
"ssl_client_certificate", "ssl_trusted_certificate", and
"ssl_crl".

New variables: $ssl_client_cert, $ssl_client_raw_cert,
$ssl_client_s_dn, $ssl_client_i_dn, $ssl_client_serial,
$ssl_client_fingerprint, $ssl_client_verify, $ssl_client_v_start,
$ssl_client_v_end, and $ssl_client_v_remain.





New directives: "ssl_verify_client", "ssl_verify_depth",
"ssl_client_certificate", "ssl_trusted_certificate", and
"ssl_crl".

New variables: $ssl_client_cert, $ssl_client_raw_cert,
$ssl_client_s_dn, $ssl_client_i_dn, $ssl_client_serial,
$ssl_client_fingerprint, $ssl_client_verify, $ssl_client_v_start,
$ssl_client_v_end, and $ssl_client_v_remain.