authorPiotr Sikora <piotr@cloudflare.com>2013-10-11 16:05:24 -0700
committerPiotr Sikora <piotr@cloudflare.com>2013-10-11 16:05:24 -0700
commit79be6a5462498af8655aaed141f13a1d2a34abc8 (patch)
tree52b4c69bed7f44caba6b83c6282f8a85230b3e87 /src/mail
parenta8ad0c02cc19f9684a357aace70a5fbbf9106fc1 (diff)
downloadnginx-79be6a5462498af8655aaed141f13a1d2a34abc8.tar.gz
nginx-79be6a5462498af8655aaed141f13a1d2a34abc8.tar.bz2
SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined multiple times. The first key will be used to issue and resume Session Tickets, while the rest will be used only to resume them. ssl_session_ticket_key session_tickets/current.key; ssl_session_ticket_key session_tickets/prev-1h.key; ssl_session_ticket_key session_tickets/prev-2h.key; Please note that nginx supports Session Tickets even without explicit configuration of the keys, and this feature should only be used in setups where SSL traffic is distributed across multiple nginx servers. Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Diffstat (limited to 'src/mail')
-rw-r--r--src/mail/ngx_mail_ssl_module.c17
-rw-r--r--src/mail/ngx_mail_ssl_module.h2
2 files changed, 19 insertions, 0 deletions
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 18fd66aed..94c015700 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -116,6 +116,13 @@ static ngx_command_t ngx_mail_ssl_commands[] = {
0,
NULL },
+ { ngx_string("ssl_session_ticket_key"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_array_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
+ NULL },
+
{ ngx_string("ssl_session_timeout"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_sec_slot,
@@ -184,6 +191,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->builtin_session_cache = NGX_CONF_UNSET;
scf->session_timeout = NGX_CONF_UNSET;
+ scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
return scf;
}
@@ -331,6 +339,15 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
+ ngx_conf_merge_ptr_value(conf->session_ticket_keys,
+ prev->session_ticket_keys, NULL);
+
+ if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}
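Review bot: The merge on L47-48 defaults session_ticket_keys to NULL and L50 then passes that value unconditionally to ngx_ssl_session_ticket_keys(), so the helper (defined outside this diff) must treat a NULL array as "no explicit keys, keep the existing default ticket behaviour" rather than as an error; worth confirming, since every mail server block that does not use the directive now takes this path. The array order is also a security contract — per the commit message only the first key issues tickets and the remaining ones only resume — but nothing in the merge code records it, so a comment before the call would help the next maintainer: `/* keys[0] issues and resumes tickets; keys[1..] resume only (rollover) */`. ngx_mail_ssl_merge_conf begins outside the hunk, so any early returns before this point are not visible here.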
diff --git a/src/mail/ngx_mail_ssl_module.h b/src/mail/ngx_mail_ssl_module.h
index 7f59b38ae..54e057721 100644
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@@ -41,6 +41,8 @@ typedef struct {
ngx_shm_zone_t *shm_zone;
+ ngx_array_t *session_ticket_keys;
+
u_char *file;
ngx_uint_t line;
} ngx_mail_ssl_conf_t;
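Review bot: The new session_ticket_keys member on L64 gives no indication of its element type or the significance of its ordering, and both matter: it is filled by ngx_conf_set_str_array_slot (so an array of ngx_str_t paths) and, per the commit message, only the first entry is used to issue tickets. A trailing comment would make that explicit: `ngx_array_t *session_ticket_keys; /* ngx_str_t paths; first issues tickets, rest resume only */`. The rest of the struct lies outside this hunk.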