nginxtra 1.8.1.12 → 1.10.1.12
- checksums.yaml +4 -4
- data/bin/nginxtra +1 -1
- data/bin/nginxtra_rails +1 -1
- data/lib/nginxtra/version.rb +1 -1
- data/vendor/nginx/CHANGES +363 -25
- data/vendor/nginx/CHANGES.ru +365 -21
- data/vendor/nginx/LICENSE +2 -2
- data/vendor/nginx/auto/cc/conf +32 -0
- data/vendor/nginx/auto/cc/gcc +1 -1
- data/vendor/nginx/auto/cc/icc +2 -2
- data/vendor/nginx/auto/cc/msvc +29 -8
- data/vendor/nginx/auto/cc/name +2 -25
- data/vendor/nginx/auto/cc/sunc +3 -0
- data/vendor/nginx/auto/endianness +7 -2
- data/vendor/nginx/auto/install +60 -26
- data/vendor/nginx/auto/lib/conf +4 -4
- data/vendor/nginx/auto/lib/geoip/conf +6 -1
- data/vendor/nginx/auto/lib/libgd/conf +6 -1
- data/vendor/nginx/auto/lib/libxslt/conf +11 -2
- data/vendor/nginx/auto/lib/make +1 -1
- data/vendor/nginx/auto/lib/md5/conf +2 -2
- data/vendor/nginx/auto/lib/md5/make +2 -2
- data/vendor/nginx/auto/lib/openssl/conf +52 -3
- data/vendor/nginx/auto/lib/openssl/make +1 -1
- data/vendor/nginx/auto/lib/pcre/conf +2 -2
- data/vendor/nginx/auto/lib/pcre/make +2 -2
- data/vendor/nginx/auto/lib/perl/conf +6 -3
- data/vendor/nginx/auto/lib/perl/make +4 -1
- data/vendor/nginx/auto/lib/sha1/conf +2 -2
- data/vendor/nginx/auto/lib/sha1/make +2 -2
- data/vendor/nginx/auto/lib/zlib/conf +2 -2
- data/vendor/nginx/auto/lib/zlib/make +2 -2
- data/vendor/nginx/auto/make +281 -16
- data/vendor/nginx/auto/module +122 -0
- data/vendor/nginx/auto/modules +909 -178
- data/vendor/nginx/auto/options +81 -19
- data/vendor/nginx/auto/os/conf +9 -0
- data/vendor/nginx/auto/os/darwin +3 -0
- data/vendor/nginx/auto/os/freebsd +0 -20
- data/vendor/nginx/auto/os/linux +0 -12
- data/vendor/nginx/auto/os/win32 +5 -1
- data/vendor/nginx/auto/sources +11 -311
- data/vendor/nginx/auto/summary +1 -0
- data/vendor/nginx/auto/types/sizeof +5 -3
- data/vendor/nginx/auto/types/typedef +9 -4
- data/vendor/nginx/auto/types/uintptr_t +7 -2
- data/vendor/nginx/auto/unix +72 -12
- data/vendor/nginx/conf/fastcgi.conf +1 -0
- data/vendor/nginx/conf/fastcgi_params +1 -0
- data/vendor/nginx/conf/scgi_params +1 -0
- data/vendor/nginx/conf/uwsgi_params +1 -0
- data/vendor/nginx/configure +1 -1
- data/vendor/nginx/contrib/vim/syntax/nginx.vim +2 -2
- data/vendor/nginx/man/nginx.8 +6 -2
- data/vendor/nginx/src/core/nginx.c +281 -114
- data/vendor/nginx/src/core/nginx.h +2 -2
- data/vendor/nginx/src/core/ngx_conf_file.c +54 -13
- data/vendor/nginx/src/core/ngx_conf_file.h +8 -52
- data/vendor/nginx/src/core/ngx_config.h +0 -5
- data/vendor/nginx/src/core/ngx_connection.c +270 -37
- data/vendor/nginx/src/core/ngx_connection.h +35 -12
- data/vendor/nginx/src/core/ngx_core.h +4 -0
- data/vendor/nginx/src/core/ngx_crypt.c +2 -2
- data/vendor/nginx/src/core/ngx_cycle.c +72 -25
- data/vendor/nginx/src/core/ngx_cycle.h +28 -39
- data/vendor/nginx/src/core/ngx_file.c +14 -5
- data/vendor/nginx/src/core/ngx_file.h +2 -0
- data/vendor/nginx/src/core/ngx_hash.c +13 -1
- data/vendor/nginx/src/core/ngx_inet.c +20 -18
- data/vendor/nginx/src/core/ngx_log.c +12 -12
- data/vendor/nginx/src/core/ngx_log.h +13 -6
- data/vendor/nginx/src/core/ngx_module.c +360 -0
- data/vendor/nginx/src/core/ngx_module.h +307 -0
- data/vendor/nginx/src/core/ngx_open_file_cache.c +2 -2
- data/vendor/nginx/src/core/ngx_output_chain.c +8 -4
- data/vendor/nginx/src/core/ngx_palloc.c +42 -44
- data/vendor/nginx/src/{http/ngx_http_parse_time.c → core/ngx_parse_time.c} +2 -3
- data/vendor/nginx/src/core/ngx_parse_time.h +22 -0
- data/vendor/nginx/src/core/ngx_proxy_protocol.c +50 -1
- data/vendor/nginx/src/core/ngx_proxy_protocol.h +3 -1
- data/vendor/nginx/src/core/ngx_regex.c +1 -38
- data/vendor/nginx/src/core/ngx_resolver.c +1814 -320
- data/vendor/nginx/src/core/ngx_resolver.h +67 -10
- data/vendor/nginx/src/core/ngx_rwlock.c +120 -0
- data/vendor/nginx/src/core/ngx_rwlock.h +21 -0
- data/vendor/nginx/src/core/ngx_slab.c +6 -5
- data/vendor/nginx/src/core/ngx_string.c +1 -1
- data/vendor/nginx/src/core/ngx_syslog.c +11 -3
- data/vendor/nginx/src/core/ngx_syslog.h +2 -1
- data/vendor/nginx/src/core/ngx_thread_pool.c +4 -0
- data/vendor/nginx/src/core/ngx_times.c +2 -2
- data/vendor/nginx/src/event/modules/ngx_devpoll_module.c +3 -1
- data/vendor/nginx/src/event/modules/ngx_epoll_module.c +5 -2
- data/vendor/nginx/src/event/modules/ngx_eventport_module.c +5 -5
- data/vendor/nginx/src/event/modules/ngx_kqueue_module.c +15 -8
- data/vendor/nginx/src/event/modules/ngx_poll_module.c +0 -10
- data/vendor/nginx/src/event/modules/ngx_select_module.c +0 -10
- data/vendor/nginx/src/event/ngx_event.c +60 -103
- data/vendor/nginx/src/event/ngx_event.h +22 -26
- data/vendor/nginx/src/event/ngx_event_accept.c +414 -88
- data/vendor/nginx/src/event/ngx_event_connect.c +27 -18
- data/vendor/nginx/src/event/ngx_event_connect.h +1 -0
- data/vendor/nginx/src/event/ngx_event_openssl.c +65 -25
- data/vendor/nginx/src/event/ngx_event_openssl.h +17 -0
- data/vendor/nginx/src/event/ngx_event_openssl_stapling.c +73 -7
- data/vendor/nginx/src/event/ngx_event_pipe.c +85 -27
- data/vendor/nginx/src/event/ngx_event_pipe.h +10 -0
- data/vendor/nginx/src/http/modules/ngx_http_auth_basic_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_auth_request_module.c +2 -2
- data/vendor/nginx/src/http/modules/ngx_http_chunked_filter_module.c +2 -2
- data/vendor/nginx/src/http/modules/ngx_http_dav_module.c +6 -6
- data/vendor/nginx/src/http/modules/ngx_http_fastcgi_module.c +17 -11
- data/vendor/nginx/src/http/modules/ngx_http_gzip_filter_module.c +2 -2
- data/vendor/nginx/src/http/modules/ngx_http_headers_filter_module.c +9 -9
- data/vendor/nginx/src/http/modules/ngx_http_image_filter_module.c +2 -2
- data/vendor/nginx/src/http/modules/ngx_http_limit_conn_module.c +2 -2
- data/vendor/nginx/src/http/modules/ngx_http_limit_req_module.c +0 -7
- data/vendor/nginx/src/http/modules/ngx_http_map_module.c +6 -6
- data/vendor/nginx/src/http/modules/ngx_http_memcached_module.c +2 -1
- data/vendor/nginx/src/http/modules/ngx_http_mp4_module.c +13 -13
- data/vendor/nginx/src/http/modules/ngx_http_not_modified_filter_module.c +2 -2
- data/vendor/nginx/src/http/modules/ngx_http_proxy_module.c +26 -21
- data/vendor/nginx/src/http/modules/ngx_http_random_index_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_range_filter_module.c +26 -8
- data/vendor/nginx/src/http/modules/ngx_http_realip_module.c +73 -3
- data/vendor/nginx/src/http/modules/ngx_http_referer_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_rewrite_module.c +6 -6
- data/vendor/nginx/src/http/modules/ngx_http_scgi_module.c +5 -3
- data/vendor/nginx/src/http/modules/ngx_http_slice_filter_module.c +526 -0
- data/vendor/nginx/src/http/modules/ngx_http_ssi_filter_module.c +7 -7
- data/vendor/nginx/src/http/modules/ngx_http_ssl_module.c +19 -16
- data/vendor/nginx/src/http/modules/ngx_http_static_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_stub_status_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_sub_filter_module.c +373 -173
- data/vendor/nginx/src/http/modules/ngx_http_upstream_hash_module.c +72 -46
- data/vendor/nginx/src/http/modules/ngx_http_upstream_ip_hash_module.c +18 -30
- data/vendor/nginx/src/http/modules/ngx_http_upstream_keepalive_module.c +50 -39
- data/vendor/nginx/src/http/modules/ngx_http_upstream_least_conn_module.c +38 -129
- data/vendor/nginx/src/http/modules/ngx_http_upstream_zone_module.c +246 -0
- data/vendor/nginx/src/http/modules/ngx_http_uwsgi_module.c +6 -5
- data/vendor/nginx/src/http/modules/perl/nginx.xs +9 -9
- data/vendor/nginx/src/http/ngx_http.c +46 -43
- data/vendor/nginx/src/http/ngx_http.h +4 -9
- data/vendor/nginx/src/http/ngx_http_cache.h +4 -0
- data/vendor/nginx/src/http/ngx_http_copy_filter_module.c +13 -5
- data/vendor/nginx/src/http/ngx_http_core_module.c +92 -91
- data/vendor/nginx/src/http/ngx_http_core_module.h +12 -8
- data/vendor/nginx/src/http/ngx_http_file_cache.c +61 -10
- data/vendor/nginx/src/http/ngx_http_request.c +37 -50
- data/vendor/nginx/src/http/ngx_http_request.h +10 -15
- data/vendor/nginx/src/http/ngx_http_request_body.c +64 -88
- data/vendor/nginx/src/http/ngx_http_script.c +3 -3
- data/vendor/nginx/src/http/ngx_http_special_response.c +1 -4
- data/vendor/nginx/src/http/ngx_http_upstream.c +245 -109
- data/vendor/nginx/src/http/ngx_http_upstream.h +11 -5
- data/vendor/nginx/src/http/ngx_http_upstream_round_robin.c +212 -65
- data/vendor/nginx/src/http/ngx_http_upstream_round_robin.h +66 -5
- data/vendor/nginx/src/http/ngx_http_variables.c +28 -15
- data/vendor/nginx/src/http/ngx_http_write_filter_module.c +1 -1
- data/vendor/nginx/src/http/v2/ngx_http_v2.c +4349 -0
- data/vendor/nginx/src/http/v2/ngx_http_v2.h +337 -0
- data/vendor/nginx/src/http/v2/ngx_http_v2_filter_module.c +1391 -0
- data/vendor/nginx/src/http/v2/ngx_http_v2_huff_decode.c +2714 -0
- data/vendor/nginx/src/http/v2/ngx_http_v2_huff_encode.c +254 -0
- data/vendor/nginx/src/http/v2/ngx_http_v2_module.c +469 -0
- data/vendor/nginx/src/http/{ngx_http_spdy_module.h → v2/ngx_http_v2_module.h} +10 -9
- data/vendor/nginx/src/http/v2/ngx_http_v2_table.c +349 -0
- data/vendor/nginx/src/mail/ngx_mail.c +49 -82
- data/vendor/nginx/src/mail/ngx_mail.h +16 -23
- data/vendor/nginx/src/mail/ngx_mail_auth_http_module.c +1 -1
- data/vendor/nginx/src/mail/ngx_mail_core_module.c +60 -34
- data/vendor/nginx/src/mail/ngx_mail_handler.c +17 -12
- data/vendor/nginx/src/mail/ngx_mail_proxy_module.c +1 -14
- data/vendor/nginx/src/mail/ngx_mail_smtp_handler.c +1 -1
- data/vendor/nginx/src/mail/ngx_mail_ssl_module.c +5 -5
- data/vendor/nginx/src/os/unix/ngx_atomic.h +10 -10
- data/vendor/nginx/src/os/unix/ngx_channel.h +4 -4
- data/vendor/nginx/src/os/unix/ngx_darwin_config.h +2 -0
- data/vendor/nginx/src/os/unix/ngx_darwin_init.c +1 -0
- data/vendor/nginx/src/os/unix/ngx_dlopen.c +28 -0
- data/vendor/nginx/src/os/unix/ngx_dlopen.h +31 -0
- data/vendor/nginx/src/os/unix/ngx_errno.h +1 -0
- data/vendor/nginx/src/os/unix/ngx_file_aio_read.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_files.c +313 -80
- data/vendor/nginx/src/os/unix/ngx_files.h +5 -2
- data/vendor/nginx/src/os/unix/ngx_freebsd_config.h +3 -1
- data/vendor/nginx/src/os/unix/ngx_freebsd_init.c +1 -0
- data/vendor/nginx/src/os/unix/ngx_freebsd_sendfile_chain.c +13 -0
- data/vendor/nginx/src/os/unix/ngx_linux.h +0 -2
- data/vendor/nginx/src/os/unix/ngx_linux_aio_read.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_linux_config.h +2 -6
- data/vendor/nginx/src/os/unix/ngx_linux_init.c +1 -33
- data/vendor/nginx/src/os/unix/ngx_linux_sendfile_chain.c +55 -12
- data/vendor/nginx/src/os/unix/ngx_os.h +3 -9
- data/vendor/nginx/src/os/unix/ngx_posix_config.h +14 -1
- data/vendor/nginx/src/os/unix/ngx_posix_init.c +2 -1
- data/vendor/nginx/src/os/unix/ngx_process.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_process_cycle.c +25 -51
- data/vendor/nginx/src/os/unix/ngx_process_cycle.h +1 -0
- data/vendor/nginx/src/os/unix/ngx_readv_chain.c +24 -28
- data/vendor/nginx/src/os/unix/ngx_recv.c +30 -79
- data/vendor/nginx/src/os/unix/ngx_send.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_setaffinity.c +14 -30
- data/vendor/nginx/src/os/unix/ngx_setaffinity.h +15 -1
- data/vendor/nginx/src/os/unix/ngx_solaris_config.h +2 -0
- data/vendor/nginx/src/os/unix/ngx_solaris_init.c +1 -0
- data/vendor/nginx/src/os/unix/ngx_solaris_sendfilev_chain.c +23 -0
- data/vendor/nginx/src/os/unix/ngx_sunpro_amd64.il +3 -3
- data/vendor/nginx/src/os/unix/ngx_sunpro_x86.il +3 -3
- data/vendor/nginx/src/os/unix/ngx_udp_recv.c +5 -48
- data/vendor/nginx/src/os/unix/ngx_udp_send.c +56 -0
- data/vendor/nginx/src/stream/ngx_stream.c +564 -0
- data/vendor/nginx/src/stream/ngx_stream.h +212 -0
- data/vendor/nginx/src/stream/ngx_stream_access_module.c +451 -0
- data/vendor/nginx/src/stream/ngx_stream_core_module.c +562 -0
- data/vendor/nginx/src/stream/ngx_stream_handler.c +344 -0
- data/vendor/nginx/src/stream/ngx_stream_limit_conn_module.c +632 -0
- data/vendor/nginx/src/stream/ngx_stream_proxy_module.c +1674 -0
- data/vendor/nginx/src/stream/ngx_stream_ssl_module.c +460 -0
- data/vendor/nginx/src/stream/ngx_stream_ssl_module.h +49 -0
- data/vendor/nginx/src/stream/ngx_stream_upstream.c +464 -0
- data/vendor/nginx/src/stream/ngx_stream_upstream.h +107 -0
- data/vendor/nginx/src/stream/ngx_stream_upstream_hash_module.c +656 -0
- data/vendor/nginx/src/stream/ngx_stream_upstream_least_conn_module.c +307 -0
- data/vendor/nginx/src/stream/ngx_stream_upstream_round_robin.c +702 -0
- data/vendor/nginx/src/stream/ngx_stream_upstream_round_robin.h +139 -0
- data/vendor/nginx/src/stream/ngx_stream_upstream_zone_module.c +242 -0
- metadata +39 -15
- data/vendor/nginx/src/event/modules/ngx_aio_module.c +0 -171
- data/vendor/nginx/src/event/modules/ngx_rtsig_module.c +0 -735
- data/vendor/nginx/src/http/ngx_http_spdy.c +0 -3701
- data/vendor/nginx/src/http/ngx_http_spdy.h +0 -261
- data/vendor/nginx/src/http/ngx_http_spdy_filter_module.c +0 -1222
- data/vendor/nginx/src/http/ngx_http_spdy_module.c +0 -408
- data/vendor/nginx/src/os/unix/ngx_aio_read.c +0 -109
- data/vendor/nginx/src/os/unix/ngx_aio_read_chain.c +0 -78
- data/vendor/nginx/src/os/unix/ngx_aio_write.c +0 -109
- data/vendor/nginx/src/os/unix/ngx_aio_write_chain.c +0 -100
@@ -14,7 +14,7 @@
|
|
14
14
|
ngx_int_t
|
15
15
|
ngx_event_connect_peer(ngx_peer_connection_t *pc)
|
16
16
|
{
|
17
|
-
int rc;
|
17
|
+
int rc, type;
|
18
18
|
ngx_int_t event;
|
19
19
|
ngx_err_t err;
|
20
20
|
ngx_uint_t level;
|
@@ -27,9 +27,12 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
|
|
27
27
|
return rc;
|
28
28
|
}
|
29
29
|
|
30
|
-
|
30
|
+
type = (pc->type ? pc->type : SOCK_STREAM);
|
31
31
|
|
32
|
-
|
32
|
+
s = ngx_socket(pc->sockaddr->sa_family, type, 0);
|
33
|
+
|
34
|
+
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d",
|
35
|
+
(type == SOCK_STREAM) ? "stream" : "dgram", s);
|
33
36
|
|
34
37
|
if (s == (ngx_socket_t) -1) {
|
35
38
|
ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
|
@@ -49,6 +52,8 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
|
|
49
52
|
return NGX_ERROR;
|
50
53
|
}
|
51
54
|
|
55
|
+
c->type = type;
|
56
|
+
|
52
57
|
if (pc->rcvbuf) {
|
53
58
|
if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
|
54
59
|
(const void *) &pc->rcvbuf, sizeof(int)) == -1)
|
@@ -75,25 +80,31 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
|
|
75
80
|
}
|
76
81
|
}
|
77
82
|
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
83
|
+
if (type == SOCK_STREAM) {
|
84
|
+
c->recv = ngx_recv;
|
85
|
+
c->send = ngx_send;
|
86
|
+
c->recv_chain = ngx_recv_chain;
|
87
|
+
c->send_chain = ngx_send_chain;
|
82
88
|
|
83
|
-
|
89
|
+
c->sendfile = 1;
|
84
90
|
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
c->tcp_nopush = NGX_TCP_NOPUSH_DISABLED;
|
89
|
-
c->tcp_nodelay = NGX_TCP_NODELAY_DISABLED;
|
91
|
+
if (pc->sockaddr->sa_family == AF_UNIX) {
|
92
|
+
c->tcp_nopush = NGX_TCP_NOPUSH_DISABLED;
|
93
|
+
c->tcp_nodelay = NGX_TCP_NODELAY_DISABLED;
|
90
94
|
|
91
95
|
#if (NGX_SOLARIS)
|
92
|
-
|
93
|
-
|
96
|
+
/* Solaris's sendfilev() supports AF_NCA, AF_INET, and AF_INET6 */
|
97
|
+
c->sendfile = 0;
|
94
98
|
#endif
|
99
|
+
}
|
100
|
+
|
101
|
+
} else { /* type == SOCK_DGRAM */
|
102
|
+
c->recv = ngx_udp_recv;
|
103
|
+
c->send = ngx_send;
|
95
104
|
}
|
96
105
|
|
106
|
+
c->log_error = pc->log_error;
|
107
|
+
|
97
108
|
rev = c->read;
|
98
109
|
wev = c->write;
|
99
110
|
|
@@ -171,13 +182,11 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
|
|
171
182
|
return NGX_OK;
|
172
183
|
}
|
173
184
|
|
174
|
-
if (ngx_event_flags &
|
185
|
+
if (ngx_event_flags & NGX_USE_IOCP_EVENT) {
|
175
186
|
|
176
187
|
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pc->log, ngx_socket_errno,
|
177
188
|
"connect(): %d", rc);
|
178
189
|
|
179
|
-
/* aio, iocp */
|
180
|
-
|
181
190
|
if (ngx_blocking(s) == -1) {
|
182
191
|
ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
|
183
192
|
ngx_blocking_n " failed");
|
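Review bot: The `else` branch in the `@@ -75,25 +80,31 @@` hunk is labelled `/* type == SOCK_DGRAM */`, but nothing visible enforces that: `type` is `pc->type` taken as-is whenever it is non-zero, so any value other than SOCK_STREAM reaches `ngx_socket()` and then the datagram handlers. That branch also assigns only `c->recv` and `c->send`, leaving `c->recv_chain` and `c->send_chain` untouched, which deserves a comment if it is intentional. I would either validate right after the assignment at new line 30, e.g. `if (type != SOCK_STREAM && type != SOCK_DGRAM) { return NGX_ERROR; }`, or state on that line that callers may pass only those two values. The body of ngx_event_connect_peer extends outside the hunks shown.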
@@ -39,6 +39,9 @@ ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
|
|
39
39
|
static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
|
40
40
|
ngx_ssl_session_t *sess);
|
41
41
|
static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
|
42
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
|
43
|
+
const
|
44
|
+
#endif
|
42
45
|
u_char *id, int len, int *copy);
|
43
46
|
static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
|
44
47
|
static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
|
@@ -52,7 +55,7 @@ static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
|
52
55
|
HMAC_CTX *hctx, int enc);
|
53
56
|
#endif
|
54
57
|
|
55
|
-
#if
|
58
|
+
#if OPENSSL_VERSION_NUMBER < 0x10002002L
|
56
59
|
static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
|
57
60
|
#endif
|
58
61
|
|
@@ -108,6 +111,12 @@ int ngx_ssl_stapling_index;
|
|
108
111
|
ngx_int_t
|
109
112
|
ngx_ssl_init(ngx_log_t *log)
|
110
113
|
{
|
114
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
|
115
|
+
|
116
|
+
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
117
|
+
|
118
|
+
#else
|
119
|
+
|
111
120
|
#ifndef OPENSSL_IS_BORINGSSL
|
112
121
|
OPENSSL_config(NULL);
|
113
122
|
#endif
|
@@ -117,6 +126,8 @@ ngx_ssl_init(ngx_log_t *log)
|
|
117
126
|
|
118
127
|
OpenSSL_add_all_algorithms();
|
119
128
|
|
129
|
+
#endif
|
130
|
+
|
120
131
|
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
121
132
|
#ifndef SSL_OP_NO_COMPRESSION
|
122
133
|
{
|
@@ -747,7 +758,7 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
|
|
747
758
|
return NULL;
|
748
759
|
}
|
749
760
|
|
750
|
-
#
|
761
|
+
#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED)
|
751
762
|
|
752
763
|
if (key == NULL) {
|
753
764
|
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
|
@@ -1160,6 +1171,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
|
1160
1171
|
c->recv_chain = ngx_ssl_recv_chain;
|
1161
1172
|
c->send_chain = ngx_ssl_send_chain;
|
1162
1173
|
|
1174
|
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
1163
1175
|
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
1164
1176
|
|
1165
1177
|
/* initial handshake done, disable renegotiation (CVE-2009-3555) */
|
@@ -1167,6 +1179,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
|
1167
1179
|
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
|
1168
1180
|
}
|
1169
1181
|
|
1182
|
+
#endif
|
1170
1183
|
#endif
|
1171
1184
|
|
1172
1185
|
return NGX_OK;
|
@@ -1594,7 +1607,7 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
|
|
1594
1607
|
}
|
1595
1608
|
|
1596
1609
|
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
1597
|
-
"SSL buf copy: %
|
1610
|
+
"SSL buf copy: %z", size);
|
1598
1611
|
|
1599
1612
|
ngx_memcpy(buf->last, in->buf->pos, size);
|
1600
1613
|
|
@@ -1666,7 +1679,7 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
|
|
1666
1679
|
|
1667
1680
|
ngx_ssl_clear_error(c->log);
|
1668
1681
|
|
1669
|
-
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %
|
1682
|
+
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);
|
1670
1683
|
|
1671
1684
|
n = SSL_write(c->ssl->connection, data, size);
|
1672
1685
|
|
@@ -1765,6 +1778,19 @@ ngx_ssl_shutdown(ngx_connection_t *c)
|
|
1765
1778
|
int n, sslerr, mode;
|
1766
1779
|
ngx_err_t err;
|
1767
1780
|
|
1781
|
+
if (SSL_in_init(c->ssl->connection)) {
|
1782
|
+
/*
|
1783
|
+
* OpenSSL 1.0.2f complains if SSL_shutdown() is called during
|
1784
|
+
* an SSL handshake, while previous versions always return 0.
|
1785
|
+
* Avoid calling SSL_shutdown() if handshake wasn't completed.
|
1786
|
+
*/
|
1787
|
+
|
1788
|
+
SSL_free(c->ssl->connection);
|
1789
|
+
c->ssl = NULL;
|
1790
|
+
|
1791
|
+
return NGX_OK;
|
1792
|
+
}
|
1793
|
+
|
1768
1794
|
if (c->timedout) {
|
1769
1795
|
mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN;
|
1770
1796
|
SSL_set_quiet_shutdown(c->ssl->connection, 1);
|
@@ -1795,7 +1821,7 @@ ngx_ssl_shutdown(ngx_connection_t *c)
|
|
1795
1821
|
|
1796
1822
|
sslerr = 0;
|
1797
1823
|
|
1798
|
-
/* SSL_shutdown()
|
1824
|
+
/* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */
|
1799
1825
|
|
1800
1826
|
if (n != 1 && ERR_peek_error()) {
|
1801
1827
|
sslerr = SSL_get_error(c->ssl->connection, n);
|
@@ -1941,6 +1967,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|
|
1941
1967
|
|| n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
|
1942
1968
|
#endif
|
1943
1969
|
|| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
|
1970
|
+
#ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
|
1944
1971
|
|| n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
|
1945
1972
|
|| n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
|
1946
1973
|
|| n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */
|
@@ -1963,7 +1990,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|
|
1963
1990
|
|| n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
|
1964
1991
|
|| n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
|
1965
1992
|
|| n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
|
1966
|
-
|| n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION
|
1993
|
+
|| n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */
|
1994
|
+
#endif
|
1995
|
+
)
|
1967
1996
|
{
|
1968
1997
|
switch (c->log_error) {
|
1969
1998
|
|
@@ -2045,7 +2074,7 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
|
|
2045
2074
|
(void) ERR_get_error();
|
2046
2075
|
}
|
2047
2076
|
|
2048
|
-
ngx_log_error(level, log, err, "
|
2077
|
+
ngx_log_error(level, log, err, "%*s)", p - errstr, errstr);
|
2049
2078
|
}
|
2050
2079
|
|
2051
2080
|
|
@@ -2128,7 +2157,7 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
|
|
2128
2157
|
int n, i;
|
2129
2158
|
X509 *cert;
|
2130
2159
|
X509_NAME *name;
|
2131
|
-
EVP_MD_CTX
|
2160
|
+
EVP_MD_CTX *md;
|
2132
2161
|
unsigned int len;
|
2133
2162
|
STACK_OF(X509_NAME) *list;
|
2134
2163
|
u_char buf[EVP_MAX_MD_SIZE];
|
@@ -2138,15 +2167,18 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
|
|
2138
2167
|
* the server certificate, and the client CA list.
|
2139
2168
|
*/
|
2140
2169
|
|
2141
|
-
|
2170
|
+
md = EVP_MD_CTX_create();
|
2171
|
+
if (md == NULL) {
|
2172
|
+
return NGX_ERROR;
|
2173
|
+
}
|
2142
2174
|
|
2143
|
-
if (EVP_DigestInit_ex(
|
2175
|
+
if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) {
|
2144
2176
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
2145
2177
|
"EVP_DigestInit_ex() failed");
|
2146
2178
|
goto failed;
|
2147
2179
|
}
|
2148
2180
|
|
2149
|
-
if (EVP_DigestUpdate(
|
2181
|
+
if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) {
|
2150
2182
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
2151
2183
|
"EVP_DigestUpdate() failed");
|
2152
2184
|
goto failed;
|
@@ -2160,7 +2192,7 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
|
|
2160
2192
|
goto failed;
|
2161
2193
|
}
|
2162
2194
|
|
2163
|
-
if (EVP_DigestUpdate(
|
2195
|
+
if (EVP_DigestUpdate(md, buf, len) == 0) {
|
2164
2196
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
2165
2197
|
"EVP_DigestUpdate() failed");
|
2166
2198
|
goto failed;
|
@@ -2180,7 +2212,7 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
|
|
2180
2212
|
goto failed;
|
2181
2213
|
}
|
2182
2214
|
|
2183
|
-
if (EVP_DigestUpdate(
|
2215
|
+
if (EVP_DigestUpdate(md, buf, len) == 0) {
|
2184
2216
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
2185
2217
|
"EVP_DigestUpdate() failed");
|
2186
2218
|
goto failed;
|
@@ -2188,13 +2220,13 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
|
|
2188
2220
|
}
|
2189
2221
|
}
|
2190
2222
|
|
2191
|
-
if (EVP_DigestFinal_ex(
|
2223
|
+
if (EVP_DigestFinal_ex(md, buf, &len) == 0) {
|
2192
2224
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
2193
2225
|
"EVP_DigestUpdate() failed");
|
2194
2226
|
goto failed;
|
2195
2227
|
}
|
2196
2228
|
|
2197
|
-
|
2229
|
+
EVP_MD_CTX_destroy(md);
|
2198
2230
|
|
2199
2231
|
if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) {
|
2200
2232
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
@@ -2206,7 +2238,7 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
|
|
2206
2238
|
|
2207
2239
|
failed:
|
2208
2240
|
|
2209
|
-
|
2241
|
+
EVP_MD_CTX_destroy(md);
|
2210
2242
|
|
2211
2243
|
return NGX_ERROR;
|
2212
2244
|
}
|
@@ -2427,8 +2459,11 @@ failed:
|
|
2427
2459
|
|
2428
2460
|
|
2429
2461
|
static ngx_ssl_session_t *
|
2430
|
-
ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
|
2431
|
-
|
2462
|
+
ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
|
2463
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
|
2464
|
+
const
|
2465
|
+
#endif
|
2466
|
+
u_char *id, int len, int *copy)
|
2432
2467
|
{
|
2433
2468
|
#if OPENSSL_VERSION_NUMBER >= 0x0090707fL
|
2434
2469
|
const
|
@@ -2445,7 +2480,7 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len,
|
|
2445
2480
|
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
|
2446
2481
|
ngx_connection_t *c;
|
2447
2482
|
|
2448
|
-
hash = ngx_crc32_short(id, (size_t) len);
|
2483
|
+
hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
|
2449
2484
|
*copy = 0;
|
2450
2485
|
|
2451
2486
|
c = ngx_ssl_get_connection(ssl_conn);
|
@@ -2483,7 +2518,8 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len,
|
|
2483
2518
|
|
2484
2519
|
sess_id = (ngx_ssl_sess_id_t *) node;
|
2485
2520
|
|
2486
|
-
rc = ngx_memn2cmp(
|
2521
|
+
rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id,
|
2522
|
+
(size_t) len, (size_t) node->data);
|
2487
2523
|
|
2488
2524
|
if (rc == 0) {
|
2489
2525
|
|
@@ -2527,9 +2563,9 @@ done:
|
|
2527
2563
|
void
|
2528
2564
|
ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
2529
2565
|
{
|
2530
|
-
|
2566
|
+
SSL_CTX_remove_session(ssl, sess);
|
2531
2567
|
|
2532
|
-
|
2568
|
+
ngx_ssl_remove_session(ssl, sess);
|
2533
2569
|
}
|
2534
2570
|
|
2535
2571
|
|
@@ -2856,7 +2892,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
|
2856
2892
|
ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
|
2857
2893
|
SSL_session_reused(ssl_conn) ? "reused" : "new");
|
2858
2894
|
|
2859
|
-
|
2895
|
+
RAND_bytes(iv, 16);
|
2860
2896
|
EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[0].aes_key, iv);
|
2861
2897
|
HMAC_Init_ex(hctx, key[0].hmac_key, 16,
|
2862
2898
|
ngx_ssl_session_ticket_md(), NULL);
|
@@ -2929,7 +2965,7 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name)
|
|
2929
2965
|
return NGX_ERROR;
|
2930
2966
|
}
|
2931
2967
|
|
2932
|
-
#if
|
2968
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10002002L
|
2933
2969
|
|
2934
2970
|
/* X509_check_host() is only available in OpenSSL 1.0.2+ */
|
2935
2971
|
|
@@ -3046,7 +3082,7 @@ found:
|
|
3046
3082
|
}
|
3047
3083
|
|
3048
3084
|
|
3049
|
-
#if
|
3085
|
+
#if OPENSSL_VERSION_NUMBER < 0x10002002L
|
3050
3086
|
|
3051
3087
|
static ngx_int_t
|
3052
3088
|
ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
|
@@ -3523,8 +3559,12 @@ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
3523
3559
|
static void
|
3524
3560
|
ngx_openssl_exit(ngx_cycle_t *cycle)
|
3525
3561
|
{
|
3562
|
+
#if OPENSSL_VERSION_NUMBER < 0x10100003L
|
3563
|
+
|
3526
3564
|
EVP_cleanup();
|
3527
3565
|
#ifndef OPENSSL_NO_ENGINE
|
3528
3566
|
ENGINE_cleanup();
|
3529
3567
|
#endif
|
3568
|
+
|
3569
|
+
#endif
|
3530
3570
|
}
|
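Review bot: The result of `RAND_bytes(iv, 16);` in the ngx_ssl_session_ticket_key_callback hunk (new line 2895) is discarded, so if the generator fails, the `EVP_EncryptInit_ex(...)` call on the next line still encrypts the session ticket with whatever `iv` holds. RAND_bytes() returns 1 only on success, and a negative return is how this OpenSSL callback reports an error, so I would write `if (RAND_bytes(iv, 16) != 1) { return -1; }`, with an `ngx_ssl_error()` line before the return if a log handle is in scope there. The `EVP_EncryptInit_ex()` and `HMAC_Init_ex()` calls on the context lines below are unchecked as well. The callback body starts and ends outside the hunk.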
@@ -33,6 +33,23 @@
|
|
33
33
|
#define NGX_SSL_NAME "OpenSSL"
|
34
34
|
|
35
35
|
|
36
|
+
#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
|
37
|
+
#undef OPENSSL_VERSION_NUMBER
|
38
|
+
#define OPENSSL_VERSION_NUMBER 0x1000107fL
|
39
|
+
#endif
|
40
|
+
|
41
|
+
|
42
|
+
#if (OPENSSL_VERSION_NUMBER >= 0x10100001L)
|
43
|
+
|
44
|
+
#define ngx_ssl_version() OpenSSL_version(OPENSSL_VERSION)
|
45
|
+
|
46
|
+
#else
|
47
|
+
|
48
|
+
#define ngx_ssl_version() SSLeay_version(SSLEAY_VERSION)
|
49
|
+
|
50
|
+
#endif
|
51
|
+
|
52
|
+
|
36
53
|
#define ngx_ssl_session_t SSL_SESSION
|
37
54
|
#define ngx_ssl_conn_t SSL
|
38
55
|
|
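Review bot: The LibreSSL override at new lines 36-39 redefines `OPENSSL_VERSION_NUMBER` to `0x1000107fL` without a comment, and every version guard compiled after this header then sees that value. That matters for review because guards such as `#if OPENSSL_VERSION_NUMBER >= 0x10002002L` (the X509_check_host() path shown elsewhere on this page) and `>= 0x10100003L` will select the older code paths on LibreSSL, which is presumably the intent but is not stated. I would add `/* LibreSSL reports 0x20000000L; treat it as OpenSSL 1.0.1g for the version checks below */` above the `#if`.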
@@ -32,6 +32,7 @@ typedef struct {
|
|
32
32
|
X509 *issuer;
|
33
33
|
|
34
34
|
time_t valid;
|
35
|
+
time_t refresh;
|
35
36
|
|
36
37
|
unsigned verify:1;
|
37
38
|
unsigned loading:1;
|
@@ -93,6 +94,8 @@ static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
|
|
93
94
|
static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
|
94
95
|
static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
|
95
96
|
|
97
|
+
static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time);
|
98
|
+
|
96
99
|
static void ngx_ssl_stapling_cleanup(void *data);
|
97
100
|
|
98
101
|
static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(void);
|
@@ -242,6 +245,7 @@ ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
|
|
242
245
|
|
243
246
|
staple->staple.data = buf;
|
244
247
|
staple->staple.len = len;
|
248
|
+
staple->valid = NGX_MAX_TIME_T_VALUE;
|
245
249
|
|
246
250
|
return NGX_OK;
|
247
251
|
|
@@ -281,7 +285,11 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
|
|
281
285
|
for (i = 0; i < n; i++) {
|
282
286
|
issuer = sk_X509_value(chain, i);
|
283
287
|
if (X509_check_issued(issuer, cert) == X509_V_OK) {
|
288
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10100001L
|
289
|
+
X509_up_ref(issuer);
|
290
|
+
#else
|
284
291
|
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
|
292
|
+
#endif
|
285
293
|
|
286
294
|
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
|
287
295
|
"SSL get issuer: found %p in extra certs", issuer);
|
@@ -462,7 +470,9 @@ ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
|
|
462
470
|
staple = data;
|
463
471
|
rc = SSL_TLSEXT_ERR_NOACK;
|
464
472
|
|
465
|
-
if (staple->staple.len
|
473
|
+
if (staple->staple.len
|
474
|
+
&& staple->valid >= ngx_time())
|
475
|
+
{
|
466
476
|
/* we have to copy ocsp response as OpenSSL will free it by itself */
|
467
477
|
|
468
478
|
p = OPENSSL_malloc(staple->staple.len);
|
@@ -490,7 +500,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
|
|
490
500
|
ngx_ssl_ocsp_ctx_t *ctx;
|
491
501
|
|
492
502
|
if (staple->host.len == 0
|
493
|
-
|| staple->loading || staple->
|
503
|
+
|| staple->loading || staple->refresh >= ngx_time())
|
494
504
|
{
|
495
505
|
return;
|
496
506
|
}
|
@@ -532,6 +542,7 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
|
|
532
542
|
u_char *p;
|
533
543
|
int n;
|
534
544
|
size_t len;
|
545
|
+
time_t now, valid;
|
535
546
|
ngx_str_t response;
|
536
547
|
X509_STORE *store;
|
537
548
|
STACK_OF(X509) *chain;
|
@@ -542,6 +553,7 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
|
|
542
553
|
ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
|
543
554
|
|
544
555
|
staple = ctx->data;
|
556
|
+
now = ngx_time();
|
545
557
|
ocsp = NULL;
|
546
558
|
basic = NULL;
|
547
559
|
id = NULL;
|
@@ -629,17 +641,33 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
|
|
629
641
|
goto error;
|
630
642
|
}
|
631
643
|
|
644
|
+
if (nextupdate) {
|
645
|
+
valid = ngx_ssl_stapling_time(nextupdate);
|
646
|
+
if (valid == (time_t) NGX_ERROR) {
|
647
|
+
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
|
648
|
+
"invalid nextUpdate time in certificate status");
|
649
|
+
goto error;
|
650
|
+
}
|
651
|
+
|
652
|
+
} else {
|
653
|
+
valid = NGX_MAX_TIME_T_VALUE;
|
654
|
+
}
|
655
|
+
|
632
656
|
OCSP_CERTID_free(id);
|
633
657
|
OCSP_BASICRESP_free(basic);
|
634
658
|
OCSP_RESPONSE_free(ocsp);
|
635
659
|
|
660
|
+
id = NULL;
|
661
|
+
basic = NULL;
|
662
|
+
ocsp = NULL;
|
663
|
+
|
636
664
|
/* copy the response to memory not in ctx->pool */
|
637
665
|
|
638
666
|
response.len = len;
|
639
667
|
response.data = ngx_alloc(response.len, ctx->log);
|
640
668
|
|
641
669
|
if (response.data == NULL) {
|
642
|
-
goto
|
670
|
+
goto error;
|
643
671
|
}
|
644
672
|
|
645
673
|
ngx_memcpy(response.data, ctx->response->pos, response.len);
|
@@ -653,11 +681,15 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
|
|
653
681
|
}
|
654
682
|
|
655
683
|
staple->staple = response;
|
684
|
+
staple->valid = valid;
|
656
685
|
|
657
|
-
|
686
|
+
/*
|
687
|
+
* refresh before the response expires,
|
688
|
+
* but not earlier than in 5 minutes, and at least in an hour
|
689
|
+
*/
|
658
690
|
|
659
691
|
staple->loading = 0;
|
660
|
-
staple->
|
692
|
+
staple->refresh = ngx_max(ngx_min(valid - 300, now + 3600), now + 300);
|
661
693
|
|
662
694
|
ngx_ssl_ocsp_done(ctx);
|
663
695
|
return;
|
@@ -665,7 +697,7 @@ done:
|
|
665
697
|
error:
|
666
698
|
|
667
699
|
staple->loading = 0;
|
668
|
-
staple->
|
700
|
+
staple->refresh = now + 300;
|
669
701
|
|
670
702
|
if (id) {
|
671
703
|
OCSP_CERTID_free(id);
|
@@ -683,6 +715,40 @@ error:
|
|
683
715
|
}
|
684
716
|
|
685
717
|
|
718
|
+
static time_t
|
719
|
+
ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time)
|
720
|
+
{
|
721
|
+
u_char *value;
|
722
|
+
size_t len;
|
723
|
+
time_t time;
|
724
|
+
BIO *bio;
|
725
|
+
|
726
|
+
/*
|
727
|
+
* OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME
|
728
|
+
* into time_t. To do this, we use ASN1_GENERALIZEDTIME_print(),
|
729
|
+
* which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
|
730
|
+
* "Feb 3 00:55:52 2015 GMT"), and parse the result.
|
731
|
+
*/
|
732
|
+
|
733
|
+
bio = BIO_new(BIO_s_mem());
|
734
|
+
if (bio == NULL) {
|
735
|
+
return NGX_ERROR;
|
736
|
+
}
|
737
|
+
|
738
|
+
/* fake weekday prepended to match C asctime() format */
|
739
|
+
|
740
|
+
BIO_write(bio, "Tue ", sizeof("Tue ") - 1);
|
741
|
+
ASN1_GENERALIZEDTIME_print(bio, asn1time);
|
742
|
+
len = BIO_get_mem_data(bio, &value);
|
743
|
+
|
744
|
+
time = ngx_parse_http_time(value, len);
|
745
|
+
|
746
|
+
BIO_free(bio);
|
747
|
+
|
748
|
+
return time;
|
749
|
+
}
|
750
|
+
|
751
|
+
|
686
752
|
static void
|
687
753
|
ngx_ssl_stapling_cleanup(void *data)
|
688
754
|
{
|
@@ -1157,7 +1223,7 @@ ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
|
|
1157
1223
|
|
1158
1224
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
|
1159
1225
|
"ssl ocsp request length %z, escape %d",
|
1160
|
-
base64.len, escape);
|
1226
|
+
base64.len, (int) escape);
|
1161
1227
|
|
1162
1228
|
len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
|
1163
1229
|
+ base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
|
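Review bot: In the ngx_ssl_stapling_file hunk, `staple->valid = NGX_MAX_TIME_T_VALUE;` means the new expiry gate `staple->valid >= ngx_time()` added in ngx_ssl_certificate_status_callback can never fail for a response loaded from a file, and this is not documented. Nothing visible in the hunk parses the file's nextUpdate, so a stale file-supplied OCSP response would presumably keep being stapled until the operator replaces it. I would add a comment above the assignment such as `/* file-supplied response: nextUpdate is not checked, the staple never expires on its own */`. Both function bodies extend outside their hunks.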