Back to home page

Nginx displayed by LXR

Source navigation ]
Diff markup ]
Identifier search ]
general search ]
 
 
Version: nginx-1.15.11 ]​[ nginx-1.14.2 ]​

0001 
0002 /*
0003  * Copyright (C) Igor Sysoev
0004  * Copyright (C) Nginx, Inc.
0005  */
0006 
0007 
0008 #include <ngx_config.h>
0009 #include <ngx_core.h>
0010 #include <ngx_http.h>
0011 
0012 
0013 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
0014     ngx_pool_t *pool, ngx_str_t *s);
0015 
0016 
0017 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
0018 #define NGX_DEFAULT_ECDH_CURVE  "auto"
0019 
0020 #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
0021 
0022 
0023 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
0024 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
0025     const unsigned char **out, unsigned char *outlen,
0026     const unsigned char *in, unsigned int inlen, void *arg);
0027 #endif
0028 
0029 #ifdef TLSEXT_TYPE_next_proto_neg
0030 static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
0031     const unsigned char **out, unsigned int *outlen, void *arg);
0032 #endif
0033 
0034 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
0035     ngx_http_variable_value_t *v, uintptr_t data);
0036 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
0037     ngx_http_variable_value_t *v, uintptr_t data);
0038 
0039 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
0040 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
0041 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
0042     void *parent, void *child);
0043 
0044 static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
0045     ngx_http_ssl_srv_conf_t *conf);
0046 
0047 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
0048     void *conf);
0049 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
0050     void *conf);
0051 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
0052     void *conf);
0053 
0054 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
0055 
0056 
0057 static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
0058     { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
0059     { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
0060     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
0061     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
0062     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
0063     { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
0064     { ngx_null_string, 0 }
0065 };
0066 
0067 
0068 static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
0069     { ngx_string("off"), 0 },
0070     { ngx_string("on"), 1 },
0071     { ngx_string("optional"), 2 },
0072     { ngx_string("optional_no_ca"), 3 },
0073     { ngx_null_string, 0 }
0074 };
0075 
0076 
0077 static ngx_conf_deprecated_t  ngx_http_ssl_deprecated = {
0078     ngx_conf_deprecated, "ssl", "listen ... ssl"
0079 };
0080 
0081 
0082 static ngx_command_t  ngx_http_ssl_commands[] = {
0083 
0084     { ngx_string("ssl"),
0085       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
0086       ngx_http_ssl_enable,
0087       NGX_HTTP_SRV_CONF_OFFSET,
0088       offsetof(ngx_http_ssl_srv_conf_t, enable),
0089       &ngx_http_ssl_deprecated },
0090 
0091     { ngx_string("ssl_certificate"),
0092       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0093       ngx_conf_set_str_array_slot,
0094       NGX_HTTP_SRV_CONF_OFFSET,
0095       offsetof(ngx_http_ssl_srv_conf_t, certificates),
0096       NULL },
0097 
0098     { ngx_string("ssl_certificate_key"),
0099       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0100       ngx_conf_set_str_array_slot,
0101       NGX_HTTP_SRV_CONF_OFFSET,
0102       offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
0103       NULL },
0104 
0105     { ngx_string("ssl_password_file"),
0106       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0107       ngx_http_ssl_password_file,
0108       NGX_HTTP_SRV_CONF_OFFSET,
0109       0,
0110       NULL },
0111 
0112     { ngx_string("ssl_dhparam"),
0113       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0114       ngx_conf_set_str_slot,
0115       NGX_HTTP_SRV_CONF_OFFSET,
0116       offsetof(ngx_http_ssl_srv_conf_t, dhparam),
0117       NULL },
0118 
0119     { ngx_string("ssl_ecdh_curve"),
0120       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0121       ngx_conf_set_str_slot,
0122       NGX_HTTP_SRV_CONF_OFFSET,
0123       offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
0124       NULL },
0125 
0126     { ngx_string("ssl_protocols"),
0127       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
0128       ngx_conf_set_bitmask_slot,
0129       NGX_HTTP_SRV_CONF_OFFSET,
0130       offsetof(ngx_http_ssl_srv_conf_t, protocols),
0131       &ngx_http_ssl_protocols },
0132 
0133     { ngx_string("ssl_ciphers"),
0134       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0135       ngx_conf_set_str_slot,
0136       NGX_HTTP_SRV_CONF_OFFSET,
0137       offsetof(ngx_http_ssl_srv_conf_t, ciphers),
0138       NULL },
0139 
0140     { ngx_string("ssl_buffer_size"),
0141       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0142       ngx_conf_set_size_slot,
0143       NGX_HTTP_SRV_CONF_OFFSET,
0144       offsetof(ngx_http_ssl_srv_conf_t, buffer_size),
0145       NULL },
0146 
0147     { ngx_string("ssl_verify_client"),
0148       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0149       ngx_conf_set_enum_slot,
0150       NGX_HTTP_SRV_CONF_OFFSET,
0151       offsetof(ngx_http_ssl_srv_conf_t, verify),
0152       &ngx_http_ssl_verify },
0153 
0154     { ngx_string("ssl_verify_depth"),
0155       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0156       ngx_conf_set_num_slot,
0157       NGX_HTTP_SRV_CONF_OFFSET,
0158       offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
0159       NULL },
0160 
0161     { ngx_string("ssl_client_certificate"),
0162       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0163       ngx_conf_set_str_slot,
0164       NGX_HTTP_SRV_CONF_OFFSET,
0165       offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
0166       NULL },
0167 
0168     { ngx_string("ssl_trusted_certificate"),
0169       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0170       ngx_conf_set_str_slot,
0171       NGX_HTTP_SRV_CONF_OFFSET,
0172       offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
0173       NULL },
0174 
0175     { ngx_string("ssl_prefer_server_ciphers"),
0176       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
0177       ngx_conf_set_flag_slot,
0178       NGX_HTTP_SRV_CONF_OFFSET,
0179       offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
0180       NULL },
0181 
0182     { ngx_string("ssl_session_cache"),
0183       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
0184       ngx_http_ssl_session_cache,
0185       NGX_HTTP_SRV_CONF_OFFSET,
0186       0,
0187       NULL },
0188 
0189     { ngx_string("ssl_session_tickets"),
0190       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
0191       ngx_conf_set_flag_slot,
0192       NGX_HTTP_SRV_CONF_OFFSET,
0193       offsetof(ngx_http_ssl_srv_conf_t, session_tickets),
0194       NULL },
0195 
0196     { ngx_string("ssl_session_ticket_key"),
0197       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0198       ngx_conf_set_str_array_slot,
0199       NGX_HTTP_SRV_CONF_OFFSET,
0200       offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys),
0201       NULL },
0202 
0203     { ngx_string("ssl_session_timeout"),
0204       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0205       ngx_conf_set_sec_slot,
0206       NGX_HTTP_SRV_CONF_OFFSET,
0207       offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
0208       NULL },
0209 
0210     { ngx_string("ssl_crl"),
0211       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0212       ngx_conf_set_str_slot,
0213       NGX_HTTP_SRV_CONF_OFFSET,
0214       offsetof(ngx_http_ssl_srv_conf_t, crl),
0215       NULL },
0216 
0217     { ngx_string("ssl_stapling"),
0218       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
0219       ngx_conf_set_flag_slot,
0220       NGX_HTTP_SRV_CONF_OFFSET,
0221       offsetof(ngx_http_ssl_srv_conf_t, stapling),
0222       NULL },
0223 
0224     { ngx_string("ssl_stapling_file"),
0225       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0226       ngx_conf_set_str_slot,
0227       NGX_HTTP_SRV_CONF_OFFSET,
0228       offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
0229       NULL },
0230 
0231     { ngx_string("ssl_stapling_responder"),
0232       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
0233       ngx_conf_set_str_slot,
0234       NGX_HTTP_SRV_CONF_OFFSET,
0235       offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
0236       NULL },
0237 
0238     { ngx_string("ssl_stapling_verify"),
0239       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
0240       ngx_conf_set_flag_slot,
0241       NGX_HTTP_SRV_CONF_OFFSET,
0242       offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
0243       NULL },
0244 
0245     { ngx_string("ssl_early_data"),
0246       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
0247       ngx_conf_set_flag_slot,
0248       NGX_HTTP_SRV_CONF_OFFSET,
0249       offsetof(ngx_http_ssl_srv_conf_t, early_data),
0250       NULL },
0251 
0252       ngx_null_command
0253 };
0254 
0255 
0256 static ngx_http_module_t  ngx_http_ssl_module_ctx = {
0257     ngx_http_ssl_add_variables,            /* preconfiguration */
0258     ngx_http_ssl_init,                     /* postconfiguration */
0259 
0260     NULL,                                  /* create main configuration */
0261     NULL,                                  /* init main configuration */
0262 
0263     ngx_http_ssl_create_srv_conf,          /* create server configuration */
0264     ngx_http_ssl_merge_srv_conf,           /* merge server configuration */
0265 
0266     NULL,                                  /* create location configuration */
0267     NULL                                   /* merge location configuration */
0268 };
0269 
0270 
0271 ngx_module_t  ngx_http_ssl_module = {
0272     NGX_MODULE_V1,
0273     &ngx_http_ssl_module_ctx,              /* module context */
0274     ngx_http_ssl_commands,                 /* module directives */
0275     NGX_HTTP_MODULE,                       /* module type */
0276     NULL,                                  /* init master */
0277     NULL,                                  /* init module */
0278     NULL,                                  /* init process */
0279     NULL,                                  /* init thread */
0280     NULL,                                  /* exit thread */
0281     NULL,                                  /* exit process */
0282     NULL,                                  /* exit master */
0283     NGX_MODULE_V1_PADDING
0284 };
0285 
0286 
0287 static ngx_http_variable_t  ngx_http_ssl_vars[] = {
0288 
0289     { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
0290       (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
0291 
0292     { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
0293       (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
0294 
0295     { ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
0296       (uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },
0297 
0298     { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
0299       (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
0300 
0301     { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
0302       (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
0303 
0304     { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
0305       (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
0306 
0307     { ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
0308       (uintptr_t) ngx_ssl_get_early_data,
0309       NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
0310 
0311     { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
0312       (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
0313 
0314     { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
0315       (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
0316 
0317     { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
0318       (uintptr_t) ngx_ssl_get_raw_certificate,
0319       NGX_HTTP_VAR_CHANGEABLE, 0 },
0320 
0321     { ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
0322       (uintptr_t) ngx_ssl_get_escaped_certificate,
0323       NGX_HTTP_VAR_CHANGEABLE, 0 },
0324 
0325     { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
0326       (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
0327 
0328     { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
0329       (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
0330 
0331     { ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
0332       (uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
0333 
0334     { ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
0335       (uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
0336 
0337     { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
0338       (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
0339 
0340     { ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
0341       (uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },
0342 
0343     { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
0344       (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
0345 
0346     { ngx_string("ssl_client_v_start"), NULL, ngx_http_ssl_variable,
0347       (uintptr_t) ngx_ssl_get_client_v_start, NGX_HTTP_VAR_CHANGEABLE, 0 },
0348 
0349     { ngx_string("ssl_client_v_end"), NULL, ngx_http_ssl_variable,
0350       (uintptr_t) ngx_ssl_get_client_v_end, NGX_HTTP_VAR_CHANGEABLE, 0 },
0351 
0352     { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
0353       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
0354 
0355       ngx_http_null_variable
0356 };
0357 
0358 
0359 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
0360 
0361 
0362 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
0363 
0364 static int
0365 ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
0366     unsigned char *outlen, const unsigned char *in, unsigned int inlen,
0367     void *arg)
0368 {
0369     unsigned int            srvlen;
0370     unsigned char          *srv;
0371 #if (NGX_DEBUG)
0372     unsigned int            i;
0373 #endif
0374 #if (NGX_HTTP_V2)
0375     ngx_http_connection_t  *hc;
0376 #endif
0377 #if (NGX_HTTP_V2 || NGX_DEBUG)
0378     ngx_connection_t       *c;
0379 
0380     c = ngx_ssl_get_connection(ssl_conn);
0381 #endif
0382 
0383 #if (NGX_DEBUG)
0384     for (i = 0; i < inlen; i += in[i] + 1) {
0385         ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
0386                        "SSL ALPN supported by client: %*s",
0387                        (size_t) in[i], &in[i + 1]);
0388     }
0389 #endif
0390 
0391 #if (NGX_HTTP_V2)
0392     hc = c->data;
0393 
0394     if (hc->addr_conf->http2) {
0395         srv =
0396            (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
0397         srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
0398 
0399     } else
0400 #endif
0401     {
0402         srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
0403         srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
0404     }
0405 
0406     if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
0407                               in, inlen)
0408         != OPENSSL_NPN_NEGOTIATED)
0409     {
0410         return SSL_TLSEXT_ERR_NOACK;
0411     }
0412 
0413     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
0414                    "SSL ALPN selected: %*s", (size_t) *outlen, *out);
0415 
0416     return SSL_TLSEXT_ERR_OK;
0417 }
0418 
0419 #endif
0420 
0421 
0422 #ifdef TLSEXT_TYPE_next_proto_neg
0423 
0424 static int
0425 ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
0426     const unsigned char **out, unsigned int *outlen, void *arg)
0427 {
0428 #if (NGX_HTTP_V2 || NGX_DEBUG)
0429     ngx_connection_t  *c;
0430 
0431     c = ngx_ssl_get_connection(ssl_conn);
0432     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
0433 #endif
0434 
0435 #if (NGX_HTTP_V2)
0436     {
0437     ngx_http_connection_t  *hc;
0438 
0439     hc = c->data;
0440 
0441     if (hc->addr_conf->http2) {
0442         *out =
0443             (unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
0444         *outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
0445 
0446         return SSL_TLSEXT_ERR_OK;
0447     }
0448     }
0449 #endif
0450 
0451     *out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
0452     *outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
0453 
0454     return SSL_TLSEXT_ERR_OK;
0455 }
0456 
0457 #endif
0458 
0459 
0460 static ngx_int_t
0461 ngx_http_ssl_static_variable(ngx_http_request_t *r,
0462     ngx_http_variable_value_t *v, uintptr_t data)
0463 {
0464     ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;
0465 
0466     size_t     len;
0467     ngx_str_t  s;
0468 
0469     if (r->connection->ssl) {
0470 
0471         (void) handler(r->connection, NULL, &s);
0472 
0473         v->data = s.data;
0474 
0475         for (len = 0; v->data[len]; len++) { /* void */ }
0476 
0477         v->len = len;
0478         v->valid = 1;
0479         v->no_cacheable = 0;
0480         v->not_found = 0;
0481 
0482         return NGX_OK;
0483     }
0484 
0485     v->not_found = 1;
0486 
0487     return NGX_OK;
0488 }
0489 
0490 
0491 static ngx_int_t
0492 ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
0493     uintptr_t data)
0494 {
0495     ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;
0496 
0497     ngx_str_t  s;
0498 
0499     if (r->connection->ssl) {
0500 
0501         if (handler(r->connection, r->pool, &s) != NGX_OK) {
0502             return NGX_ERROR;
0503         }
0504 
0505         v->len = s.len;
0506         v->data = s.data;
0507 
0508         if (v->len) {
0509             v->valid = 1;
0510             v->no_cacheable = 0;
0511             v->not_found = 0;
0512 
0513             return NGX_OK;
0514         }
0515     }
0516 
0517     v->not_found = 1;
0518 
0519     return NGX_OK;
0520 }
0521 
0522 
0523 static ngx_int_t
0524 ngx_http_ssl_add_variables(ngx_conf_t *cf)
0525 {
0526     ngx_http_variable_t  *var, *v;
0527 
0528     for (v = ngx_http_ssl_vars; v->name.len; v++) {
0529         var = ngx_http_add_variable(cf, &v->name, v->flags);
0530         if (var == NULL) {
0531             return NGX_ERROR;
0532         }
0533 
0534         var->get_handler = v->get_handler;
0535         var->data = v->data;
0536     }
0537 
0538     return NGX_OK;
0539 }
0540 
0541 
0542 static void *
0543 ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
0544 {
0545     ngx_http_ssl_srv_conf_t  *sscf;
0546 
0547     sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
0548     if (sscf == NULL) {
0549         return NULL;
0550     }
0551 
0552     /*
0553      * set by ngx_pcalloc():
0554      *
0555      *     sscf->protocols = 0;
0556      *     sscf->certificate_values = NULL;
0557      *     sscf->dhparam = { 0, NULL };
0558      *     sscf->ecdh_curve = { 0, NULL };
0559      *     sscf->client_certificate = { 0, NULL };
0560      *     sscf->trusted_certificate = { 0, NULL };
0561      *     sscf->crl = { 0, NULL };
0562      *     sscf->ciphers = { 0, NULL };
0563      *     sscf->shm_zone = NULL;
0564      *     sscf->stapling_file = { 0, NULL };
0565      *     sscf->stapling_responder = { 0, NULL };
0566      */
0567 
0568     sscf->enable = NGX_CONF_UNSET;
0569     sscf->prefer_server_ciphers = NGX_CONF_UNSET;
0570     sscf->early_data = NGX_CONF_UNSET;
0571     sscf->buffer_size = NGX_CONF_UNSET_SIZE;
0572     sscf->verify = NGX_CONF_UNSET_UINT;
0573     sscf->verify_depth = NGX_CONF_UNSET_UINT;
0574     sscf->certificates = NGX_CONF_UNSET_PTR;
0575     sscf->certificate_keys = NGX_CONF_UNSET_PTR;
0576     sscf->passwords = NGX_CONF_UNSET_PTR;
0577     sscf->builtin_session_cache = NGX_CONF_UNSET;
0578     sscf->session_timeout = NGX_CONF_UNSET;
0579     sscf->session_tickets = NGX_CONF_UNSET;
0580     sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
0581     sscf->stapling = NGX_CONF_UNSET;
0582     sscf->stapling_verify = NGX_CONF_UNSET;
0583 
0584     return sscf;
0585 }
0586 
0587 
0588 static char *
0589 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
0590 {
0591     ngx_http_ssl_srv_conf_t *prev = parent;
0592     ngx_http_ssl_srv_conf_t *conf = child;
0593 
0594     ngx_pool_cleanup_t  *cln;
0595 
0596     if (conf->enable == NGX_CONF_UNSET) {
0597         if (prev->enable == NGX_CONF_UNSET) {
0598             conf->enable = 0;
0599 
0600         } else {
0601             conf->enable = prev->enable;
0602             conf->file = prev->file;
0603             conf->line = prev->line;
0604         }
0605     }
0606 
0607     ngx_conf_merge_value(conf->session_timeout,
0608                          prev->session_timeout, 300);
0609 
0610     ngx_conf_merge_value(conf->prefer_server_ciphers,
0611                          prev->prefer_server_ciphers, 0);
0612 
0613     ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
0614 
0615     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
0616                          (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
0617                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
0618 
0619     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
0620                          NGX_SSL_BUFSIZE);
0621 
0622     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
0623     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
0624 
0625     ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
0626     ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
0627                          NULL);
0628 
0629     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
0630 
0631     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
0632 
0633     ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
0634                          "");
0635     ngx_conf_merge_str_value(conf->trusted_certificate,
0636                          prev->trusted_certificate, "");
0637     ngx_conf_merge_str_value(conf->crl, prev->crl, "");
0638 
0639     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
0640                          NGX_DEFAULT_ECDH_CURVE);
0641 
0642     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
0643 
0644     ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
0645     ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
0646     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
0647     ngx_conf_merge_str_value(conf->stapling_responder,
0648                          prev->stapling_responder, "");
0649 
0650     conf->ssl.log = cf->log;
0651 
0652     if (conf->enable) {
0653 
0654         if (conf->certificates == NULL) {
0655             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
0656                           "no \"ssl_certificate\" is defined for "
0657                           "the \"ssl\" directive in %s:%ui",
0658                           conf->file, conf->line);
0659             return NGX_CONF_ERROR;
0660         }
0661 
0662         if (conf->certificate_keys == NULL) {
0663             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
0664                           "no \"ssl_certificate_key\" is defined for "
0665                           "the \"ssl\" directive in %s:%ui",
0666                           conf->file, conf->line);
0667             return NGX_CONF_ERROR;
0668         }
0669 
0670         if (conf->certificate_keys->nelts < conf->certificates->nelts) {
0671             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
0672                           "no \"ssl_certificate_key\" is defined "
0673                           "for certificate \"%V\" and "
0674                           "the \"ssl\" directive in %s:%ui",
0675                           ((ngx_str_t *) conf->certificates->elts)
0676                           + conf->certificates->nelts - 1,
0677                           conf->file, conf->line);
0678             return NGX_CONF_ERROR;
0679         }
0680 
0681     } else {
0682 
0683         if (conf->certificates == NULL) {
0684             return NGX_CONF_OK;
0685         }
0686 
0687         if (conf->certificate_keys == NULL
0688             || conf->certificate_keys->nelts < conf->certificates->nelts)
0689         {
0690             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
0691                           "no \"ssl_certificate_key\" is defined "
0692                           "for certificate \"%V\"",
0693                           ((ngx_str_t *) conf->certificates->elts)
0694                           + conf->certificates->nelts - 1);
0695             return NGX_CONF_ERROR;
0696         }
0697     }
0698 
0699     if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
0700         return NGX_CONF_ERROR;
0701     }
0702 
0703     cln = ngx_pool_cleanup_add(cf->pool, 0);
0704     if (cln == NULL) {
0705         ngx_ssl_cleanup_ctx(&conf->ssl);
0706         return NGX_CONF_ERROR;
0707     }
0708 
0709     cln->handler = ngx_ssl_cleanup_ctx;
0710     cln->data = &conf->ssl;
0711 
0712 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
0713 
0714     if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
0715                                                ngx_http_ssl_servername)
0716         == 0)
0717     {
0718         ngx_log_error(NGX_LOG_WARN, cf->log, 0,
0719             "nginx was built with SNI support, however, now it is linked "
0720             "dynamically to an OpenSSL library which has no tlsext support, "
0721             "therefore SNI is not available");
0722     }
0723 
0724 #endif
0725 
0726 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
0727     SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
0728 #endif
0729 
0730 #ifdef TLSEXT_TYPE_next_proto_neg
0731     SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
0732                                           ngx_http_ssl_npn_advertised, NULL);
0733 #endif
0734 
0735     if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
0736         return NGX_CONF_ERROR;
0737     }
0738 
0739     if (conf->certificate_values) {
0740 
0741 #ifdef SSL_R_CERT_CB_ERROR
0742 
0743         /* install callback to lookup certificates */
0744 
0745         SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);
0746 
0747 #else
0748         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
0749                       "variables in "
0750                       "\"ssl_certificate\" and \"ssl_certificate_key\" "
0751                       "directives are not supported on this platform");
0752         return NGX_CONF_ERROR;
0753 #endif
0754 
0755     } else {
0756 
0757         /* configure certificates */
0758 
0759         if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
0760                                  conf->certificate_keys, conf->passwords)
0761             != NGX_OK)
0762         {
0763             return NGX_CONF_ERROR;
0764         }
0765     }
0766 
0767     if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
0768                         conf->prefer_server_ciphers)
0769         != NGX_OK)
0770     {
0771         return NGX_CONF_ERROR;
0772     }
0773 
0774     conf->ssl.buffer_size = conf->buffer_size;
0775 
0776     if (conf->verify) {
0777 
0778         if (conf->client_certificate.len == 0 && conf->verify != 3) {
0779             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
0780                           "no ssl_client_certificate for ssl_client_verify");
0781             return NGX_CONF_ERROR;
0782         }
0783 
0784         if (ngx_ssl_client_certificate(cf, &conf->ssl,
0785                                        &conf->client_certificate,
0786                                        conf->verify_depth)
0787             != NGX_OK)
0788         {
0789             return NGX_CONF_ERROR;
0790         }
0791     }
0792 
0793     if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
0794                                     &conf->trusted_certificate,
0795                                     conf->verify_depth)
0796         != NGX_OK)
0797     {
0798         return NGX_CONF_ERROR;
0799     }
0800 
0801     if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
0802         return NGX_CONF_ERROR;
0803     }
0804 
0805     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
0806         return NGX_CONF_ERROR;
0807     }
0808 
0809     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
0810         return NGX_CONF_ERROR;
0811     }
0812 
0813     ngx_conf_merge_value(conf->builtin_session_cache,
0814                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
0815 
0816     if (conf->shm_zone == NULL) {
0817         conf->shm_zone = prev->shm_zone;
0818     }
0819 
0820     if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
0821                               conf->certificates, conf->builtin_session_cache,
0822                               conf->shm_zone, conf->session_timeout)
0823         != NGX_OK)
0824     {
0825         return NGX_CONF_ERROR;
0826     }
0827 
0828     ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1);
0829 
0830 #ifdef SSL_OP_NO_TICKET
0831     if (!conf->session_tickets) {
0832         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
0833     }
0834 #endif
0835 
0836     ngx_conf_merge_ptr_value(conf->session_ticket_keys,
0837                          prev->session_ticket_keys, NULL);
0838 
0839     if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
0840         != NGX_OK)
0841     {
0842         return NGX_CONF_ERROR;
0843     }
0844 
0845     if (conf->stapling) {
0846 
0847         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
0848                              &conf->stapling_responder, conf->stapling_verify)
0849             != NGX_OK)
0850         {
0851             return NGX_CONF_ERROR;
0852         }
0853 
0854     }
0855 
0856     if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
0857         return NGX_CONF_ERROR;
0858     }
0859 
0860     return NGX_CONF_OK;
0861 }
0862 
0863 
0864 static ngx_int_t
0865 ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
0866     ngx_http_ssl_srv_conf_t *conf)
0867 {
0868     ngx_str_t                         *cert, *key;
0869     ngx_uint_t                         i, nelts;
0870     ngx_http_complex_value_t          *cv;
0871     ngx_http_compile_complex_value_t   ccv;
0872 
0873     cert = conf->certificates->elts;
0874     key = conf->certificate_keys->elts;
0875     nelts = conf->certificates->nelts;
0876 
0877     for (i = 0; i < nelts; i++) {
0878 
0879         if (ngx_http_script_variables_count(&cert[i])) {
0880             goto found;
0881         }
0882 
0883         if (ngx_http_script_variables_count(&key[i])) {
0884             goto found;
0885         }
0886     }
0887 
0888     return NGX_OK;
0889 
0890 found:
0891 
0892     conf->certificate_values = ngx_array_create(cf->pool, nelts,
0893                                              sizeof(ngx_http_complex_value_t));
0894     if (conf->certificate_values == NULL) {
0895         return NGX_ERROR;
0896     }
0897 
0898     conf->certificate_key_values = ngx_array_create(cf->pool, nelts,
0899                                              sizeof(ngx_http_complex_value_t));
0900     if (conf->certificate_key_values == NULL) {
0901         return NGX_ERROR;
0902     }
0903 
0904     for (i = 0; i < nelts; i++) {
0905 
0906         cv = ngx_array_push(conf->certificate_values);
0907         if (cv == NULL) {
0908             return NGX_ERROR;
0909         }
0910 
0911         ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
0912 
0913         ccv.cf = cf;
0914         ccv.value = &cert[i];
0915         ccv.complex_value = cv;
0916         ccv.zero = 1;
0917 
0918         if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
0919             return NGX_ERROR;
0920         }
0921 
0922         cv = ngx_array_push(conf->certificate_key_values);
0923         if (cv == NULL) {
0924             return NGX_ERROR;
0925         }
0926 
0927         ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
0928 
0929         ccv.cf = cf;
0930         ccv.value = &key[i];
0931         ccv.complex_value = cv;
0932         ccv.zero = 1;
0933 
0934         if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
0935             return NGX_ERROR;
0936         }
0937     }
0938 
0939     conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
0940     if (conf->passwords == NULL) {
0941         return NGX_ERROR;
0942     }
0943 
0944     return NGX_OK;
0945 }
0946 
0947 
0948 static char *
0949 ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
0950 {
0951     ngx_http_ssl_srv_conf_t *sscf = conf;
0952 
0953     char  *rv;
0954 
0955     rv = ngx_conf_set_flag_slot(cf, cmd, conf);
0956 
0957     if (rv != NGX_CONF_OK) {
0958         return rv;
0959     }
0960 
0961     sscf->file = cf->conf_file->file.name.data;
0962     sscf->line = cf->conf_file->line;
0963 
0964     return NGX_CONF_OK;
0965 }
0966 
0967 
0968 static char *
0969 ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
0970 {
0971     ngx_http_ssl_srv_conf_t *sscf = conf;
0972 
0973     ngx_str_t  *value;
0974 
0975     if (sscf->passwords != NGX_CONF_UNSET_PTR) {
0976         return "is duplicate";
0977     }
0978 
0979     value = cf->args->elts;
0980 
0981     sscf->passwords = ngx_ssl_read_password_file(cf, &value[1]);
0982 
0983     if (sscf->passwords == NULL) {
0984         return NGX_CONF_ERROR;
0985     }
0986 
0987     return NGX_CONF_OK;
0988 }
0989 
0990 
0991 static char *
0992 ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
0993 {
0994     ngx_http_ssl_srv_conf_t *sscf = conf;
0995 
0996     size_t       len;
0997     ngx_str_t   *value, name, size;
0998     ngx_int_t    n;
0999     ngx_uint_t   i, j;
1000 
1001     value = cf->args->elts;
1002 
1003     for (i = 1; i < cf->args->nelts; i++) {
1004 
1005         if (ngx_strcmp(value[i].data, "off") == 0) {
1006             sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
1007             continue;
1008         }
1009 
1010         if (ngx_strcmp(value[i].data, "none") == 0) {
1011             sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
1012             continue;
1013         }
1014 
1015         if (ngx_strcmp(value[i].data, "builtin") == 0) {
1016             sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
1017             continue;
1018         }
1019 
1020         if (value[i].len > sizeof("builtin:") - 1
1021             && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
1022                == 0)
1023         {
1024             n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
1025                          value[i].len - (sizeof("builtin:") - 1));
1026 
1027             if (n == NGX_ERROR) {
1028                 goto invalid;
1029             }
1030 
1031             sscf->builtin_session_cache = n;
1032 
1033             continue;
1034         }
1035 
1036         if (value[i].len > sizeof("shared:") - 1
1037             && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
1038                == 0)
1039         {
1040             len = 0;
1041 
1042             for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
1043                 if (value[i].data[j] == ':') {
1044                     break;
1045                 }
1046 
1047                 len++;
1048             }
1049 
1050             if (len == 0) {
1051                 goto invalid;
1052             }
1053 
1054             name.len = len;
1055             name.data = value[i].data + sizeof("shared:") - 1;
1056 
1057             size.len = value[i].len - j - 1;
1058             size.data = name.data + len + 1;
1059 
1060             n = ngx_parse_size(&size);
1061 
1062             if (n == NGX_ERROR) {
1063                 goto invalid;
1064             }
1065 
1066             if (n < (ngx_int_t) (8 * ngx_pagesize)) {
1067                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
1068                                    "session cache \"%V\" is too small",
1069                                    &value[i]);
1070 
1071                 return NGX_CONF_ERROR;
1072             }
1073 
1074             sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
1075                                                    &ngx_http_ssl_module);
1076             if (sscf->shm_zone == NULL) {
1077                 return NGX_CONF_ERROR;
1078             }
1079 
1080             sscf->shm_zone->init = ngx_ssl_session_cache_init;
1081 
1082             continue;
1083         }
1084 
1085         goto invalid;
1086     }
1087 
1088     if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
1089         sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
1090     }
1091 
1092     return NGX_CONF_OK;
1093 
1094 invalid:
1095 
1096     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
1097                        "invalid session cache \"%V\"", &value[i]);
1098 
1099     return NGX_CONF_ERROR;
1100 }
1101 
1102 
1103 static ngx_int_t
1104 ngx_http_ssl_init(ngx_conf_t *cf)
1105 {
1106     ngx_uint_t                   a, p, s;
1107     ngx_http_conf_addr_t        *addr;
1108     ngx_http_conf_port_t        *port;
1109     ngx_http_ssl_srv_conf_t     *sscf;
1110     ngx_http_core_loc_conf_t    *clcf;
1111     ngx_http_core_srv_conf_t   **cscfp, *cscf;
1112     ngx_http_core_main_conf_t   *cmcf;
1113 
1114     cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
1115     cscfp = cmcf->servers.elts;
1116 
1117     for (s = 0; s < cmcf->servers.nelts; s++) {
1118 
1119         sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
1120 
1121         if (sscf->ssl.ctx == NULL || !sscf->stapling) {
1122             continue;
1123         }
1124 
1125         clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
1126 
1127         if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
1128                                       clcf->resolver_timeout)
1129             != NGX_OK)
1130         {
1131             return NGX_ERROR;
1132         }
1133     }
1134 
1135     if (cmcf->ports == NULL) {
1136         return NGX_OK;
1137     }
1138 
1139     port = cmcf->ports->elts;
1140     for (p = 0; p < cmcf->ports->nelts; p++) {
1141 
1142         addr = port[p].addrs.elts;
1143         for (a = 0; a < port[p].addrs.nelts; a++) {
1144 
1145             if (!addr[a].opt.ssl) {
1146                 continue;
1147             }
1148 
1149             cscf = addr[a].default_server;
1150             sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
1151 
1152             if (sscf->certificates == NULL) {
1153                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
1154                               "no \"ssl_certificate\" is defined for "
1155                               "the \"listen ... ssl\" directive in %s:%ui",
1156                               cscf->file_name, cscf->line);
1157                 return NGX_ERROR;
1158             }
1159         }
1160     }
1161 
1162     return NGX_OK;
1163 }