details: http://hg.nginx.org/nginx/rev/e75e854657ba
branches:
changeset: 6817:e75e854657ba
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Dec 05 22:23:23 2016 +0300
description:
SSL: $ssl_curves (ticket #1088).

The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session. As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.

diffstat:

src/event/ngx_event_openssl.c | 68 ++++++++++++++++++++++++++++++++++
src/event/ngx_event_openssl.h | 2 +
src/http/modules/ngx_http_ssl_module.c | 3 +
src/stream/ngx_stream_ssl_module.c | 3 +
4 files changed, 76 insertions(+), 0 deletions(-)

diffs (116 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3378,6 +3378,74 @@ ngx_ssl_get_ciphers(ngx_connection_t *c,


ngx_int_t
+ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+#ifdef SSL_CTRL_GET_CURVES
+
+ int *curves, n, i, nid;
+ u_char *p;
+ size_t len;
+
+ n = SSL_get1_curves(c->ssl->connection, NULL);
+
+ if (n <= 0) {
+ s->len = 0;
+ return NGX_OK;
+ }
+
+ curves = ngx_palloc(pool, n * sizeof(int));
+
+ n = SSL_get1_curves(c->ssl->connection, curves);
+ len = 0;
+
+ for (i = 0; i < n; i++) {
+ nid = curves[i];
+
+ if (nid & TLSEXT_nid_unknown) {
+ len += sizeof("0x0000") - 1;
+
+ } else {
+ len += ngx_strlen(OBJ_nid2sn(nid));
+ }
+
+ len += sizeof(":") - 1;
+ }
+
+ s->data = ngx_pnalloc(pool, len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ p = s->data;
+
+ for (i = 0; i < n; i++) {
+ nid = curves[i];
+
+ if (nid & TLSEXT_nid_unknown) {
+ p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
+
+ } else {
+ p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
+ }
+
+ *p++ = ':';
+ }
+
+ p--;
+
+ s->len = p - s->data;
+
+#else
+
+ s->len = 0;
+
+#endif
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
u_char *buf;
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -193,6 +193,8 @@ ngx_int_t ngx_ssl_get_cipher_name(ngx_co
ngx_str_t *s);
ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -279,6 +279,9 @@ static ngx_http_variable_t ngx_http_ssl
{ ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -185,6 +185,9 @@ static ngx_stream_variable_t ngx_stream
{ ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel