Fijxu/nginx-quic
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

SSL: $ssl_ciphers (ticket #870).

Browse source 
The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers().  It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session.  As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.
This commit is contained in:
Maxim Dounin 2016-12-05 22:23:23 +03:00
parent db21612f0d
commit 81b3808de2
4 changed files with 92 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
src/event/ngx_event_openssl.c
View file

@ -3293,6 +3293,90 @@ ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
}
ngx_int_t
ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
#ifdef SSL_CTRL_GET_RAW_CIPHERLIST
int n, i, bytes;
size_t len;
u_char *ciphers, *p;
const SSL_CIPHER *cipher;
bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL);
n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers);
if (n <= 0) {
s->len = 0;
return NGX_OK;
}
len = 0;
n /= bytes;
for (i = 0; i < n; i++) {
cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
if (cipher) {
len += ngx_strlen(SSL_CIPHER_get_name(cipher));
} else {
len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1);
}
len += sizeof(":") - 1;
}
s->data = ngx_pnalloc(pool, len);
if (s->data == NULL) {
return NGX_ERROR;
}
p = s->data;
for (i = 0; i < n; i++) {
cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
if (cipher) {
p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher));
} else {
p = ngx_sprintf(p, "0x");
p = ngx_hex_dump(p, ciphers + i * bytes, bytes);
}
*p++ = ':';
}
p--;
s->len = p - s->data;
#else
u_char buf[4096];
if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096)
== NULL)
{
s->len = 0;
return NGX_OK;
}
s->len = ngx_strlen(buf);
s->data = ngx_pnalloc(pool, s->len);
if (s->data == NULL) {
return NGX_ERROR;
}
ngx_memcpy(s->data, buf, s->len);
#endif
return NGX_OK;
}
ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{

2
src/event/ngx_event_openssl.h
View file

@ -191,6 +191,8 @@ ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,

3
src/http/modules/ngx_http_ssl_module.c
View file

@ -276,6 +276,9 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
{ ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
{ ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

3
src/stream/ngx_stream_ssl_module.c
View file

@ -182,6 +182,9 @@ static ngx_stream_variable_t ngx_stream_ssl_vars[] = {
{ ngx_string("ssl_cipher"), NULL, ngx_stream_ssl_static_variable,
(uintptr_t) ngx_ssl_get_cipher_name, NGX_STREAM_VAR_CHANGEABLE, 0 },
{ ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 },
{ ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },