SSL: ngx_ssl_ciphers() to set list of ciphers.
This patch moves various OpenSSL-specific function calls into the OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more crypto-library-agnostic.
This commit is contained in:
parent
6e38998bac
commit
4f578bfcab
@ -591,6 +591,30 @@ ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
|
||||||
|
ngx_uint_t prefer_server_ciphers)
|
||||||
|
{
|
||||||
|
if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
|
||||||
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||||
|
"SSL_CTX_set_cipher_list(\"%V\") failed",
|
||||||
|
ciphers);
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (prefer_server_ciphers) {
|
||||||
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||||
|
}
|
||||||
|
|
||||||
|
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
|
||||||
|
/* a temporary 512-bit RSA key is required for export versions of MSIE */
|
||||||
|
SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
||||||
ngx_int_t depth)
|
ngx_int_t depth)
|
||||||
|
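Review bot: ngx_ssl_ciphers() reports an SSL_CTX_set_cipher_list() failure through `ssl->log`, while every call site it replaces (proxy, uwsgi, mail, stream and http ssl hunks below) logged through `cf->log`, and `cf` is otherwise unused in the body; presumably each caller assigns `ssl->log` before calling, but that precondition is not stated anywhere. A short header comment above the new `ngx_int_t` would cover it, e.g. `/* applies ciphers to ssl->ctx and, if prefer_server_ciphers is set, lets the server's order win; ssl->log must already be set */`. The `(char *) ciphers->data` cast drops the `const` the removed call sites used with `(const char *)`; `(const char *)` matches SSL_CTX_set_cipher_list's prototype and keeps the existing reliance on a NUL-terminated ngx_str_t unchanged. Under the OPENSSL_VERSION_NUMBER guard the temporary 512-bit RSA callback is now installed for every caller, including the client-side upstream contexts in the proxy, uwsgi and stream proxy hunks which, at least within the hunks shown, did not set it before; as far as I can tell that callback only matters when the configured list admits export-grade RSA key exchange, so a sentence noting the change in the comment would help the next reader.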
@ -144,6 +144,8 @@ ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
|||||||
ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
|
ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
|
||||||
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
|
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
|
||||||
|
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
|
||||||
|
ngx_uint_t prefer_server_ciphers);
|
||||||
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
ngx_str_t *cert, ngx_int_t depth);
|
ngx_str_t *cert, ngx_int_t depth);
|
||||||
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
|
@ -4323,13 +4323,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
|
if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
|
||||||
(const char *) plcf->ssl_ciphers.data)
|
!= NGX_OK)
|
||||||
== 0)
|
|
||||||
{
|
{
|
||||||
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
|
|
||||||
"SSL_CTX_set_cipher_list(\"%V\") failed",
|
|
||||||
&plcf->ssl_ciphers);
|
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -689,13 +689,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
|
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
|
||||||
(const char *) conf->ciphers.data)
|
conf->prefer_server_ciphers)
|
||||||
== 0)
|
!= NGX_OK)
|
||||||
{
|
{
|
||||||
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
|
|
||||||
"SSL_CTX_set_cipher_list(\"%V\") failed",
|
|
||||||
&conf->ciphers);
|
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -730,15 +727,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (conf->prefer_server_ciphers) {
|
|
||||||
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
||||||
}
|
|
||||||
|
|
||||||
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
|
|
||||||
/* a temporary 512-bit RSA key is required for export versions of MSIE */
|
|
||||||
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
@ -2325,13 +2325,9 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_set_cipher_list(uwcf->upstream.ssl->ctx,
|
if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
|
||||||
(const char *) uwcf->ssl_ciphers.data)
|
!= NGX_OK)
|
||||||
== 0)
|
|
||||||
{
|
{
|
||||||
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
|
|
||||||
"SSL_CTX_set_cipher_list(\"%V\") failed",
|
|
||||||
&uwcf->ssl_ciphers);
|
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -422,24 +422,13 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
|
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
|
||||||
(const char *) conf->ciphers.data)
|
conf->prefer_server_ciphers)
|
||||||
== 0)
|
!= NGX_OK)
|
||||||
{
|
{
|
||||||
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
|
|
||||||
"SSL_CTX_set_cipher_list(\"%V\") failed",
|
|
||||||
&conf->ciphers);
|
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (conf->prefer_server_ciphers) {
|
|
||||||
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
||||||
}
|
|
||||||
|
|
||||||
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
|
|
||||||
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
@ -1640,13 +1640,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_set_cipher_list(pscf->ssl->ctx,
|
if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
|
||||||
(const char *) pscf->ssl_ciphers.data)
|
|
||||||
== 0)
|
|
||||||
{
|
|
||||||
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
|
|
||||||
"SSL_CTX_set_cipher_list(\"%V\") failed",
|
|
||||||
&pscf->ssl_ciphers);
|
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -266,24 +266,13 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
|
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
|
||||||
(const char *) conf->ciphers.data)
|
conf->prefer_server_ciphers)
|
||||||
== 0)
|
!= NGX_OK)
|
||||||
{
|
{
|
||||||
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
|
|
||||||
"SSL_CTX_set_cipher_list(\"%V\") failed",
|
|
||||||
&conf->ciphers);
|
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (conf->prefer_server_ciphers) {
|
|
||||||
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
||||||
}
|
|
||||||
|
|
||||||
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
|
|
||||||
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|