mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-01 03:17:17 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge of r4401, r4415:

Browse Source 
SSL changes:

*) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.

   Support for TLSv1.1 and TLSv1.2 protocols was introduced in
   OpenSSL 1.0.1 (-beta1 was recently released).  This change makes it
   possible to disable these protocols and/or enable them without other
   protocols.

*) Removed ENGINE_load_builtin_engines() call.

   It's already called by OPENSSL_config().  Calling it again causes
   some openssl engines (notably GOST) to corrupt memory, as they don't
   expect to be created more than once.
This commit is contained in:
Maxim Dounin 2012-02-05 19:15:09 +00:00
parent 28c968a89b
commit 8bfb37e9f0
5 changed files with 34 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/event/ngx_event_openssl.c
View File

@ -78,18 +78,6 @@ ngx_module_t ngx_openssl_module = {
}; };
static long ngx_ssl_protocols[] = {
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,
SSL_OP_NO_TLSv1,
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
SSL_OP_NO_SSLv3,
SSL_OP_NO_SSLv2,
0,
};
int ngx_ssl_connection_index; int ngx_ssl_connection_index;
int ngx_ssl_server_conf_index; int ngx_ssl_server_conf_index;
int ngx_ssl_session_cache_index; int ngx_ssl_session_cache_index;
@ -103,8 +91,6 @@ ngx_ssl_init(ngx_log_t *log)
SSL_library_init(); SSL_library_init();
SSL_load_error_strings(); SSL_load_error_strings();
ENGINE_load_builtin_engines();
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
@ -171,9 +157,25 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
if (ngx_ssl_protocols[protocols >> 1] != 0) { if (!(protocols & NGX_SSL_SSLv2)) {
SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
} }
if (!(protocols & NGX_SSL_SSLv3)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
}
if (!(protocols & NGX_SSL_TLSv1)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
}
#ifdef SSL_OP_NO_TLSv1_1
if (!(protocols & NGX_SSL_TLSv1_1)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
}
#endif
#ifdef SSL_OP_NO_TLSv1_2
if (!(protocols & NGX_SSL_TLSv1_2)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
}
#endif
#ifdef SSL_OP_NO_COMPRESSION #ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);

8
src/event/ngx_event_openssl.h
View File

@ -81,9 +81,11 @@ typedef struct {
#define NGX_SSL_SSLv2 2 #define NGX_SSL_SSLv2 0x0002
#define NGX_SSL_SSLv3 4 #define NGX_SSL_SSLv3 0x0004
#define NGX_SSL_TLSv1 8 #define NGX_SSL_TLSv1 0x0008
#define NGX_SSL_TLSv1_1 0x0010
#define NGX_SSL_TLSv1_2 0x0020
#define NGX_SSL_BUFFER 1 #define NGX_SSL_BUFFER 1

4
src/http/modules/ngx_http_proxy_module.c
View File

@ -2766,7 +2766,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
plcf->upstream.ssl->log = cf->log; plcf->upstream.ssl->log = cf->log;
if (ngx_ssl_create(plcf->upstream.ssl, if (ngx_ssl_create(plcf->upstream.ssl,
NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL) NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
NULL)
!= NGX_OK) != NGX_OK)
{ {
return NGX_ERROR; return NGX_ERROR;

5
src/http/modules/ngx_http_ssl_module.c
View File

@ -37,6 +37,8 @@ static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 }, { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 }, { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 }, { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_null_string, 0 } { ngx_null_string, 0 }
}; };
@ -364,7 +366,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0); prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

5
src/mail/ngx_mail_ssl_module.c
View File

@ -37,6 +37,8 @@ static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = {
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 }, { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 }, { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 }, { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_null_string, 0 } { ngx_null_string, 0 }
}; };
@ -206,7 +208,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0); prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");