authorMaxim Dounin <mdounin@mdounin.ru>2012-02-05 19:15:09 +0000
committerMaxim Dounin <mdounin@mdounin.ru>2012-02-05 19:15:09 +0000
commit8bfb37e9f0e808483cd9754c020292a9cb35e342 (patch)
treef1107f3e002ff53f9272e531185b0ecb3640a835 /src/event
parent28c968a89b78e2002c9628ff6b02caaba9d3569f (diff)
Merge of r4401, r4415:
SSL changes: *) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1 (-beta1 was recently released). This change makes it possible to disable these protocols and/or enable them without other protocols. *) Removed ENGINE_load_builtin_engines() call. It's already called by OPENSSL_config(). Calling it again causes some openssl engines (notably GOST) to corrupt memory, as they don't expect to be created more than once.
Diffstat (limited to 'src/event')
-rw-r--r--src/event/ngx_event_openssl.c34
-rw-r--r--src/event/ngx_event_openssl.h8
2 files changed, 23 insertions, 19 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 82936906f..109464540 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -78,18 +78,6 @@ ngx_module_t ngx_openssl_module = {
};
-static long ngx_ssl_protocols[] = {
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,
- SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
- SSL_OP_NO_SSLv3,
- SSL_OP_NO_SSLv2,
- 0,
-};
-
-
int ngx_ssl_connection_index;
int ngx_ssl_server_conf_index;
int ngx_ssl_session_cache_index;
@@ -103,8 +91,6 @@ ngx_ssl_init(ngx_log_t *log)
SSL_library_init();
SSL_load_error_strings();
- ENGINE_load_builtin_engines();
-
OpenSSL_add_all_algorithms();
ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
@@ -171,9 +157,25 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
- if (ngx_ssl_protocols[protocols >> 1] != 0) {
- SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
+ if (!(protocols & NGX_SSL_SSLv2)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
+ }
+ if (!(protocols & NGX_SSL_SSLv3)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
}
+ if (!(protocols & NGX_SSL_TLSv1)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
+ }
+#ifdef SSL_OP_NO_TLSv1_1
+ if (!(protocols & NGX_SSL_TLSv1_1)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+ }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (!(protocols & NGX_SSL_TLSv1_2)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
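Review bot: When the build's OpenSSL predates SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2, the two `#ifdef` blocks compile out, so a `protocols` mask containing only NGX_SSL_TLSv1_1 or NGX_SSL_TLSv1_2 makes the three unconditional branches disable SSLv2, SSLv3 and TLSv1 and leaves the context with no negotiable protocol; nothing in the hunk reports that case, so every handshake will fail at runtime with no hint at configuration time. A comment above the first `#ifdef` would at least make the limitation visible: `/* protocols unknown to this OpenSSL cannot be enabled; a mask naming only TLSv1.1/1.2 disables everything */`. A stronger fix is to return an error (or at least log) from this point when the mask contains none of the bits this OpenSSL can honour, and the same `#ifdef` pattern should be reflected wherever the ssl_protocols directive is parsed. Note also that the old table implicitly left TLSv1.1/1.2 enabled whenever OpenSSL supported them, whereas the new code disables each protocol whose bit is clear; presumably the default mask in the http and mail ssl modules (outside this diffstat) is updated to include the new bits, otherwise builds against OpenSSL 1.0.1 would silently lose those protocols by default. ngx_ssl_create starts before and continues after this hunk.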
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 33cab7b3c..0b5b7c8de 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -81,9 +81,11 @@ typedef struct {
-#define NGX_SSL_SSLv2 2
-#define NGX_SSL_SSLv3 4
-#define NGX_SSL_TLSv1 8
+#define NGX_SSL_SSLv2 0x0002
+#define NGX_SSL_SSLv3 0x0004
+#define NGX_SSL_TLSv1 0x0008
+#define NGX_SSL_TLSv1_1 0x0010
+#define NGX_SSL_TLSv1_2 0x0020
#define NGX_SSL_BUFFER 1
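Review bot: The new protocol bits are added without any comment explaining why the series starts at 0x0002, although the very next line defines NGX_SSL_BUFFER as 1; a reader extending the list cannot tell whether 0x0001 is deliberately reserved. A short comment above NGX_SSL_SSLv2 would capture the intent, e.g. `/* protocol bits for ngx_ssl_create(); 0x0001 is not used here (see NGX_SSL_BUFFER) */`, adjusted if the buffer flag really does share the same mask, which this hunk does not show. Since the .c side only honours NGX_SSL_TLSv1_1 and NGX_SSL_TLSv1_2 when the OpenSSL headers define the matching SSL_OP_NO_* options, that dependency is worth a one-line note next to the two new defines as well.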