SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.

In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so conditional compilation test on it results in SSL_clear_options() and SSL_CTX_clear_options() not being used. Notably, this caused "ssl_prefer_server_ciphers off" to not work in SNI-based virtual servers if server preference was switched on in the default server. It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER explicitly.
author: Maxim Dounin <mdounin@mdounin.ru> 2018-07-16 17:47:20 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2018-07-16 17:47:20 +0300
commit: f7dd520ba55bf5af871c40aa87a22c5255c6f754 (patch)
tree: 4195e2af8d04638f044973692db2018fb4dd0eff /src/http
parent: 1ef51847ca4b9c548c68abee801e2ea8047e80a3 (diff)
download: nginx-f7dd520ba55bf5af871c40aa87a22c5255c6f754.tar.gz
nginx-f7dd520ba55bf5af871c40aa87a22c5255c6f754.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 2db7a6279..c88c2710b 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -923,7 +923,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 
         SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
 
-#ifdef SSL_CTRL_CLEAR_OPTIONS
+#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
         /* only in 0.9.8m+ */
         SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
                                     ~SSL_CTX_get_options(sscf->ssl.ctx));
author	Maxim Dounin <mdounin@mdounin.ru>	2018-07-16 17:47:20 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2018-07-16 17:47:20 +0300
commit	f7dd520ba55bf5af871c40aa87a22c5255c6f754 (patch)
tree	4195e2af8d04638f044973692db2018fb4dd0eff /src/http
parent	1ef51847ca4b9c548c68abee801e2ea8047e80a3 (diff)
download	nginx-f7dd520ba55bf5af871c40aa87a22c5255c6f754.tar.gz nginx-f7dd520ba55bf5af871c40aa87a22c5255c6f754.tar.bz2