Mercurial > hg > nginx-quic
annotate auto/lib/openssl/make @ 6982:ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation). On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.
On the client side the situation is different though. There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems. This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).
Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt. This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 18 Apr 2017 16:08:44 +0300 |
| parents | 09d5a22c76bd |
| children | b329c0ab1a48 |
| rev | line source |
|---|---|
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
1 |
|
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
2 # Copyright (C) Igor Sysoev |
| 4412 | 3 # Copyright (C) Nginx, Inc. |
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
4 |
| 583 | 5 |
|
2712
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
6 case "$CC" in |
|
2846
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
7 |
|
2712
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
8 cl) |
|
2846
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
9 |
|
2712
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
10 cat << END >> $NGX_MAKEFILE |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
11 |
|
2846
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
12 $OPENSSL/openssl/include/openssl/ssl.h: $NGX_MAKEFILE |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
13 \$(MAKE) -f auto/lib/openssl/makefile.msvc \ |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
14 OPENSSL="$OPENSSL" OPENSSL_OPT="$OPENSSL_OPT" |
|
2712
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
15 |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
16 END |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
17 |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
18 ;; |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
19 |
|
2897
d5d3fe7197cc
*) use no-threads for Unix builds only
Igor Sysoev <igor@sysoev.ru>
parents:
2879
diff
changeset
|
20 bcc32) |
|
2846
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
21 |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
22 ngx_opt=`echo "-DOPENSSL=\"$OPENSSL\" -DOPENSSL_OPT=\"$OPENSSL_OPT\"" \ |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
23 | sed -e "s/\//$ngx_regex_dirsep/g"` |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
24 |
|
2712
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
25 cat << END >> $NGX_MAKEFILE |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
26 |
|
2846
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
27 `echo "$OPENSSL\\openssl\\lib\\libeay32.lib: \ |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
28 $OPENSSL\\openssl\\include\\openssl\\ssl.h" \ |
|
2712
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
29 | sed -e "s/\//$ngx_regex_dirsep/g"` |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
30 |
|
2846
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
31 `echo "$OPENSSL\\openssl\\lib\\ssleay32.lib: \ |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
32 $OPENSSL\\openssl\\include\\openssl\\ssl.h" \ |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
33 | sed -e "s/\//$ngx_regex_dirsep/g"` |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
34 |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
35 `echo "$OPENSSL\\openssl\\include\\openssl\\ssl.h: $NGX_MAKEFILE" \ |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
36 | sed -e "s/\//$ngx_regex_dirsep/g"` |
|
dfec0e090265
fix building OpenSSL on Win32
Igor Sysoev <igor@sysoev.ru>
parents:
2838
diff
changeset
|
37 \$(MAKE) -f auto/lib/openssl/makefile.bcc $ngx_opt |
|
2712
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
38 |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
39 END |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
40 |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
41 ;; |
|
41f993457021
OpenSSL building by MSVC and BCC from sources
Igor Sysoev <igor@sysoev.ru>
parents:
1005
diff
changeset
|
42 |
|
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
43 *) |
|
2897
d5d3fe7197cc
*) use no-threads for Unix builds only
Igor Sysoev <igor@sysoev.ru>
parents:
2879
diff
changeset
|
44 case $OPENSSL in |
|
3168
83c940b0d18a
allow "make clean" for OpenSSL, the bug was introduced in r2874
Igor Sysoev <igor@sysoev.ru>
parents:
2897
diff
changeset
|
45 /*) ngx_prefix="$OPENSSL/.openssl" ;; |
|
83c940b0d18a
allow "make clean" for OpenSSL, the bug was introduced in r2874
Igor Sysoev <igor@sysoev.ru>
parents:
2897
diff
changeset
|
46 *) ngx_prefix="$PWD/$OPENSSL/.openssl" ;; |
|
2879
824d885aa0b1
allow absolute path in --with-openssl=
Igor Sysoev <igor@sysoev.ru>
parents:
2873
diff
changeset
|
47 esac |
|
824d885aa0b1
allow absolute path in --with-openssl=
Igor Sysoev <igor@sysoev.ru>
parents:
2873
diff
changeset
|
48 |
| 501 | 49 cat << END >> $NGX_MAKEFILE |
| 50 | |
|
3168
83c940b0d18a
allow "make clean" for OpenSSL, the bug was introduced in r2874
Igor Sysoev <igor@sysoev.ru>
parents:
2897
diff
changeset
|
51 $OPENSSL/.openssl/include/openssl/ssl.h: $NGX_MAKEFILE |
| 501 | 52 cd $OPENSSL \\ |
|
5438
f817f9d1cded
Configure: call "make clean" for OpenSSL only if Makefile exists.
Piotr Sikora <piotr@cloudflare.com>
parents:
4412
diff
changeset
|
53 && if [ -f Makefile ]; then \$(MAKE) clean; fi \\ |
|
2879
824d885aa0b1
allow absolute path in --with-openssl=
Igor Sysoev <igor@sysoev.ru>
parents:
2873
diff
changeset
|
54 && ./config --prefix=$ngx_prefix no-shared $OPENSSL_OPT \\ |
| 2873 | 55 && \$(MAKE) \\ |
|
6404
09d5a22c76bd
Configure: skip building OpenSSL documentation to conserve time.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6017
diff
changeset
|
56 && \$(MAKE) install_sw LIBDIR=lib |
| 501 | 57 |
| 58 END | |
| 59 | |
|
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
60 ;; |
|
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
61 |
|
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
62 esac |