comparison src/http/modules/ngx_http_ssl_module.c @ 7904:419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
Loading old/weak server or client certificates may require adjusting the
security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 16 Aug 2021 22:40:31 +0300 |
parents | 7ce28b4cc57e |
children | 61abb35bb8cf fac88e160653 |
7903:f2ddd0c491bf | 7904:419c066cb710 |
---|---|
795 #ifdef TLSEXT_TYPE_next_proto_neg | 795 #ifdef TLSEXT_TYPE_next_proto_neg |
796 SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx, | 796 SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx, |
797 ngx_http_ssl_npn_advertised, NULL); | 797 ngx_http_ssl_npn_advertised, NULL); |
798 #endif | 798 #endif |
799 | 799 |
800 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, | |
801 conf->prefer_server_ciphers) | |
802 != NGX_OK) | |
803 { | |
804 return NGX_CONF_ERROR; | |
805 } | |
806 | |
800 if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) { | 807 if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) { |
801 return NGX_CONF_ERROR; | 808 return NGX_CONF_ERROR; |
802 } | 809 } |
803 | 810 |
804 if (conf->certificate_values) { | 811 if (conf->certificate_values) { |
825 conf->certificate_keys, conf->passwords) | 832 conf->certificate_keys, conf->passwords) |
826 != NGX_OK) | 833 != NGX_OK) |
827 { | 834 { |
828 return NGX_CONF_ERROR; | 835 return NGX_CONF_ERROR; |
829 } | 836 } |
830 } | |
831 | |
832 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, | |
833 conf->prefer_server_ciphers) | |
834 != NGX_OK) | |
835 { | |
836 return NGX_CONF_ERROR; | |
837 } | 837 } |
838 | 838 |
839 conf->ssl.buffer_size = conf->buffer_size; | 839 conf->ssl.buffer_size = conf->buffer_size; |
840 | 840 |
841 if (conf->verify) { | 841 if (conf->verify) { |
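Review bot: The new placement of the ngx_ssl_ciphers() call ahead of ngx_http_ssl_compile_certificates() (new lines 800-806) is order-dependent but carries no comment, so a future tidy-up could move it back below the certificate loading and silently reintroduce ticket #2035. A short why-comment above the call would pin it down, e.g. `/* set ciphers before loading certificates: the cipher string may change the OpenSSL security level (@SECLEVEL=), which also decides which certificates can be loaded */`. It is also worth saying, in the ssl_ciphers documentation rather than here, that a lowered security level applies to the whole SSL context (handshake parameters too), not only to certificate loading. The mail and stream SSL modules presumably call ngx_ssl_ciphers() after certificate loading in the same way and would need the same reorder; they are not visible from here. The enclosing merge function starts and ends outside this hunk.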