comparison src/stream/ngx_stream_ssl_module.c @ 7904:419c066cb710

SSL: ciphers now set before loading certificates (ticket #2035). To load old/weak server or client certificates it might be needed to adjust the security level, as introduced in OpenSSL 1.1.0. This change ensures that ciphers are set before loading the certificates, so security level changes via the cipher string apply to certificate loading.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 16 Aug 2021 22:40:31 +0300
parents 7ce28b4cc57e
children eb6c77e6d55d a550d4fa3581
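--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -718,10 +718,17 @@
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
 ngx_stream_ssl_servername);
 #endif
 
+if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+conf->prefer_server_ciphers)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
 if (conf->certificate_values) {
@@ -748,17 +755,10 @@
 conf->certificate_keys, conf->passwords)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
-}
-
-if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
-conf->prefer_server_ciphers)
-!= NGX_OK)
-{
-return NGX_CONF_ERROR;
-}
 }
 
 if (conf->verify) {
 
 if (conf->client_certificate.len == 0 && conf->verify != 3) {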
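Review bot: The ngx_ssl_ciphers() call that now sits ahead of ngx_stream_ssl_compile_certificates() (new lines 723-728) has no comment saying that its position matters, so a later cleanup could move it back below certificate loading and silently undo the fix. I would add above it `/* ciphers go first: a security level set in the cipher string must be in effect when certificates are loaded */`. The directive documentation should also say that a level lowered this way is not limited to certificate loading: in OpenSSL 1.1.0 and later the security level set through the cipher string (`@SECLEVEL=n`) stays on the SSL_CTX and also relaxes the key sizes, signature algorithms and ciphers accepted during handshakes. The enclosing function starts and ends outside the hunk.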