comparison src/http/modules/ngx_http_grpc_module.c @ 8578:419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 16 Aug 2021 22:40:31 +0300 |
parents | 41f4bd4c51f1 |
children | 336084ff943b |
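--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4894,10 +4894,16 @@
 }
 
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = glcf->upstream.ssl;
 
+if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
 if (glcf->upstream.ssl_certificate) {
 
 if (glcf->upstream.ssl_certificate_key == NULL) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"grpc_ssl_certificate_key\" is defined "
@@ -4925,16 +4931,10 @@
 return NGX_ERROR;
 }
 }
 }
 
-if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
-!= NGX_OK)
-{
-return NGX_ERROR;
-}
-
 if (glcf->upstream.ssl_verify) {
 if (glcf->ssl_trusted_certificate.len == 0) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no grpc_ssl_trusted_certificate for grpc_ssl_verify");
 return NGX_ERROR;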
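Review bot: The relocated `ngx_ssl_ciphers()` call (new lines 4899-4903) now carries an ordering requirement that nothing in the code records, so a later tidy-up could move it back below the certificate block, probably without any build failure. A one-line comment above the call would pin it, for example `/* set ciphers first: a security level given in the cipher string must be in effect when certificates are loaded */`. Since the cipher string now also decides whether an old or weak client certificate loads at all, the grpc_ssl_ciphers documentation should say that lowering the security level there relaxes certificate checks as well as cipher selection. The enclosing function begins and ends outside the visible hunks.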