Mercurial > hg > nginx-quic
comparison src/stream/ngx_stream_proxy_module.c @ 8578:419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 16 Aug 2021 22:40:31 +0300 |
| parents | 3ab8e1e2f0f7 |
| children | bfad703459b4 |
comparison
equal
deleted
inserted
replaced
| 8577:f2ddd0c491bf | 8578:419c066cb710 |
|---|---|
| 2183 } | 2183 } |
| 2184 | 2184 |
| 2185 cln->handler = ngx_ssl_cleanup_ctx; | 2185 cln->handler = ngx_ssl_cleanup_ctx; |
| 2186 cln->data = pscf->ssl; | 2186 cln->data = pscf->ssl; |
| 2187 | 2187 |
| 2188 if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) { | |
| 2189 return NGX_ERROR; | |
| 2190 } | |
| 2191 | |
| 2188 if (pscf->ssl_certificate) { | 2192 if (pscf->ssl_certificate) { |
| 2189 | 2193 |
| 2190 if (pscf->ssl_certificate_key == NULL) { | 2194 if (pscf->ssl_certificate_key == NULL) { |
| 2191 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 2195 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 2192 "no \"proxy_ssl_certificate_key\" is defined " | 2196 "no \"proxy_ssl_certificate_key\" is defined " |
| 2212 != NGX_OK) | 2216 != NGX_OK) |
| 2213 { | 2217 { |
| 2214 return NGX_ERROR; | 2218 return NGX_ERROR; |
| 2215 } | 2219 } |
| 2216 } | 2220 } |
| 2217 } | |
| 2218 | |
| 2219 if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) { | |
| 2220 return NGX_ERROR; | |
| 2221 } | 2221 } |
| 2222 | 2222 |
| 2223 if (pscf->ssl_verify) { | 2223 if (pscf->ssl_verify) { |
| 2224 if (pscf->ssl_trusted_certificate.len == 0) { | 2224 if (pscf->ssl_trusted_certificate.len == 0) { |
| 2225 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 2225 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |