comparison src/event/ngx_event_openssl.c @ 4446:fd40c9ef750d stable-1.0
Merge of r4401, r4415:
SSL changes:
*) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in
OpenSSL 1.0.1 (-beta1 was recently released). This change makes it
possible to disable these protocols and/or enable them without other
protocols.
*) Removed ENGINE_load_builtin_engines() call.
It's already called by OPENSSL_config(). Calling it again causes
some openssl engines (notably GOST) to corrupt memory, as they don't
expect to be created more than once.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sun, 05 Feb 2012 19:15:09 +0000 |
parents | 8d39230df833 |
children | 4919fb357a5d |
4445:50445a6d469e | 4446:fd40c9ef750d |
---|---|
76 ngx_openssl_exit, /* exit master */ | 76 ngx_openssl_exit, /* exit master */ |
77 NGX_MODULE_V1_PADDING | 77 NGX_MODULE_V1_PADDING |
78 }; | 78 }; |
79 | 79 |
80 | 80 |
81 static long ngx_ssl_protocols[] = { | |
82 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
83 SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
84 SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1, | |
85 SSL_OP_NO_TLSv1, | |
86 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, | |
87 SSL_OP_NO_SSLv3, | |
88 SSL_OP_NO_SSLv2, | |
89 0, | |
90 }; | |
91 | |
92 | |
93 int ngx_ssl_connection_index; | 81 int ngx_ssl_connection_index; |
94 int ngx_ssl_server_conf_index; | 82 int ngx_ssl_server_conf_index; |
95 int ngx_ssl_session_cache_index; | 83 int ngx_ssl_session_cache_index; |
96 | 84 |
97 | 85 |
100 { | 88 { |
101 OPENSSL_config(NULL); | 89 OPENSSL_config(NULL); |
102 | 90 |
103 SSL_library_init(); | 91 SSL_library_init(); |
104 SSL_load_error_strings(); | 92 SSL_load_error_strings(); |
105 | |
106 ENGINE_load_builtin_engines(); | |
107 | 93 |
108 OpenSSL_add_all_algorithms(); | 94 OpenSSL_add_all_algorithms(); |
109 | 95 |
110 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); | 96 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
111 | 97 |
169 | 155 |
170 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); | 156 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
171 | 157 |
172 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); | 158 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
173 | 159 |
174 if (ngx_ssl_protocols[protocols >> 1] != 0) { | 160 if (!(protocols & NGX_SSL_SSLv2)) { |
175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); | 161 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); |
176 } | 162 } |
163 if (!(protocols & NGX_SSL_SSLv3)) { | |
164 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); | |
165 } | |
166 if (!(protocols & NGX_SSL_TLSv1)) { | |
167 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); | |
168 } | |
169 #ifdef SSL_OP_NO_TLSv1_1 | |
170 if (!(protocols & NGX_SSL_TLSv1_1)) { | |
171 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); | |
172 } | |
173 #endif | |
174 #ifdef SSL_OP_NO_TLSv1_2 | |
175 if (!(protocols & NGX_SSL_TLSv1_2)) { | |
176 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); | |
177 } | |
178 #endif | |
177 | 179 |
178 #ifdef SSL_OP_NO_COMPRESSION | 180 #ifdef SSL_OP_NO_COMPRESSION |
179 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); | 181 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
180 #endif | 182 #endif |
181 | 183 |
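Review bot: The `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards around the new protocol checks (new lines 169-178) make the configured policy depend on the headers nginx was compiled against, and the mismatch is silent: when the macros are missing, the NGX_SSL_TLSv1_1/TLSv1_2 bits in `protocols` are ignored, so an `ssl_protocols` that names only TLSv1.1/TLSv1.2 leaves all three unconditional SSL_OP_NO_* options set and every handshake fails with no diagnostic at configuration time (fail-closed, but hard to debug); conversely, if the binary is later run against a newer shared library that does speak those versions, the directive cannot disable them. I would add an `#else` branch per protocol that warns when the bit is set but the option is unavailable, and a one-line comment on the guard stating that enforcement is decided at build time. `ssl->log` is presumably the log the rest of this function reports to, but the signature of the enclosing `ngx_ssl_create` is outside the hunk, so confirm which log is in scope. Whether the TLSv1.1/TLSv1.2 names are accepted by the directive parser regardless of the OpenSSL version is not visible here; if the parser rejects them on old builds, the warning is redundant but harmless.
```c
#ifdef SSL_OP_NO_TLSv1_1
    if (!(protocols & NGX_SSL_TLSv1_1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
    }
#else
    /* headers predate TLSv1.1: the bit is accepted but cannot be enforced here */
    if (protocols & NGX_SSL_TLSv1_1) {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "TLSv1.1 requested but not available in this OpenSSL build");
    }
#endif
    /* … same #else branch for SSL_OP_NO_TLSv1_2 / NGX_SSL_TLSv1_2 … */
```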