Mercurial > hg > nginx-vendor-1-0
diff src/event/ngx_event_openssl.c @ 644:ad25218fd14b NGINX_1_0_12
nginx 1.0.12
*) Feature: the "TLSv1.1" and "TLSv1.2" parameters of the
"ssl_protocols" directive.
*) Feature: the "if" SSI command supports captures in regular
expressions.
*) Bugfix: the "if" SSI command did not work inside the "block" command.
*) Bugfix: in AIO error handling on FreeBSD.
*) Bugfix: in the OpenSSL library initialization.
*) Bugfix: the "worker_cpu_affinity" directive might not work.
*) Bugfix: the "limit_conn_log_level" and "limit_req_log_level"
directives might not work.
*) Bugfix: the "read_ahead" directive might not work combined with
"try_files" and "open_file_cache".
*) Bugfix: the "proxy_cache_use_stale" directive with "error" parameter
did not return answer from cache if there were no live upstreams.
*) Bugfix: a segmentation fault might occur in a worker process if small
time was used in the "inactive" parameter of the "proxy_cache_path"
directive.
*) Bugfix: responses from cache might hang.
*) Bugfix: in error handling while connecting to a backend.
Thanks to Piotr Sikora.
*) Bugfix: in the "epoll" event method.
Thanks to Yichun Zhang.
*) Bugfix: the $sent_http_cache_control variable might contain a wrong
value if the "expires" directive was used.
Thanks to Yichun Zhang.
*) Bugfix: the "limit_rate" directive did not allow to use full
throughput, even if limit value was very high.
*) Bugfix: the "sendfile_max_chunk" directive did not work, if the
"limit_rate" directive was used.
*) Bugfix: nginx could not be built on Solaris; the bug had appeared in
1.0.11.
*) Bugfix: in the ngx_http_scgi_module.
*) Bugfix: in the ngx_http_mp4_module.
| author | Igor Sysoev <http://sysoev.ru> |
|---|---|
| date | Mon, 06 Feb 2012 00:00:00 +0400 |
| parents | 692f4d4d7f10 |
| children | 09a689c5e494 |
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -1,6 +1,7 @@ /* * Copyright (C) Igor Sysoev + * Copyright (C) Nginx, Inc. */ @@ -78,18 +79,6 @@ ngx_module_t ngx_openssl_module = { }; -static long ngx_ssl_protocols[] = { - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1, - SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, - SSL_OP_NO_SSLv3, - SSL_OP_NO_SSLv2, - 0, -}; - - int ngx_ssl_connection_index; int ngx_ssl_server_conf_index; int ngx_ssl_session_cache_index; @@ -103,8 +92,6 @@ ngx_ssl_init(ngx_log_t *log) SSL_library_init(); SSL_load_error_strings(); - ENGINE_load_builtin_engines(); - OpenSSL_add_all_algorithms(); ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); @@ -171,9 +158,25 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); - if (ngx_ssl_protocols[protocols >> 1] != 0) { - SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); + if (!(protocols & NGX_SSL_SSLv2)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); + } + if (!(protocols & NGX_SSL_SSLv3)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); + } + if (!(protocols & NGX_SSL_TLSv1)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); } +#ifdef SSL_OP_NO_TLSv1_1 + if (!(protocols & NGX_SSL_TLSv1_1)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); + } +#endif +#ifdef SSL_OP_NO_TLSv1_2 + if (!(protocols & NGX_SSL_TLSv1_2)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); + } +#endif #ifdef SSL_OP_NO_COMPRESSION SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);