comparison src/event/ngx_event_openssl.c @ 9137:0ba26c99b3a1
SSL: avoid using OpenSSL config in build directory (ticket #2404).
With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx
is asked to build OpenSSL itself. And with this macro automatic loading
of OpenSSL configuration (from the build directory) is prevented unless
the OPENSSL_CONF environment variable is explicitly set.
Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a
(fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350).
If nginx is used to compile these OpenSSL versions, configuring nginx with
NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 21 Jun 2023 01:29:53 +0300 |
parents | 85abf534cead |
children | 875cd36b8617 |
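--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -140,11 +140,22 @@
 ngx_int_t
 ngx_ssl_init(ngx_log_t *log)
 {
 #if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)
 
+uint64_t opts;
 OPENSSL_INIT_SETTINGS *init;
+
+opts = OPENSSL_INIT_LOAD_CONFIG;
+
+#if (NGX_OPENSSL_NO_CONFIG)
+
+if (getenv("OPENSSL_CONF") == NULL) {
+opts = OPENSSL_INIT_NO_LOAD_CONFIG;
+}
+
+#endif
 
 init = OPENSSL_INIT_new();
 if (init == NULL) {
 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
 return NGX_ERROR;
@@ -156,11 +167,11 @@
 "OPENSSL_INIT_set_config_appname() failed");
 return NGX_ERROR;
 }
 #endif
 
-if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
+if (OPENSSL_init_ssl(opts, init) == 0) {
 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
 return NGX_ERROR;
 }
 
 OPENSSL_INIT_free(init);
@@ -171,10 +182,18 @@
 */
 
 ERR_clear_error();
 
 #else
+
+#if (NGX_OPENSSL_NO_CONFIG)
+
+if (getenv("OPENSSL_CONF") == NULL) {
+OPENSSL_no_config();
+}
+
+#endif
 
 OPENSSL_config("nginx");
 
 SSL_library_init();
 SSL_load_error_strings();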
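Review bot: The two new `getenv("OPENSSL_CONF") == NULL` guards (ahead of `OPENSSL_INIT_new()` and ahead of `OPENSSL_config("nginx")`) skip configuration loading without a comment or a log line, so the security reason for them lives only in the commit message. A comment at the first guard would carry it, e.g. `/* bundled OpenSSL: the default openssl.cnf path is in the build directory, so load config only when OPENSSL_CONF is set */`. Since `log` is already in scope, something like `ngx_log_error(NGX_LOG_NOTICE, log, 0, "OpenSSL configuration is not loaded, OPENSSL_CONF is not set");` inside each guard would let an operator who relied on engine or provider settings from the default file see why they no longer apply. The test is for NULL only, so an `OPENSSL_CONF` that is set but empty still enables loading; if that is intended, the comment should say so. `ngx_ssl_init()` starts in this section but its end is outside the lines shown.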