Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 9137:0ba26c99b3a1
SSL: avoid using OpenSSL config in build directory (ticket #2404).
With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx
is asked to build OpenSSL itself. And with this macro automatic loading
of OpenSSL configuration (from the build directory) is prevented unless
the OPENSSL_CONF environment variable is explicitly set.
Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a
(fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350).
If nginx is used to compile these OpenSSL versions, configuring nginx with
NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 21 Jun 2023 01:29:53 +0300 |
| parents | 85abf534cead |
| children | 875cd36b8617 |
comparison
equal
deleted
inserted
replaced
| 9136:85abf534cead | 9137:0ba26c99b3a1 |
|---|---|
| 140 ngx_int_t | 140 ngx_int_t |
| 141 ngx_ssl_init(ngx_log_t *log) | 141 ngx_ssl_init(ngx_log_t *log) |
| 142 { | 142 { |
| 143 #if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER) | 143 #if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER) |
| 144 | 144 |
| 145 uint64_t opts; | |
| 145 OPENSSL_INIT_SETTINGS *init; | 146 OPENSSL_INIT_SETTINGS *init; |
| 147 | |
| 148 opts = OPENSSL_INIT_LOAD_CONFIG; | |
| 149 | |
| 150 #if (NGX_OPENSSL_NO_CONFIG) | |
| 151 | |
| 152 if (getenv("OPENSSL_CONF") == NULL) { | |
| 153 opts = OPENSSL_INIT_NO_LOAD_CONFIG; | |
| 154 } | |
| 155 | |
| 156 #endif | |
| 146 | 157 |
| 147 init = OPENSSL_INIT_new(); | 158 init = OPENSSL_INIT_new(); |
| 148 if (init == NULL) { | 159 if (init == NULL) { |
| 149 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed"); | 160 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed"); |
| 150 return NGX_ERROR; | 161 return NGX_ERROR; |
| 156 "OPENSSL_INIT_set_config_appname() failed"); | 167 "OPENSSL_INIT_set_config_appname() failed"); |
| 157 return NGX_ERROR; | 168 return NGX_ERROR; |
| 158 } | 169 } |
| 159 #endif | 170 #endif |
| 160 | 171 |
| 161 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) { | 172 if (OPENSSL_init_ssl(opts, init) == 0) { |
| 162 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); | 173 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); |
| 163 return NGX_ERROR; | 174 return NGX_ERROR; |
| 164 } | 175 } |
| 165 | 176 |
| 166 OPENSSL_INIT_free(init); | 177 OPENSSL_INIT_free(init); |
| 171 */ | 182 */ |
| 172 | 183 |
| 173 ERR_clear_error(); | 184 ERR_clear_error(); |
| 174 | 185 |
| 175 #else | 186 #else |
| 187 | |
| 188 #if (NGX_OPENSSL_NO_CONFIG) | |
| 189 | |
| 190 if (getenv("OPENSSL_CONF") == NULL) { | |
| 191 OPENSSL_no_config(); | |
| 192 } | |
| 193 | |
| 194 #endif | |
| 176 | 195 |
| 177 OPENSSL_config("nginx"); | 196 OPENSSL_config("nginx"); |
| 178 | 197 |
| 179 SSL_library_init(); | 198 SSL_library_init(); |
| 180 SSL_load_error_strings(); | 199 SSL_load_error_strings(); |