comparison src/event/ngx_event_openssl.c @ 7896:1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Using PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() is deprecated
as part of deprecating the low level DH functions in favor of EVP_PKEY:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=163f6dc
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 10 Aug 2021 23:43:16 +0300 |
parents | 37be19a3c0ee |
children | 4195a6f0c61c |
7895:8ebda26e4f98 | 7896:1e0fabbe01c7 |
---|---|
1352 | 1352 |
1353 | 1353 |
1354 ngx_int_t | 1354 ngx_int_t |
1355 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) | 1355 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
1356 { | 1356 { |
1357 DH *dh; | |
1358 BIO *bio; | 1357 BIO *bio; |
1359 | 1358 |
1360 if (file->len == 0) { | 1359 if (file->len == 0) { |
1361 return NGX_OK; | 1360 return NGX_OK; |
1362 } | 1361 } |
1369 if (bio == NULL) { | 1368 if (bio == NULL) { |
1370 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | 1369 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1371 "BIO_new_file(\"%s\") failed", file->data); | 1370 "BIO_new_file(\"%s\") failed", file->data); |
1372 return NGX_ERROR; | 1371 return NGX_ERROR; |
1373 } | 1372 } |
1373 | |
1374 #ifdef SSL_CTX_set_tmp_dh | |
1375 { | |
1376 DH *dh; | |
1374 | 1377 |
1375 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); | 1378 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
1376 if (dh == NULL) { | 1379 if (dh == NULL) { |
1377 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | 1380 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1378 "PEM_read_bio_DHparams(\"%s\") failed", file->data); | 1381 "PEM_read_bio_DHparams(\"%s\") failed", file->data); |
1387 BIO_free(bio); | 1390 BIO_free(bio); |
1388 return NGX_ERROR; | 1391 return NGX_ERROR; |
1389 } | 1392 } |
1390 | 1393 |
1391 DH_free(dh); | 1394 DH_free(dh); |
1395 } | |
1396 #else | |
1397 { | |
1398 EVP_PKEY *dh; | |
1399 | |
1400 /* | |
1401 * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() | |
1402 * are deprecated in OpenSSL 3.0 | |
1403 */ | |
1404 | |
1405 dh = PEM_read_bio_Parameters(bio, NULL); | |
1406 if (dh == NULL) { | |
1407 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1408 "PEM_read_bio_Parameters(\"%s\") failed", file->data); | |
1409 BIO_free(bio); | |
1410 return NGX_ERROR; | |
1411 } | |
1412 | |
1413 if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) { | |
1414 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1415 "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data); | |
1416 BIO_free(bio); | |
1417 return NGX_ERROR; | |
1418 } | |
1419 } | |
1420 #endif | |
1421 | |
1392 BIO_free(bio); | 1422 BIO_free(bio); |
1393 | 1423 |
1394 return NGX_OK; | 1424 return NGX_OK; |
1395 } | 1425 } |
1396 | 1426 |
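Review bot: The failure message for `SSL_CTX_set0_tmp_dh_pkey()` at new line 1415 is written `(\%s\")`, which drops the opening quote and uses `\%`, not a valid C escape; it should read `"SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed", file->data);` like the other messages in `ngx_ssl_dhparam()`. That same branch returns without releasing `dh`: OpenSSL documents that ownership of the key passes to the context only when the call succeeds, so `EVP_PKEY_free(dh);` before `BIO_free(bio);` appears to be needed, subject to checking the behaviour of the OpenSSL 3.0 releases being targeted. It is also worth a short comment on `#ifdef SSL_CTX_set_tmp_dh` saying under which build configuration the macro is absent, since the deprecated branch is what compiles whenever it is defined. Old lines 1363-1368 and 1379-1386 of the function are not shown in this comparison.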