Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 6034:3e847964ab55
SSL: clear protocol options.
LibreSSL 2.1.1+ started to set SSL_OP_NO_SSLv3 option by default on
new contexts. This makes sure to clear it to make it possible to use SSLv3
with LibreSSL if enabled in nginx config.
Prodded by Kuramoto Eiji.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 23 Mar 2015 02:42:32 +0300 |
| parents | c2f309fb7ad2 |
| children | 4e3f87c02cb4 |
comparison
equal
deleted
inserted
replaced
| 6033:8e66a83d16ae | 6034:3e847964ab55 |
|---|---|
| 247 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); | 247 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
| 248 #endif | 248 #endif |
| 249 | 249 |
| 250 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); | 250 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
| 251 | 251 |
| 252 #ifdef SSL_CTRL_CLEAR_OPTIONS | |
| 253 /* only in 0.9.8m+ */ | |
| 254 SSL_CTX_clear_options(ssl->ctx, | |
| 255 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); | |
| 256 #endif | |
| 257 | |
| 252 if (!(protocols & NGX_SSL_SSLv2)) { | 258 if (!(protocols & NGX_SSL_SSLv2)) { |
| 253 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); | 259 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); |
| 254 } | 260 } |
| 255 if (!(protocols & NGX_SSL_SSLv3)) { | 261 if (!(protocols & NGX_SSL_SSLv3)) { |
| 256 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); | 262 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); |
| 257 } | 263 } |
| 258 if (!(protocols & NGX_SSL_TLSv1)) { | 264 if (!(protocols & NGX_SSL_TLSv1)) { |
| 259 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); | 265 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); |
| 260 } | 266 } |
| 261 #ifdef SSL_OP_NO_TLSv1_1 | 267 #ifdef SSL_OP_NO_TLSv1_1 |
| 268 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); | |
| 262 if (!(protocols & NGX_SSL_TLSv1_1)) { | 269 if (!(protocols & NGX_SSL_TLSv1_1)) { |
| 263 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); | 270 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
| 264 } | 271 } |
| 265 #endif | 272 #endif |
| 266 #ifdef SSL_OP_NO_TLSv1_2 | 273 #ifdef SSL_OP_NO_TLSv1_2 |
| 274 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); | |
| 267 if (!(protocols & NGX_SSL_TLSv1_2)) { | 275 if (!(protocols & NGX_SSL_TLSv1_2)) { |
| 268 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); | 276 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
| 269 } | 277 } |
| 270 #endif | 278 #endif |
| 271 | 279 |