comparison src/http/modules/ngx_http_proxy_module.c @ 7904:419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 16 Aug 2021 22:40:31 +0300 |
parents | b87b7092cedb |
children | 055b2a847117 |
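--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4942,10 +4942,16 @@
 }
 
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = plcf->upstream.ssl;
 
+if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
 if (plcf->upstream.ssl_certificate) {
 
 if (plcf->upstream.ssl_certificate_key == NULL) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"proxy_ssl_certificate_key\" is defined "
@@ -4973,16 +4979,10 @@
 return NGX_ERROR;
 }
 }
 }
 
-if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
-!= NGX_OK)
-{
-return NGX_ERROR;
-}
-
 if (plcf->upstream.ssl_verify) {
 if (plcf->ssl_trusted_certificate.len == 0) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no proxy_ssl_trusted_certificate for proxy_ssl_verify");
 return NGX_ERROR;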
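Review bot: The `ngx_ssl_ciphers()` call now placed ahead of the `if (plcf->upstream.ssl_certificate)` block is order-dependent, but nothing at the call site says so, and a later cleanup could move it back below the certificate block without anything visibly breaking. A one-line comment above the call would pin the intent, for example `/* ciphers first: a security level set via proxy_ssl_ciphers must apply to certificate loading */`. The operational side effect also deserves a sentence in the directive documentation: a cipher string that lowers the OpenSSL security level (`@SECLEVEL=n`) purely for upstream cipher compatibility will now, going by the commit description, also let a weak `proxy_ssl_certificate` load where it would presumably have been rejected at configuration time before. The enclosing function starts and ends outside the lines shown here.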