comparison src/http/modules/ngx_http_ssl_module.c @ 7904:419c066cb710

SSL: ciphers now set before loading certificates (ticket #2035). To load old/weak server or client certificates it might be needed to adjust the security level, as introduced in OpenSSL 1.1.0. This change ensures that ciphers are set before loading the certificates, so security level changes via the cipher string apply to certificate loading.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 16 Aug 2021 22:40:31 +0300
parents 7ce28b4cc57e
children 61abb35bb8cf fac88e160653
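--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -795,10 +795,17 @@
 #ifdef TLSEXT_TYPE_next_proto_neg
 SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
 ngx_http_ssl_npn_advertised, NULL);
 #endif
 
+if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+conf->prefer_server_ciphers)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
 if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
 if (conf->certificate_values) {
@@ -825,17 +832,10 @@
 conf->certificate_keys, conf->passwords)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
-}
-
-if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
-conf->prefer_server_ciphers)
-!= NGX_OK)
-{
-return NGX_CONF_ERROR;
-}
 }
 
 conf->ssl.buffer_size = conf->buffer_size;
 
 if (conf->verify) {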
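Review bot: The moved `ngx_ssl_ciphers()` call (new lines 800-805) must now run before `ngx_http_ssl_compile_certificates()` and the certificate-loading calls, but nothing in the code records that ordering requirement, so a later reshuffle could silently bring back the behaviour from ticket #2035. I would add a comment above the call, for example `/* set ciphers first: the security level from the cipher string must be in effect when certificates are loaded */`. Per the commit description the cipher string can change the OpenSSL security level, so a lowered level now also decides which certificates are accepted at load time; that is the stated intent, and it is worth saying in the directive documentation so operators do not weaken certificate checks by accident. Any other module that loads certificates before setting ciphers (not visible here) would presumably need the same ordering. The enclosing function starts and ends outside the lines shown.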