comparison src/http/modules/ngx_http_uwsgi_module.c @ 7904:419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 16 Aug 2021 22:40:31 +0300 |
parents | b87b7092cedb |
children | 2f443cac3f1e |
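--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2430,10 +2430,16 @@
 }
 
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = uwcf->upstream.ssl;
 
+if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
 if (uwcf->upstream.ssl_certificate) {
 
 if (uwcf->upstream.ssl_certificate_key == NULL) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"uwsgi_ssl_certificate_key\" is defined "
@@ -2461,16 +2467,10 @@
 return NGX_ERROR;
 }
 }
 }
 
-if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
-!= NGX_OK)
-{
-return NGX_ERROR;
-}
-
 if (uwcf->upstream.ssl_verify) {
 if (uwcf->ssl_trusted_certificate.len == 0) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no uwsgi_ssl_trusted_certificate for uwsgi_ssl_verify");
 return NGX_ERROR;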
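Review bot: The relocated `ngx_ssl_ciphers()` call at new lines 2435-2439 has no comment explaining why it must come before the `uwsgi_ssl_certificate` block, so the ordering dependency is recorded only in the commit message and a later cleanup could move it back. I would add a comment above the call such as `/* set ciphers first: the cipher string may change the OpenSSL security level used when loading certificates */`. As far as I know, a security level set through the cipher string applies to the whole SSL context rather than to certificate loading alone. It would therefore help to note in the `uwsgi_ssl_ciphers` documentation that lowering the level to load an old client certificate likely also relaxes what is accepted on the upstream connection. The enclosing function starts and ends outside the lines shown here.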