nginx: src/http/modules/ngx_http_uwsgi

comparison src/http/modules/ngx_http_uwsgi_module.c @ 7904:419c066cb710

SSL: ciphers now set before loading certificates (ticket #2035). To load old/weak server or client certificates it might be needed to adjust the security level, as introduced in OpenSSL 1.1.0. This change ensures that ciphers are set before loading the certificates, so security level changes via the cipher string apply to certificate loading.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Mon, 16 Aug 2021 22:40:31 +0300
parents	b87b7092cedb
children	2f443cac3f1e

comparison

equal deleted inserted replaced

-:f2ddd0c491bf
+:419c066cb710
 }
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = uwcf->upstream.ssl;
+if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
 if (uwcf->upstream.ssl_certificate) {
 if (uwcf->upstream.ssl_certificate_key == NULL) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no \"uwsgi_ssl_certificate_key\" is defined "
 return NGX_ERROR;
 }
 }
 }
-if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
-!= NGX_OK)
-{
-return NGX_ERROR;
-}
 if (uwcf->upstream.ssl_verify) {
 if (uwcf->ssl_trusted_certificate.len == 0) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no uwsgi_ssl_trusted_certificate for uwsgi_ssl_verify");
 return NGX_ERROR;

Mercurial > hg > nginx

comparison src/http/modules/ngx_http_uwsgi_module.c @ 7904:419c066cb710