comparison src/stream/ngx_stream_ssl_module.c @ 7904:419c066cb710
SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 16 Aug 2021 22:40:31 +0300 |
parents | 7ce28b4cc57e |
children | eb6c77e6d55d a550d4fa3581 |
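--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -718,10 +718,17 @@
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
 ngx_stream_ssl_servername);
 #endif
 
+if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+conf->prefer_server_ciphers)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
 if (conf->certificate_values) {
@@ -748,17 +755,10 @@
 conf->certificate_keys, conf->passwords)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
-}
-
-if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
-conf->prefer_server_ciphers)
-!= NGX_OK)
-{
-return NGX_CONF_ERROR;
-}
 }
 
 if (conf->verify) {
 
 if (conf->client_certificate.len == 0 && conf->verify != 3) {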
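Review bot: The relocated ngx_ssl_ciphers() call at new lines 723-729 carries no comment saying why it must run before ngx_stream_ssl_compile_certificates(), so the ordering this fix relies on is easy to undo in a later reorder of the merge function. I would add above the call `/* set ciphers before loading certificates: the cipher string may change the OpenSSL security level, which has to be in effect when certificates are loaded (ticket #2035) */`. It is also worth noting in that comment that a weak certificate which presumably loaded before may now be refused at configuration time under a raised security level, which is the intended effect rather than a regression. The enclosing merge-configuration function starts and ends outside the hunk.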