comparison src/event/ngx_event_openssl.c @ 7900:509b663a789c
SSL: removed export ciphers support.
Export ciphers are forbidden to negotiate in TLS 1.1 and later protocol modes.
They are disabled since OpenSSL 1.0.2g by default unless explicitly configured
with "enable-weak-ssl-ciphers", and completely removed in OpenSSL 1.1.0.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 10 Aug 2021 23:43:17 +0300 |
parents | 1a03af395f44 |
children | dda421871bc2 |
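--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -861,15 +861,10 @@
 
 if (prefer_server_ciphers) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
-/* a temporary 512-bit RSA key is required for export versions of MSIE */
-SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
-#endif
-
 return NGX_OK;
 }
 
 
 ngx_int_t
@@ -1116,36 +1111,10 @@
 c->ssl->handshake_buffer_set = 1;
 }
 }
 }
 }
-
-
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
-
-RSA *
-ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
-int key_length)
-{
-static RSA *key;
-
-if (key_length != 512) {
-return NULL;
-}
-
-#ifndef OPENSSL_NO_DEPRECATED
-
-if (key == NULL) {
-key = RSA_generate_key(512, RSA_F4, NULL, NULL);
-}
-
-#endif
-
-return key;
-}
-
-#endif
 
 
 ngx_array_t *
 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
 {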