Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 7962:ddfad46492b5 stable-1.20
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Using PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() is deprecated
as part of deprecating the low level DH functions in favor of EVP_PKEY:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=163f6dc
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 10 Aug 2021 23:43:16 +0300 |
| parents | ec2798eb3648 |
| children | 4195a6f0c61c |
comparison
equal
deleted
inserted
replaced
| 7961:c7c6a87c068d | 7962:ddfad46492b5 |
|---|---|
| 1352 | 1352 |
| 1353 | 1353 |
| 1354 ngx_int_t | 1354 ngx_int_t |
| 1355 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) | 1355 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
| 1356 { | 1356 { |
| 1357 DH *dh; | |
| 1358 BIO *bio; | 1357 BIO *bio; |
| 1359 | 1358 |
| 1360 if (file->len == 0) { | 1359 if (file->len == 0) { |
| 1361 return NGX_OK; | 1360 return NGX_OK; |
| 1362 } | 1361 } |
| 1369 if (bio == NULL) { | 1368 if (bio == NULL) { |
| 1370 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | 1369 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
| 1371 "BIO_new_file(\"%s\") failed", file->data); | 1370 "BIO_new_file(\"%s\") failed", file->data); |
| 1372 return NGX_ERROR; | 1371 return NGX_ERROR; |
| 1373 } | 1372 } |
| 1373 | |
| 1374 #ifdef SSL_CTX_set_tmp_dh | |
| 1375 { | |
| 1376 DH *dh; | |
| 1374 | 1377 |
| 1375 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); | 1378 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
| 1376 if (dh == NULL) { | 1379 if (dh == NULL) { |
| 1377 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | 1380 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
| 1378 "PEM_read_bio_DHparams(\"%s\") failed", file->data); | 1381 "PEM_read_bio_DHparams(\"%s\") failed", file->data); |
| 1387 BIO_free(bio); | 1390 BIO_free(bio); |
| 1388 return NGX_ERROR; | 1391 return NGX_ERROR; |
| 1389 } | 1392 } |
| 1390 | 1393 |
| 1391 DH_free(dh); | 1394 DH_free(dh); |
| 1395 } | |
| 1396 #else | |
| 1397 { | |
| 1398 EVP_PKEY *dh; | |
| 1399 | |
| 1400 /* | |
| 1401 * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() | |
| 1402 * are deprecated in OpenSSL 3.0 | |
| 1403 */ | |
| 1404 | |
| 1405 dh = PEM_read_bio_Parameters(bio, NULL); | |
| 1406 if (dh == NULL) { | |
| 1407 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 1408 "PEM_read_bio_Parameters(\"%s\") failed", file->data); | |
| 1409 BIO_free(bio); | |
| 1410 return NGX_ERROR; | |
| 1411 } | |
| 1412 | |
| 1413 if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) { | |
| 1414 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 1415 "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data); | |
| 1416 BIO_free(bio); | |
| 1417 return NGX_ERROR; | |
| 1418 } | |
| 1419 } | |
| 1420 #endif | |
| 1421 | |
| 1392 BIO_free(bio); | 1422 BIO_free(bio); |
| 1393 | 1423 |
| 1394 return NGX_OK; | 1424 return NGX_OK; |
| 1395 } | 1425 } |
| 1396 | 1426 |