Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 4446:fd40c9ef750d stable-1.0
Merge of r4401, r4415:
SSL changes:
*) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in
OpenSSL 1.0.1 (-beta1 was recently released). This change makes it
possible to disable these protocols and/or enable them without other
protocols.
*) Removed ENGINE_load_builtin_engines() call.
It's already called by OPENSSL_config(). Calling it again causes
some openssl engines (notably GOST) to corrupt memory, as they don't
expect to be created more than once.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sun, 05 Feb 2012 19:15:09 +0000 |
| parents | 8d39230df833 |
| children | 4919fb357a5d |
comparison
equal
deleted
inserted
replaced
| 4445:50445a6d469e | 4446:fd40c9ef750d |
|---|---|
| 76 ngx_openssl_exit, /* exit master */ | 76 ngx_openssl_exit, /* exit master */ |
| 77 NGX_MODULE_V1_PADDING | 77 NGX_MODULE_V1_PADDING |
| 78 }; | 78 }; |
| 79 | 79 |
| 80 | 80 |
| 81 static long ngx_ssl_protocols[] = { | |
| 82 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
| 83 SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
| 84 SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1, | |
| 85 SSL_OP_NO_TLSv1, | |
| 86 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, | |
| 87 SSL_OP_NO_SSLv3, | |
| 88 SSL_OP_NO_SSLv2, | |
| 89 0, | |
| 90 }; | |
| 91 | |
| 92 | |
| 93 int ngx_ssl_connection_index; | 81 int ngx_ssl_connection_index; |
| 94 int ngx_ssl_server_conf_index; | 82 int ngx_ssl_server_conf_index; |
| 95 int ngx_ssl_session_cache_index; | 83 int ngx_ssl_session_cache_index; |
| 96 | 84 |
| 97 | 85 |
| 100 { | 88 { |
| 101 OPENSSL_config(NULL); | 89 OPENSSL_config(NULL); |
| 102 | 90 |
| 103 SSL_library_init(); | 91 SSL_library_init(); |
| 104 SSL_load_error_strings(); | 92 SSL_load_error_strings(); |
| 105 | |
| 106 ENGINE_load_builtin_engines(); | |
| 107 | 93 |
| 108 OpenSSL_add_all_algorithms(); | 94 OpenSSL_add_all_algorithms(); |
| 109 | 95 |
| 110 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); | 96 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
| 111 | 97 |
| 169 | 155 |
| 170 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); | 156 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
| 171 | 157 |
| 172 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); | 158 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
| 173 | 159 |
| 174 if (ngx_ssl_protocols[protocols >> 1] != 0) { | 160 if (!(protocols & NGX_SSL_SSLv2)) { |
| 175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); | 161 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); |
| 176 } | 162 } |
| 163 if (!(protocols & NGX_SSL_SSLv3)) { | |
| 164 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); | |
| 165 } | |
| 166 if (!(protocols & NGX_SSL_TLSv1)) { | |
| 167 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); | |
| 168 } | |
| 169 #ifdef SSL_OP_NO_TLSv1_1 | |
| 170 if (!(protocols & NGX_SSL_TLSv1_1)) { | |
| 171 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); | |
| 172 } | |
| 173 #endif | |
| 174 #ifdef SSL_OP_NO_TLSv1_2 | |
| 175 if (!(protocols & NGX_SSL_TLSv1_2)) { | |
| 176 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); | |
| 177 } | |
| 178 #endif | |
| 177 | 179 |
| 178 #ifdef SSL_OP_NO_COMPRESSION | 180 #ifdef SSL_OP_NO_COMPRESSION |
| 179 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); | 181 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
| 180 #endif | 182 #endif |
| 181 | 183 |