Mercurial > hg > nginx

diff src/event/ngx_event_openssl.c @ 4446:fd40c9ef750d stable-1.0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge of r4401, r4415: SSL changes: *) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1 (-beta1 was recently released). This change makes it possible to disable these protocols and/or enable them without other protocols. *) Removed ENGINE_load_builtin_engines() call. It's already called by OPENSSL_config(). Calling it again causes some openssl engines (notably GOST) to corrupt memory, as they don't expect to be created more than once.
author Maxim Dounin <mdounin@mdounin.ru>
date Sun, 05 Feb 2012 19:15:09 +0000
parents 8d39230df833
children 4919fb357a5d
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -78,18 +78,6 @@ ngx_module_t  ngx_openssl_module = {
 };
 
 
-static long  ngx_ssl_protocols[] = {
-    SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
-    SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
-    SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,
-    SSL_OP_NO_TLSv1,
-    SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
-    SSL_OP_NO_SSLv3,
-    SSL_OP_NO_SSLv2,
-    0,
-};
-
-
 int  ngx_ssl_connection_index;
 int  ngx_ssl_server_conf_index;
 int  ngx_ssl_session_cache_index;
@@ -103,8 +91,6 @@ ngx_ssl_init(ngx_log_t *log)
     SSL_library_init();
     SSL_load_error_strings();
 
-    ENGINE_load_builtin_engines();
-
     OpenSSL_add_all_algorithms();
 
     ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
@@ -171,9 +157,25 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
 
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
-    if (ngx_ssl_protocols[protocols >> 1] != 0) {
-        SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
+    if (!(protocols & NGX_SSL_SSLv2)) {
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
+    }
+    if (!(protocols & NGX_SSL_SSLv3)) {
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
+    }
+    if (!(protocols & NGX_SSL_TLSv1)) {
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
     }
+#ifdef SSL_OP_NO_TLSv1_1
+    if (!(protocols & NGX_SSL_TLSv1_1)) {
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+    }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+    if (!(protocols & NGX_SSL_TLSv1_2)) {
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+    }
+#endif
 
 #ifdef SSL_OP_NO_COMPRESSION
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);