Mercurial > hg > nginx

view auto/summary @ 7420:b3a4f6d23e82 stable-1.14

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: enabled TLSv1.3 with BoringSSL. BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION) to be able to enable TLS 1.3. This is because by default max protocol version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used as a blacklist within the version range specified using the SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() functions. With this change, we now call SSL_CTX_set_max_proto_version() with an explicit maximum version set. This enables TLS 1.3 with BoringSSL. As a side effect, this change also limits maximum protocol version to the newest protocol we know about, TLS 1.3. This seems to be a good change, as enabling unknown protocols might have unexpected results. Additionally, we now explicitly call SSL_CTX_set_min_proto_version() with 0. This is expected to help with Debian system-wide default of MinProtocol set to TLSv1.2, see http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html. Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL, so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() as long as the TLS1_3_VERSION macro is defined.
author Maxim Dounin <mdounin@mdounin.ru>
date Tue, 07 Aug 2018 02:15:28 +0300
parents 9eefb38f0005
children 0b5f12d5c531
line wrap: on
line source


# Copyright (C) Igor Sysoev
# Copyright (C) Nginx, Inc.


echo
echo "Configuration summary"


if [ $USE_THREADS = YES ]; then
    echo "  + using threads"
fi

if [ $USE_PCRE = DISABLED ]; then
    echo "  + PCRE library is disabled"

else
    case $PCRE in
        YES)   echo "  + using system PCRE library" ;;
        NONE)  echo "  + PCRE library is not used" ;;
        *)     echo "  + using PCRE library: $PCRE" ;;
    esac
fi

case $OPENSSL in
    YES)   echo "  + using system OpenSSL library" ;;
    NONE)  echo "  + OpenSSL library is not used" ;;
    *)     echo "  + using OpenSSL library: $OPENSSL" ;;
esac

case $ZLIB in
    YES)   echo "  + using system zlib library" ;;
    NONE)  echo "  + zlib library is not used" ;;
    *)     echo "  + using zlib library: $ZLIB" ;;
esac

case $NGX_LIBATOMIC in
    YES)   echo "  + using system libatomic_ops library" ;;
    NO)    ;; # not used
    *)     echo "  + using libatomic_ops library: $NGX_LIBATOMIC" ;;
esac

echo


cat << END
  nginx path prefix: "$NGX_PREFIX"
  nginx binary file: "$NGX_SBIN_PATH"
  nginx modules path: "$NGX_MODULES_PATH"
  nginx configuration prefix: "$NGX_CONF_PREFIX"
  nginx configuration file: "$NGX_CONF_PATH"
  nginx pid file: "$NGX_PID_PATH"
END

if test -n "$NGX_ERROR_LOG_PATH"; then
    echo "  nginx error log file: \"$NGX_ERROR_LOG_PATH\""
else
    echo "  nginx logs errors to stderr"
fi

cat << END
  nginx http access log file: "$NGX_HTTP_LOG_PATH"
  nginx http client request body temporary files: "$NGX_HTTP_CLIENT_TEMP_PATH"
END

if [ $HTTP_PROXY = YES ]; then
    echo "  nginx http proxy temporary files: \"$NGX_HTTP_PROXY_TEMP_PATH\""
fi

if [ $HTTP_FASTCGI = YES ]; then
    echo "  nginx http fastcgi temporary files: \"$NGX_HTTP_FASTCGI_TEMP_PATH\""
fi

if [ $HTTP_UWSGI = YES ]; then
    echo "  nginx http uwsgi temporary files: \"$NGX_HTTP_UWSGI_TEMP_PATH\""
fi

if [ $HTTP_SCGI = YES ]; then
    echo "  nginx http scgi temporary files: \"$NGX_HTTP_SCGI_TEMP_PATH\""
fi

echo "$NGX_POST_CONF_MSG"