# HG changeset patch # User Maxim Dounin # Date 1531752440 -10800 # Node ID 3443fe40bdc7947b7819c0bd6871f0c390a6094f # Parent 6565f0dbe8c5b59c6884cba9f0ba72a28b2a80f6 SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+. In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so conditional compilation test on it results in SSL_clear_options() and SSL_CTX_clear_options() not being used. Notably, this caused "ssl_prefer_server_ciphers off" to not work in SNI-based virtual servers if server preference was switched on in the default server. It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER explicitly. diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -295,7 +295,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); -#ifdef SSL_CTRL_CLEAR_OPTIONS +#if OPENSSL_VERSION_NUMBER >= 0x009080dfL /* only in 0.9.8m+ */ SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -912,7 +912,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t * SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx)); -#ifdef SSL_CTRL_CLEAR_OPTIONS +#if OPENSSL_VERSION_NUMBER >= 0x009080dfL /* only in 0.9.8m+ */ SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) & ~SSL_CTX_get_options(sscf->ssl.ctx));