Klaus Demo nginx / 4efcbce
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1 (-beta1 was recently released). This change makes it possible to disable these protocols and/or enable them without other protocols. Maxim Dounin 10 years ago
5 changed file(s) with 35 addition(s) and 21 deletion(s). Raw diff Collapse all Expand all
7777 };
7878
7979
80 static long ngx_ssl_protocols[] = {
81 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
82 SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
83 SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,
84 SSL_OP_NO_TLSv1,
85 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
86 SSL_OP_NO_SSLv3,
87 SSL_OP_NO_SSLv2,
88 0,
89 };
90
91
9280 int ngx_ssl_connection_index;
9381 int ngx_ssl_server_conf_index;
9482 int ngx_ssl_session_cache_index;
170158
171159 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
172160
173 if (ngx_ssl_protocols[protocols >> 1] != 0) {
174 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
175 }
161 if (!(protocols & NGX_SSL_SSLv2)) {
162 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
163 }
164 if (!(protocols & NGX_SSL_SSLv3)) {
165 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
166 }
167 if (!(protocols & NGX_SSL_TLSv1)) {
168 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
169 }
170 #ifdef SSL_OP_NO_TLSv1_1
171 if (!(protocols & NGX_SSL_TLSv1_1)) {
172 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
173 }
174 #endif
175 #ifdef SSL_OP_NO_TLSv1_2
176 if (!(protocols & NGX_SSL_TLSv1_2)) {
177 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
178 }
179 #endif
176180
177181 #ifdef SSL_OP_NO_COMPRESSION
178182 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
8080
8181
8282
83 #define NGX_SSL_SSLv2 2
84 #define NGX_SSL_SSLv3 4
85 #define NGX_SSL_TLSv1 8
83 #define NGX_SSL_SSLv2 0x0002
84 #define NGX_SSL_SSLv3 0x0004
85 #define NGX_SSL_TLSv1 0x0008
86 #define NGX_SSL_TLSv1_1 0x0010
87 #define NGX_SSL_TLSv1_2 0x0020
8688
8789
8890 #define NGX_SSL_BUFFER 1
35973597 plcf->upstream.ssl->log = cf->log;
35983598
35993599 if (ngx_ssl_create(plcf->upstream.ssl,
3600 NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
3600 NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
3601 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
3602 NULL)
36013603 != NGX_OK)
36023604 {
36033605 return NGX_ERROR;
3636 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
3737 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
3838 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
39 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
40 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
3941 { ngx_null_string, 0 }
4042 };
4143
363365 prev->prefer_server_ciphers, 0);
364366
365367 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
366 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
368 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
369 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
367370
368371 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
369372 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
3636 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
3737 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
3838 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
39 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
40 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
3941 { ngx_null_string, 0 }
4042 };
4143
205207 prev->prefer_server_ciphers, 0);
206208
207209 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
208 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
210 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
211 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
209212
210213 ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
211214 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");