Commit 4f578bfcab740fcfbbb8824822803ad9b3f176cc - nginx

SSL: ngx_ssl_ciphers() to set list of ciphers. This patch moves various OpenSSL-specific function calls into the OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more crypto-library-agnostic. Tim Taubert 6 years ago

8 changed file(s) with 44 addition(s) and 66 deletion(s). Raw diff Collapse all Expand all

+24

-0

src/event/ngx_event_openssl.c less more

587	587	ngx_memcpy(buf, pwd->data, size);
588	588
589	589	return size;
	590	}
	591
	592
	593	ngx_int_t
	594	ngx_ssl_ciphers(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *ciphers,
	595	ngx_uint_t prefer_server_ciphers)
	596	{
	597	if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
	598	ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
	599	"SSL_CTX_set_cipher_list(\"%V\") failed",
	600	ciphers);
	601	return NGX_ERROR;
	602	}
	603
	604	if (prefer_server_ciphers) {
	605	SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
	606	}
	607
	608	#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
	609	/* a temporary 512-bit RSA key is required for export versions of MSIE */
	610	SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
	611	#endif
	612
	613	return NGX_OK;
590	614	}
591	615
592	616

-0

src/event/ngx_event_openssl.h less more

143	143	ngx_array_t certs, ngx_array_t keys, ngx_array_t *passwords);
144	144	ngx_int_t ngx_ssl_certificate(ngx_conf_t cf, ngx_ssl_t ssl,
145	145	ngx_str_t cert, ngx_str_t key, ngx_array_t *passwords);
	146	ngx_int_t ngx_ssl_ciphers(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *ciphers,
	147	ngx_uint_t prefer_server_ciphers);
146	148	ngx_int_t ngx_ssl_client_certificate(ngx_conf_t cf, ngx_ssl_t ssl,
147	149	ngx_str_t *cert, ngx_int_t depth);
148	150	ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t cf, ngx_ssl_t ssl,

-6

src/http/modules/ngx_http_proxy_module.c less more

4322	4322	}
4323	4323	}
4324	4324
4325		if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
4326		(const char *) plcf->ssl_ciphers.data)
4327		== 0)
	4325	if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
	4326	!= NGX_OK)
4328	4327	{
4329		ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
4330		"SSL_CTX_set_cipher_list(\"%V\") failed",
4331		&plcf->ssl_ciphers);
4332	4328	return NGX_ERROR;
4333	4329	}
4334	4330

-15

src/http/modules/ngx_http_ssl_module.c less more

688	688	return NGX_CONF_ERROR;
689	689	}
690	690
691		if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
692		(const char *) conf->ciphers.data)
693		== 0)
	691	if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
	692	conf->prefer_server_ciphers)
	693	!= NGX_OK)
694	694	{
695		ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
696		"SSL_CTX_set_cipher_list(\"%V\") failed",
697		&conf->ciphers);
698	695	return NGX_CONF_ERROR;
699	696	}
700	697

729	726	return NGX_CONF_ERROR;
730	727	}
731	728
732		if (conf->prefer_server_ciphers) {
733		SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
734		}
735
736		#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
737		/* a temporary 512-bit RSA key is required for export versions of MSIE */
738		SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
739		#endif
740
741	729	if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
742	730	return NGX_CONF_ERROR;
743	731	}

-6

src/http/modules/ngx_http_uwsgi_module.c less more

2324	2324	}
2325	2325	}
2326	2326
2327		if (SSL_CTX_set_cipher_list(uwcf->upstream.ssl->ctx,
2328		(const char *) uwcf->ssl_ciphers.data)
2329		== 0)
	2327	if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
	2328	!= NGX_OK)
2330	2329	{
2331		ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
2332		"SSL_CTX_set_cipher_list(\"%V\") failed",
2333		&uwcf->ssl_ciphers);
2334	2330	return NGX_ERROR;
2335	2331	}
2336	2332

-16

src/mail/ngx_mail_ssl_module.c less more

421	421	}
422	422	}
423	423
424		if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
425		(const char *) conf->ciphers.data)
426		== 0)
	424	if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
	425	conf->prefer_server_ciphers)
	426	!= NGX_OK)
427	427	{
428		ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
429		"SSL_CTX_set_cipher_list(\"%V\") failed",
430		&conf->ciphers);
431		return NGX_CONF_ERROR;
432		}
433
434		if (conf->prefer_server_ciphers) {
435		SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
436		}
437
438		#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
439		SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
440		#endif
	428	return NGX_CONF_ERROR;
	429	}
441	430
442	431	if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
443	432	return NGX_CONF_ERROR;

-7

src/stream/ngx_stream_proxy_module.c less more

1639	1639	}
1640	1640	}
1641	1641
1642		if (SSL_CTX_set_cipher_list(pscf->ssl->ctx,
1643		(const char *) pscf->ssl_ciphers.data)
1644		== 0)
1645		{
1646		ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
1647		"SSL_CTX_set_cipher_list(\"%V\") failed",
1648		&pscf->ssl_ciphers);
	1642	if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
1649	1643	return NGX_ERROR;
1650	1644	}
1651	1645

-16

src/stream/ngx_stream_ssl_module.c less more

265	265	return NGX_CONF_ERROR;
266	266	}
267	267
268		if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
269		(const char *) conf->ciphers.data)
270		== 0)
	268	if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
	269	conf->prefer_server_ciphers)
	270	!= NGX_OK)
271	271	{
272		ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
273		"SSL_CTX_set_cipher_list(\"%V\") failed",
274		&conf->ciphers);
275		return NGX_CONF_ERROR;
276		}
277
278		if (conf->prefer_server_ciphers) {
279		SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
280		}
281
282		#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
283		SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
284		#endif
	272	return NGX_CONF_ERROR;
	273	}
285	274
286	275	if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
287	276	return NGX_CONF_ERROR;