Klaus Demo nginx / 4f578bf
SSL: ngx_ssl_ciphers() to set list of ciphers. This patch moves various OpenSSL-specific function calls into the OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more crypto-library-agnostic. Tim Taubert 6 years ago
8 changed file(s) with 44 addition(s) and 66 deletion(s). Raw diff Collapse all Expand all
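--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -587,6 +587,30 @@
 ngx_memcpy(buf, pwd->data, size);
 
 return size;
+}
+
+
+ngx_int_t
+ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+ngx_uint_t prefer_server_ciphers)
+{
+if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_set_cipher_list(\"%V\") failed",
+ciphers);
+return NGX_ERROR;
+}
+
+if (prefer_server_ciphers) {
+SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+}
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
+/* a temporary 512-bit RSA key is required for export versions of MSIE */
+SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
+#endif
+
+return NGX_OK;
 }
 
 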
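Review bot: The compatibility block at the bottom of ngx_ssl_ciphers() installs the 512-bit export RSA callback on every context it is handed, so the upstream client contexts that now call it (plcf->upstream.ssl, uwcf->upstream.ssl and pscf->ssl in the later sections) acquire a callback their removed SSL_CTX_set_cipher_list() blocks never set; it is gated on pre-1.1.0 OpenSSL and presumably inert for a client-side context, but it is a behaviour change the description does not mention, so either keep it out of the client path or state it in the comment. The cast on the SSL_CTX_set_cipher_list() line drops the `const` the old call sites used; `(const char *) ciphers->data` matches the parameter type. The call also relies on `ciphers->data` being NUL-terminated, which ngx_str_t does not guarantee by itself, so a comment such as `/* ciphers->data must be NUL-terminated, as configuration strings are */` above it would document the contract, and `cf` is accepted but unused in the body, which is worth a `(void) cf;` or a note if it is reserved for other crypto backends.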
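--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -143,6 +143,8 @@
 ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+ngx_uint_t prefer_server_ciphers);
 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
 ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,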
43224322 }
43234323 }
43244324
4325 if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
4326 (const char *) plcf->ssl_ciphers.data)
4327 == 0)
4325 if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
4326 != NGX_OK)
43284327 {
4329 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
4330 "SSL_CTX_set_cipher_list(\"%V\") failed",
4331 &plcf->ssl_ciphers);
43324328 return NGX_ERROR;
43334329 }
43344330
688688 return NGX_CONF_ERROR;
689689 }
690690
691 if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
692 (const char *) conf->ciphers.data)
693 == 0)
691 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
692 conf->prefer_server_ciphers)
693 != NGX_OK)
694694 {
695 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
696 "SSL_CTX_set_cipher_list(\"%V\") failed",
697 &conf->ciphers);
698695 return NGX_CONF_ERROR;
699696 }
700697
729726 return NGX_CONF_ERROR;
730727 }
731728
732 if (conf->prefer_server_ciphers) {
733 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
734 }
735
736 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
737 /* a temporary 512-bit RSA key is required for export versions of MSIE */
738 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
739 #endif
740
741729 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
742730 return NGX_CONF_ERROR;
743731 }
23242324 }
23252325 }
23262326
2327 if (SSL_CTX_set_cipher_list(uwcf->upstream.ssl->ctx,
2328 (const char *) uwcf->ssl_ciphers.data)
2329 == 0)
2327 if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
2328 != NGX_OK)
23302329 {
2331 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
2332 "SSL_CTX_set_cipher_list(\"%V\") failed",
2333 &uwcf->ssl_ciphers);
23342330 return NGX_ERROR;
23352331 }
23362332
421421 }
422422 }
423423
424 if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
425 (const char *) conf->ciphers.data)
426 == 0)
424 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
425 conf->prefer_server_ciphers)
426 != NGX_OK)
427427 {
428 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
429 "SSL_CTX_set_cipher_list(\"%V\") failed",
430 &conf->ciphers);
431 return NGX_CONF_ERROR;
432 }
433
434 if (conf->prefer_server_ciphers) {
435 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
436 }
437
438 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
439 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
440 #endif
428 return NGX_CONF_ERROR;
429 }
441430
442431 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
443432 return NGX_CONF_ERROR;
16391639 }
16401640 }
16411641
1642 if (SSL_CTX_set_cipher_list(pscf->ssl->ctx,
1643 (const char *) pscf->ssl_ciphers.data)
1644 == 0)
1645 {
1646 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
1647 "SSL_CTX_set_cipher_list(\"%V\") failed",
1648 &pscf->ssl_ciphers);
1642 if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
16491643 return NGX_ERROR;
16501644 }
16511645
265265 return NGX_CONF_ERROR;
266266 }
267267
268 if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
269 (const char *) conf->ciphers.data)
270 == 0)
268 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
269 conf->prefer_server_ciphers)
270 != NGX_OK)
271271 {
272 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
273 "SSL_CTX_set_cipher_list(\"%V\") failed",
274 &conf->ciphers);
275 return NGX_CONF_ERROR;
276 }
277
278 if (conf->prefer_server_ciphers) {
279 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
280 }
281
282 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
283 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
284 #endif
272 return NGX_CONF_ERROR;
273 }
285274
286275 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
287276 return NGX_CONF_ERROR;