Merge of r4401, r4415:
SSL changes:
*) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in
OpenSSL 1.0.1 (-beta1 was recently released). This change makes it
possible to disable these protocols and/or enable them without other
protocols.
*) Removed ENGINE_load_builtin_engines() call.
It's already called by OPENSSL_config(). Calling it again causes
some openssl engines (notably GOST) to corrupt memory, as they don't
expect to be created more than once.
Maxim Dounin
10 years ago
| 77 | 77 | }; |
| 78 | 78 | |
| 79 | 79 | |
| 80 | static long ngx_ssl_protocols[] = { | |
| 81 | SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
| 82 | SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
| 83 | SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1, | |
| 84 | SSL_OP_NO_TLSv1, | |
| 85 | SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, | |
| 86 | SSL_OP_NO_SSLv3, | |
| 87 | SSL_OP_NO_SSLv2, | |
| 88 | 0, | |
| 89 | }; | |
| 90 | ||
| 91 | ||
| 92 | 80 | int ngx_ssl_connection_index; |
| 93 | 81 | int ngx_ssl_server_conf_index; |
| 94 | 82 | int ngx_ssl_session_cache_index; |
| 101 | 89 | |
| 102 | 90 | SSL_library_init(); |
| 103 | 91 | SSL_load_error_strings(); |
| 104 | ||
| 105 | ENGINE_load_builtin_engines(); | |
| 106 | 92 | |
| 107 | 93 | OpenSSL_add_all_algorithms(); |
| 108 | 94 | |
| 170 | 156 | |
| 171 | 157 | SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
| 172 | 158 | |
| 173 | if (ngx_ssl_protocols[protocols >> 1] != 0) { | |
| 174 | SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); | |
| 175 | } | |
| 159 | if (!(protocols & NGX_SSL_SSLv2)) { | |
| 160 | SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); | |
| 161 | } | |
| 162 | if (!(protocols & NGX_SSL_SSLv3)) { | |
| 163 | SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); | |
| 164 | } | |
| 165 | if (!(protocols & NGX_SSL_TLSv1)) { | |
| 166 | SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); | |
| 167 | } | |
| 168 | #ifdef SSL_OP_NO_TLSv1_1 | |
| 169 | if (!(protocols & NGX_SSL_TLSv1_1)) { | |
| 170 | SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); | |
| 171 | } | |
| 172 | #endif | |
| 173 | #ifdef SSL_OP_NO_TLSv1_2 | |
| 174 | if (!(protocols & NGX_SSL_TLSv1_2)) { | |
| 175 | SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); | |
| 176 | } | |
| 177 | #endif | |
| 176 | 178 | |
| 177 | 179 | #ifdef SSL_OP_NO_COMPRESSION |
| 178 | 180 | SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
| 80 | 80 | |
| 81 | 81 | |
| 82 | 82 | |
| 83 | #define NGX_SSL_SSLv2 2 | |
| 84 | #define NGX_SSL_SSLv3 4 | |
| 85 | #define NGX_SSL_TLSv1 8 | |
| 83 | #define NGX_SSL_SSLv2 0x0002 | |
| 84 | #define NGX_SSL_SSLv3 0x0004 | |
| 85 | #define NGX_SSL_TLSv1 0x0008 | |
| 86 | #define NGX_SSL_TLSv1_1 0x0010 | |
| 87 | #define NGX_SSL_TLSv1_2 0x0020 | |
| 86 | 88 | |
| 87 | 89 | |
| 88 | 90 | #define NGX_SSL_BUFFER 1 |
| 2765 | 2765 | plcf->upstream.ssl->log = cf->log; |
| 2766 | 2766 | |
| 2767 | 2767 | if (ngx_ssl_create(plcf->upstream.ssl, |
| 2768 | NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL) | |
| 2768 | NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1 | |
| 2769 | |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2, | |
| 2770 | NULL) | |
| 2769 | 2771 | != NGX_OK) |
| 2770 | 2772 | { |
| 2771 | 2773 | return NGX_ERROR; |
| 36 | 36 | { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 37 | 37 | { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, |
| 38 | 38 | { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, |
| 39 | { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
| 40 | { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
| 39 | 41 | { ngx_null_string, 0 } |
| 40 | 42 | }; |
| 41 | 43 | |
| 363 | 365 | prev->prefer_server_ciphers, 0); |
| 364 | 366 | |
| 365 | 367 | ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
| 366 | (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); | |
| 368 | (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 | |
| 369 | |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); | |
| 367 | 370 | |
| 368 | 371 | ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
| 369 | 372 | ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
| 36 | 36 | { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 37 | 37 | { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, |
| 38 | 38 | { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, |
| 39 | { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, | |
| 40 | { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, | |
| 39 | 41 | { ngx_null_string, 0 } |
| 40 | 42 | }; |
| 41 | 43 | |
| 205 | 207 | prev->prefer_server_ciphers, 0); |
| 206 | 208 | |
| 207 | 209 | ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
| 208 | (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); | |
| 210 | (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 | |
| 211 | |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); | |
| 209 | 212 | |
| 210 | 213 | ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
| 211 | 214 | ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); |