Merge of r4401, r4415: SSL changes: *) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1 (-beta1 was recently released). This change makes it possible to disable these protocols and/or enable them without other protocols. *) Removed ENGINE_load_builtin_engines() call. It's already called by OPENSSL_config(). Calling it again causes some openssl engines (notably GOST) to corrupt memory, as they don't expect to be created more than once. Maxim Dounin 10 years ago
5 changed file(s) with 35 addition(s) and 23 deletion(s).
7777 };
7878
7979
80 static long ngx_ssl_protocols[] = {
81 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
82 SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
83 SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,
84 SSL_OP_NO_TLSv1,
85 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
86 SSL_OP_NO_SSLv3,
87 SSL_OP_NO_SSLv2,
88 0,
89 };
90
91
9280 int ngx_ssl_connection_index;
9381 int ngx_ssl_server_conf_index;
9482 int ngx_ssl_session_cache_index;
10189
10290 SSL_library_init();
10391 SSL_load_error_strings();
104
105 ENGINE_load_builtin_engines();
10692
10793 OpenSSL_add_all_algorithms();
10894
170156
171157 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
172158
173 if (ngx_ssl_protocols[protocols >> 1] != 0) {
174 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
175 }
159 if (!(protocols & NGX_SSL_SSLv2)) {
160 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
161 }
162 if (!(protocols & NGX_SSL_SSLv3)) {
163 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
164 }
165 if (!(protocols & NGX_SSL_TLSv1)) {
166 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
167 }
168 #ifdef SSL_OP_NO_TLSv1_1
169 if (!(protocols & NGX_SSL_TLSv1_1)) {
170 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
171 }
172 #endif
173 #ifdef SSL_OP_NO_TLSv1_2
174 if (!(protocols & NGX_SSL_TLSv1_2)) {
175 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
176 }
177 #endif
176178
177179 #ifdef SSL_OP_NO_COMPRESSION
178180 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
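Review bot: The `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards around new lines 168-177 mean the NGX_SSL_TLSv1_1 and NGX_SSL_TLSv1_2 bits are silently ignored when nginx is built against an OpenSSL that predates those options, while the directive parser in the http and mail ssl modules still accepts `TLSv1.1` and `TLSv1.2`. A configuration that lists only those two protocols on such a build presumably ends up with SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1 all set, leaving no negotiable protocol; that is fail-closed rather than a silent fallback, but the behaviour is not obvious from the code, so a short comment would help: `/* TLSv1.1/1.2 bits have no effect if this OpenSSL lacks SSL_OP_NO_TLSv1_1/_2 */`. The enclosing function starts and ends outside the hunk.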
8080
8181
8282
83 #define NGX_SSL_SSLv2 2
84 #define NGX_SSL_SSLv3 4
85 #define NGX_SSL_TLSv1 8
83 #define NGX_SSL_SSLv2 0x0002
84 #define NGX_SSL_SSLv3 0x0004
85 #define NGX_SSL_TLSv1 0x0008
86 #define NGX_SSL_TLSv1_1 0x0010
87 #define NGX_SSL_TLSv1_2 0x0020
8688
8789
8890 #define NGX_SSL_BUFFER 1
27652765 plcf->upstream.ssl->log = cf->log;
27662766
27672767 if (ngx_ssl_create(plcf->upstream.ssl,
2768 NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
2768 NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
2769 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
2770 NULL)
27692771 != NGX_OK)
27702772 {
27712773 return NGX_ERROR;
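Review bot: The hard-coded protocol list passed to ngx_ssl_create at new lines 2768-2769 keeps NGX_SSL_SSLv2 enabled for upstream connections, whereas the server-side defaults merged in the same commit (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2 in the http and mail ssl modules) leave SSLv2 out. If enabling SSLv2 toward upstreams is a deliberate compatibility choice it deserves a comment saying so; otherwise dropping `NGX_SSL_SSLv2` from the list brings the proxy in line with the server defaults. The enclosing function starts and ends outside the hunk.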
3636 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
3737 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
3838 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
39 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
40 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
3941 { ngx_null_string, 0 }
4042 };
4143
363365 prev->prefer_server_ciphers, 0);
364366
365367 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
366 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
368 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
369 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
367370
368371 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
369372 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
3636 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
3737 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
3838 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
39 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
40 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
3941 { ngx_null_string, 0 }
4042 };
4143
205207 prev->prefer_server_ciphers, 0);
206208
207209 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
208 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
210 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
211 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
209212
210213 ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
211214 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");