diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2018-07-16 17:47:20 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2018-07-16 17:47:20 +0300 |
| commit | 14561299025b1a85dc7e7d9b5d793a0fa95fd393 (patch) | |
| tree | f571025553a6af05f26a8ef773b705835031b277 /src/http/ngx_http_request.c | |
| parent | b1734fd800ec612f539f9c1699665d0685c2f9e8 (diff) | |
| download | nginx-14561299025b1a85dc7e7d9b5d793a0fa95fd393.tar.gz nginx-14561299025b1a85dc7e7d9b5d793a0fa95fd393.zip | |
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used. Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.
It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.
Diffstat (limited to 'src/http/ngx_http_request.c')
| -rw-r--r-- | src/http/ngx_http_request.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index f302e561e..979009158 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -912,7 +912,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx)); -#ifdef SSL_CTRL_CLEAR_OPTIONS +#if OPENSSL_VERSION_NUMBER >= 0x009080dfL /* only in 0.9.8m+ */ SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) & ~SSL_CTX_get_options(sscf->ssl.ctx)); |