diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2023-06-21 01:29:55 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2023-06-21 01:29:55 +0300 |
| commit | 2038b46e25b74c16b36ce27f4c8064f2ab2af5a9 (patch) | |
| tree | 9a5c74244399c69a119c52ac1c434c848c4ce134 /src | |
| parent | 1c6183725247024f1bca73ac9a833098af7558af (diff) | |
| download | nginx-2038b46e25b74c16b36ce27f4c8064f2ab2af5a9.tar.gz nginx-2038b46e25b74c16b36ce27f4c8064f2ab2af5a9.zip | |
SSL: provided "nginx" appname when loading OpenSSL configs.
Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
configuration section first, and then falls back to the "openssl_conf"
default section if application-specific section is not found, by using
CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION). Therefore this
change is not expected to introduce any compatibility issues with existing
configurations. It does, however, make it easier to configure specific
OpenSSL settings for nginx in system-wide OpenSSL configuration
(ticket #2449).
Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
true, and also explicitly excludes LibreSSL. This ensures that this interface
is not used with BoringSSL and LibreSSL, which do not provide additional
library initialization settings, notably the OPENSSL_INIT_set_config_appname()
call.
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/ngx_event_openssl.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index c38aa27f1..32cdabf0b 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -140,13 +140,31 @@ int ngx_ssl_stapling_index; ngx_int_t ngx_ssl_init(ngx_log_t *log) { -#if OPENSSL_VERSION_NUMBER >= 0x10100003L +#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER) + + OPENSSL_INIT_SETTINGS *init; + + init = OPENSSL_INIT_new(); + if (init == NULL) { + ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed"); + return NGX_ERROR; + } - if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) { +#ifndef OPENSSL_NO_STDIO + if (OPENSSL_INIT_set_config_appname(init, "nginx") == 0) { + ngx_ssl_error(NGX_LOG_ALERT, log, 0, + "OPENSSL_INIT_set_config_appname() failed"); + return NGX_ERROR; + } +#endif + + if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) { ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); return NGX_ERROR; } + OPENSSL_INIT_free(init); + /* * OPENSSL_init_ssl() may leave errors in the error queue * while returning success @@ -156,7 +174,7 @@ ngx_ssl_init(ngx_log_t *log) #else - OPENSSL_config(NULL); + OPENSSL_config("nginx"); SSL_library_init(); SSL_load_error_strings(); |