authorMaxim Dounin <mdounin@mdounin.ru>2015-03-23 02:42:32 +0300
committerMaxim Dounin <mdounin@mdounin.ru>2015-03-23 02:42:32 +0300
commitb0d8ff55a1560f4f373319075cd452992de8c74b (patch)
treed6607001fbb609064fe3730663ff8bf57a74a452 /src
parentcc569b92528373694ae3ebc3649b35c9fb6ba540 (diff)
downloadnginx-b0d8ff55a1560f4f373319075cd452992de8c74b.tar.gz
nginx-b0d8ff55a1560f4f373319075cd452992de8c74b.zip
SSL: clear protocol options.
LibreSSL 2.1.1+ started to set SSL_OP_NO_SSLv3 option by default on new contexts. This makes sure to clear it to make it possible to use SSLv3 with LibreSSL if enabled in nginx config. Prodded by Kuramoto Eiji.
Diffstat (limited to 'src')
-rw-r--r--src/event/ngx_event_openssl.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index f8e4fab4b..83186f582 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -249,6 +249,12 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
+#ifdef SSL_CTRL_CLEAR_OPTIONS
+ /* only in 0.9.8m+ */
+ SSL_CTX_clear_options(ssl->ctx,
+ SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+#endif
+
if (!(protocols & NGX_SSL_SSLv2)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
}
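Review bot: The comment on the added `SSL_CTX_clear_options()` call (`only in 0.9.8m+`) explains the `#ifdef` but not why library-set protocol restrictions are being discarded, which is the security-relevant part of this block. After this call the `protocols` mask alone decides whether SSLv2, SSLv3 and TLSv1 are offered, so a library default such as the `SSL_OP_NO_SSLv3` named in the commit message no longer acts as a backstop. I would extend the comment to something like `/* drop protocol-disabling defaults set by the library (LibreSSL 2.1.1+ sets SSL_OP_NO_SSLv3); the protocols mask below is authoritative */`. ngx_ssl_create starts and ends outside the hunk, so the default value of `protocols` is not visible here; it is worth confirming that SSLv3 is enabled only when the configuration asks for it.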
@@ -259,11 +265,13 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
}
#ifdef SSL_OP_NO_TLSv1_1
+ SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
if (!(protocols & NGX_SSL_TLSv1_1)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
}
#endif
#ifdef SSL_OP_NO_TLSv1_2
+ SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
if (!(protocols & NGX_SSL_TLSv1_2)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
}
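Review bot: The two added `SSL_CTX_clear_options()` calls for `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` are guarded only by the `#ifdef` for the option itself, while the same call in the first hunk is wrapped in `#ifdef SSL_CTRL_CLEAR_OPTIONS`. This is presumably safe, because a library that defines the TLS 1.1/1.2 options should be newer than the 0.9.8m noted in the first hunk, but the asymmetry reads like an omission. A short comment at the first of the two calls, for example `/* SSL_OP_NO_TLSv1_1 implies SSL_CTX_clear_options() is available */`, would settle it for the next reader. The closing `#endif` of the last block and the rest of ngx_ssl_create are outside the hunk.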