[PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

Sergey Kandaurov pluknet at nginx.com
Wed Oct 29 18:09:57 UTC 2014


On Oct 28, 2014, at 12:38 AM, Piotr Sikora <piotr at cloudflare.com> wrote:
> Also, I think that PKCS#12 support should be added in a separate
> commit, instead of mixing it with semi-related fix.

How so? It is not about adding error handling support for yet another format,
because it was already there but was broken for the same reason after 1.0.1j.

Below is an updated patch with fixed header inclusion I’d like to commit.

# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1414150080 25200
#      Fri Oct 24 04:28:00 2014 -0700
# Node ID 8316cb9139f5f5b0fb39969006d68708f22f312d
# Parent  973fded4f461f3a397779b3a1dc80881b1b34974
SSL: make ssl_password_file work with recent OpenSSL releases.

Multiple passwords in a single ssl_password_file feature was broken after
recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Wed Oct 15 22:57:23 2014 +0400
+++ b/src/event/ngx_event_openssl.c	Fri Oct 24 04:28:00 2014 -0700
@@ -410,8 +410,12 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
             if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
                 && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
 #else
-            if (ERR_GET_LIB(n) == ERR_LIB_EVP
-                && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+            if ((ERR_GET_LIB(n) == ERR_LIB_PEM
+                 && ERR_GET_REASON(n) == PEM_R_BAD_DECRYPT)
+                || (ERR_GET_LIB(n) == ERR_LIB_EVP
+                    && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+                || (ERR_GET_LIB(n) == ERR_LIB_PKCS12
+                    && ERR_GET_REASON(n) == PKCS12_R_PKCS12_CIPHERFINAL_ERROR))
 #endif
             {
                 ERR_clear_error();
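Review bot: the widened condition in the `#else` branch now matches three error libraries (PEM, EVP, PKCS12) without recording which OpenSSL builds raise which code, so a later reader cannot tell whether any arm is dead; a comment above the `if` mapping them (PEM_R_BAD_DECRYPT for the releases listed in the commit message, EVP_R_BAD_DECRYPT for the older releases the removed check served, PKCS12_R_PKCS12_CIPHERFINAL_ERROR for PKCS#12 containers) would keep that reasoning with the code. Also confirm that the `#if` this `#else` pairs with (not in the hunk context) is the same OPENSSL_IS_BORINGSSL test that guards the new `<openssl/pkcs12.h>` include, since ERR_LIB_PKCS12 and PKCS12_R_PKCS12_CIPHERFINAL_ERROR are only declared when that include is taken.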
diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Wed Oct 15 22:57:23 2014 +0400
+++ b/src/event/ngx_event_openssl.h	Fri Oct 24 04:28:00 2014 -0700
@@ -25,6 +25,9 @@
 #ifndef OPENSSL_NO_OCSP
 #include <openssl/ocsp.h>
 #endif
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/pkcs12.h>
+#endif
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
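Review bot: the new include is wrapped in `#ifndef OPENSSL_IS_BORINGSSL` without saying why, unlike the neighbouring `#ifndef OPENSSL_NO_OCSP` block whose macro name explains itself; a one-line comment stating that the PKCS12 header and its error codes are unavailable under BoringSSL would make the guard self-documenting and remind anyone touching ngx_event_openssl.c that every use of PKCS12 symbols must stay under the matching guard.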

-- 
Sergey Kandaurov