[PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

Sergey Kandaurov pluknet at nginx.com
Wed Oct 29 19:11:27 UTC 2014


On Oct 29, 2014, at 9:09 PM, Sergey Kandaurov <pluknet at nginx.com> wrote:

> On Oct 28, 2014, at 12:38 AM, Piotr Sikora <piotr at cloudflare.com> wrote:
>> Also, I think that PKCS#12 support should be added in a separate
>> commit, instead of mixing it with semi-related fix.
> 
> How so? It is not about adding error handling support for yet another format,
> because it was already there but was broken for the same reason after 1.0.1j.
> 
> Below is an updated patch with fixed header inclusion I’d like to commit.

Alternatively, remove error collection that doesn’t really make much sense.
It’s an open set and we cannot be sure that all of them are enumerated.

# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1414150080 25200
#      Fri Oct 24 04:28:00 2014 -0700
# Node ID 47728601e542cab9406ea323576f6df5adfff193
# Parent  973fded4f461f3a397779b3a1dc80881b1b34974
SSL: simplified ssl_password_file error handling.

Instead of collecting a number of the possible SSL_CTX_use_PrivateKey_file()
error codes, which becomes more and more difficult with the rising variety of
OpenSSL versions and their derivatives, just continue with the next passphrase.

This fixes multiple passwords in a single ssl_password_file, which was broken
after recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

diff -r 973fded4f461 -r 47728601e542 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Wed Oct 15 22:57:23 2014 +0400
+++ b/src/event/ngx_event_openssl.c	Fri Oct 24 04:28:00 2014 -0700
@@ -404,20 +404,9 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
         }
 
         if (--tries) {
-            n = ERR_peek_error();
-
-#ifdef OPENSSL_IS_BORINGSSL
-            if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
-                && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
-#else
-            if (ERR_GET_LIB(n) == ERR_LIB_EVP
-                && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
-#endif
-            {
-                ERR_clear_error();
-                SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
-                continue;
-            }
+            ERR_clear_error();
+            SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
+            continue;
         }
 
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
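Review bot: with the ERR_LIB_EVP/ERR_LIB_CIPHER bad-decrypt check gone, the `if (--tries)` branch now retries with the next passphrase on any failure of SSL_CTX_use_PrivateKey_file(), not only on a wrong passphrase; a key file that is missing, unreadable or malformed will be attempted once per entry in ssl_password_file before ngx_ssl_error() is reached, and because ERR_clear_error() is called before each retry, only the error from the final attempt is logged. That is acceptable if the final error is the same as the first one, but the commit message should state that non-passphrase errors are now reported only after all passphrases have been tried. Also, since `n = ERR_peek_error();` is removed and `n` no longer appears in this hunk, check whether its declaration (outside this hunk) is still used; if not, drop it to avoid an unused-variable warning, and likewise drop the header inclusion the earlier version of this patch added for the EVP_R_BAD_DECRYPT/CIPHER_R_BAD_DECRYPT constants if nothing else in the file needs it.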


-- 
Sergey Kandaurov