[PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

Piotr Sikora piotr at cloudflare.com
Wed Oct 29 19:27:40 UTC 2014


Hey Sergey,

> Alternatively, remove error collection that doesn’t really make much sense.
> It’s an open set and we cannot predict for sure all of them enumerated.

That's also a valid approach, but the commit is wrong.

> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1414150080 25200
> #      Fri Oct 24 04:28:00 2014 -0700
> # Node ID 47728601e542cab9406ea323576f6df5adfff193
> # Parent  973fded4f461f3a397779b3a1dc80881b1b34974
> SSL: simplified ssl_password_file error handling.
>
> Instead of collecting a number of the possible SSL_CTX_use_PrivateKey_file()
> error codes that becomes more and more difficult with the rising variety of
> OpenSSL versions and its derivatives, just continue with the next passphrase.
>
> This fixes multiple passwords in a single ssl_password_file that was broken
> after recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Not even "Reported by"? :P

> diff -r 973fded4f461 -r 47728601e542 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Wed Oct 15 22:57:23 2014 +0400
> +++ b/src/event/ngx_event_openssl.c     Fri Oct 24 04:28:00 2014 -0700
> @@ -404,20 +404,9 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
>          }
>
>          if (--tries) {
> -            n = ERR_peek_error();
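Review bot: dropping `n = ERR_peek_error();` inside the `if (--tries)` branch leaves no visible replacement assignment to `n`, yet the surrounding code still relies on `n` to report the error once the last passphrase has been tried and all of them have failed. With the assignment gone, the final diagnostic would print whatever stale value `n` happened to hold, which makes a genuine wrong-passphrase or corrupt-key failure harder to distinguish from any other load error in the log. Suggest keeping a single `n = ERR_peek_error();` after the retry loop, immediately before the error is reported, so that "continue with the next passphrase" still ends with an accurate error code for the last attempt.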

n is being used to print the final error, after the use of the last
password fails, so you cannot completely remove it. You should
probably just move it after the if loop.

Best regards,
Piotr Sikora



More information about the nginx-devel mailing list