[PATCH] Add ngx_ssl_ciphers() to set list of cipher suites in openssl module

Maxim Dounin mdounin at mdounin.ru
Wed Jun 15 16:57:07 UTC 2016


Hello!

On Wed, Jun 15, 2016 at 10:44:13AM +0100, Tim Taubert wrote:

> # HG changeset patch
> # User Tim Taubert <tim at timtaubert.de>
> # Date 1465983726 -3600
> #      Wed Jun 15 10:42:06 2016 +0100
> # Node ID f42955a35ac0363553fd887ec88a93d51bac8c9e
> # Parent  1064ea81ed3aabb8ad422ffcc60ddcde667022ac
> SSL: ngx_ssl_ciphers() to set list of ciphers.
> 
> This patch replaces all calls to SSL_CTX_set_cipher_list() with
> ngx_ssl_ciphers() to make nginx more crypto-library-agnostic.

[...]

>  ngx_int_t
> +ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers)
> +{
> +    if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
> +        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> +                      "SSL_CTX_set_cipher_list(\"%V\") failed",
> +                      ciphers);
> +        return NGX_ERROR;
> +    }
> +
> +    if (cf->prefer_server_ciphers) {
> +        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> +    }

This is not going to work, as ngx_conf_t does not have the 
prefer_server_ciphers in it:

src/event/ngx_event_openssl.c:604:13: error: no member named
      'prefer_server_ciphers' in 'struct ngx_conf_s'
    if (cf->prefer_server_ciphers) {
        ~~  ^
1 error generated.

You have to pass the prefer_server_ciphers value as a function 
argument, much like "ciphers".

[...]

> @@ -725,20 +719,16 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>      {
>          return NGX_CONF_ERROR;
>      }
>  
>      if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
>          return NGX_CONF_ERROR;
>      }
>  
> -    if (conf->prefer_server_ciphers) {
> -        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> -    }
> -
>  #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
>      /* a temporary 512-bit RSA key is required for export versions of MSIE */
>      SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
>  #endif
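Review bot: removing the `conf->prefer_server_ciphers` block here is only behaviour-preserving if the ngx_ssl_ciphers() call in this same function receives `conf->prefer_server_ciphers` as an argument, and that call is outside the visible context, so please show it in the next revision; with the function as currently written the server-preference setting would be lost rather than moved. The `SSL_CTX_set_tmp_rsa_callback()` block left in the `#if` just below is also a direct OpenSSL call in the http module, which works against the patch's stated goal of keeping crypto-library specifics in ngx_event_openssl.c, so it is a candidate for the same treatment.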

And here is another candidate for the move to the function.

[...]

-- 
Maxim Dounin
http://nginx.org/
