[nginx] svn commit: r4447 - in branches/stable-1.0: . src/event src/http/modules src/mail
mdounin at mdounin.ru
mdounin at mdounin.ru
Sun Feb 5 19:15:10 UTC 2012
Author: mdounin
Date: 2012-02-05 19:15:09 +0000 (Sun, 05 Feb 2012)
New Revision: 4447
Log:
Merge of r4401, r4415:
SSL changes:
*) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in
OpenSSL 1.0.1 (-beta1 was recently released). This change makes it
possible to disable these protocols and/or enable them without other
protocols.
*) Removed ENGINE_load_builtin_engines() call.
It's already called by OPENSSL_config(). Calling it again causes
some openssl engines (notably GOST) to corrupt memory, as they don't
expect to be created more than once.
Modified:
branches/stable-1.0/
branches/stable-1.0/src/event/ngx_event_openssl.c
branches/stable-1.0/src/event/ngx_event_openssl.h
branches/stable-1.0/src/http/modules/ngx_http_proxy_module.c
branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c
branches/stable-1.0/src/mail/ngx_mail_ssl_module.c
Property changes on: branches/stable-1.0
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk:3960-3974,3977-3987,3991-3996,3998,4000-4018,4020,4023,4025-4027,4034-4065,4073,4077,4086-4090,4094-4102,4106-4108,4113-4114,4129-4137,4143-4144,4147-4158,4177,4179,4182-4184,4186-4187,4189-4205,4207,4209-4210,4212,4217-4223,4227-4232,4235-4237,4265-4268,4270,4274-4276,4278-4280,4282-4284,4294-4295,4298,4300-4309,4313,4315,4320-4321,4326-4327,4335-4336,4338-4343,4372-4375,4377,4379,4381-4385,4393,4396,4398,4400,4403
+ /trunk:3960-3974,3977-3987,3991-3996,3998,4000-4018,4020,4023,4025-4027,4034-4065,4073,4077,4086-4090,4094-4102,4106-4108,4113-4114,4129-4137,4143-4144,4147-4158,4177,4179,4182-4184,4186-4187,4189-4205,4207,4209-4210,4212,4217-4223,4227-4232,4235-4237,4265-4268,4270,4274-4276,4278-4280,4282-4284,4294-4295,4298,4300-4309,4313,4315,4320-4321,4326-4327,4335-4336,4338-4343,4372-4375,4377,4379,4381-4385,4393,4396,4398,4400-4401,4403,4415
Modified: branches/stable-1.0/src/event/ngx_event_openssl.c
===================================================================
--- branches/stable-1.0/src/event/ngx_event_openssl.c 2012-02-05 19:06:52 UTC (rev 4446)
+++ branches/stable-1.0/src/event/ngx_event_openssl.c 2012-02-05 19:15:09 UTC (rev 4447)
@@ -78,18 +78,6 @@
};
-static long ngx_ssl_protocols[] = {
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,
- SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
- SSL_OP_NO_SSLv3,
- SSL_OP_NO_SSLv2,
- 0,
-};
-
-
int ngx_ssl_connection_index;
int ngx_ssl_server_conf_index;
int ngx_ssl_session_cache_index;
@@ -103,8 +91,6 @@
SSL_library_init();
SSL_load_error_strings();
- ENGINE_load_builtin_engines();
-
OpenSSL_add_all_algorithms();
ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
@@ -171,9 +157,25 @@
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
- if (ngx_ssl_protocols[protocols >> 1] != 0) {
- SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
+ if (!(protocols & NGX_SSL_SSLv2)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
}
+ if (!(protocols & NGX_SSL_SSLv3)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
+ }
+ if (!(protocols & NGX_SSL_TLSv1)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
+ }
+#ifdef SSL_OP_NO_TLSv1_1
+ if (!(protocols & NGX_SSL_TLSv1_1)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+ }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (!(protocols & NGX_SSL_TLSv1_2)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
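Review bot: The two new `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` checks compile away silently on OpenSSL headers that lack these options, while the protocol tables in ngx_http_ssl_module.c and ngx_mail_ssl_module.c accept "TLSv1.1" and "TLSv1.2" unconditionally. On such a build `ssl_protocols TLSv1.2;` would set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1 and leave no usable protocol, and the operator would only see failed handshakes. I would compute the set of bits the linked library supports and log through `ssl->log` (or return NGX_ERROR) when `protocols` contains none of them. At minimum, add a comment such as `/* TLSv1.1/TLSv1.2 bits are ignored when OpenSSL does not define the matching SSL_OP_NO_* option */`. The enclosing function starts and ends outside this hunk, so the exact placement of the check needs confirming against the full body.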
Modified: branches/stable-1.0/src/event/ngx_event_openssl.h
===================================================================
--- branches/stable-1.0/src/event/ngx_event_openssl.h 2012-02-05 19:06:52 UTC (rev 4446)
+++ branches/stable-1.0/src/event/ngx_event_openssl.h 2012-02-05 19:15:09 UTC (rev 4447)
@@ -81,9 +81,11 @@
-#define NGX_SSL_SSLv2 2
-#define NGX_SSL_SSLv3 4
-#define NGX_SSL_TLSv1 8
+#define NGX_SSL_SSLv2 0x0002
+#define NGX_SSL_SSLv3 0x0004
+#define NGX_SSL_TLSv1 0x0008
+#define NGX_SSL_TLSv1_1 0x0010
+#define NGX_SSL_TLSv1_2 0x0020
#define NGX_SSL_BUFFER 1
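Review bot: The protocol constants have no comment saying they are bit flags that get OR-ed with NGX_CONF_BITMASK_SET, which is presumably why they start at 0x0002 rather than 0x0001. A one-line comment above the group would make the reserved low bit explicit for whoever adds the next protocol, for example `/* ssl_protocols bits; bit 0 is left free for NGX_CONF_BITMASK_SET */`. NGX_SSL_BUFFER on the following line has the value 1 but appears to belong to a different flag set, so a blank line or a short comment separating it from the protocol bits would avoid confusion.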
Modified: branches/stable-1.0/src/http/modules/ngx_http_proxy_module.c
===================================================================
--- branches/stable-1.0/src/http/modules/ngx_http_proxy_module.c 2012-02-05 19:06:52 UTC (rev 4446)
+++ branches/stable-1.0/src/http/modules/ngx_http_proxy_module.c 2012-02-05 19:15:09 UTC (rev 4447)
@@ -2766,7 +2766,9 @@
plcf->upstream.ssl->log = cf->log;
if (ngx_ssl_create(plcf->upstream.ssl,
- NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
+ NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
+ NULL)
!= NGX_OK)
{
return NGX_ERROR;
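Review bot: The upstream protocol mask passed to `ngx_ssl_create()` is still hard-coded and still includes NGX_SSL_SSLv2, so proxied HTTPS connections can negotiate a protocol that RFC 6176 prohibits, and nothing visible here lets an operator restrict it. Since this line is being touched anyway, I would drop SSLv2 from the mask: `NGX_SSL_SSLv3|NGX_SSL_TLSv1` followed by `|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,`. That changes behaviour for any upstream that speaks only SSLv2, so it deserves a changelog entry. Longer term, a directive mirroring `ssl_protocols` for the proxy side would let the protocol set be tightened per location. The enclosing function begins and ends outside this hunk.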
Modified: branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c
===================================================================
--- branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c 2012-02-05 19:06:52 UTC (rev 4446)
+++ branches/stable-1.0/src/http/modules/ngx_http_ssl_module.c 2012-02-05 19:15:09 UTC (rev 4447)
@@ -37,6 +37,8 @@
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 },
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
+ { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_null_string, 0 }
};
@@ -364,7 +366,8 @@
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+ (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
Modified: branches/stable-1.0/src/mail/ngx_mail_ssl_module.c
===================================================================
--- branches/stable-1.0/src/mail/ngx_mail_ssl_module.c 2012-02-05 19:06:52 UTC (rev 4446)
+++ branches/stable-1.0/src/mail/ngx_mail_ssl_module.c 2012-02-05 19:15:09 UTC (rev 4447)
@@ -37,6 +37,8 @@
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 },
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
+ { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_null_string, 0 }
};
@@ -206,7 +208,8 @@
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+ (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");