[PATCH] SSL: support automatic selection of ECDH temporary key parameters

Maxim Dounin mdounin at mdounin.ru
Wed Apr 16 10:00:13 UTC 2014


Hello!

On Tue, Apr 15, 2014 at 12:44:37PM -0700, Piotr Sikora wrote:

> Hey Maxim,
> 
> >> - If nginx was compiled with OpenSSL 1.0.2, but used with an
> >>   older version, things will not work at all; this is not something
> >>   completely unacceptable, but it's something we may want to
> >>   avoid.
> >
> > Will look into it.
> 
> How about adding a check to make sure that the OpenSSL version nginx was
> built against (i.e. version info from the headers) matches the version
> from the library we're loading (i.e. version info from the runtime)?

I don't think a check per se is a good idea - in particular, nginx 
should be able to start with any newer version of OpenSSL.

If there is no easy solution (like, e.g., with SNI, where we check 
SSL_CTX_set_tlsext_servername_callback() result and act 
accordingly) - there is no need to bother.

-- 
Maxim Dounin
http://nginx.org/
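
The two positions in this thread (compare the header version with the runtime version, but still start with any newer library) can be combined into one check, shown here as an added example that is not part of the original message or of nginx. It assumes the OpenSSL 1.0.x version-number layout 0xMNNFFPPS; the helper names are hypothetical and the version values are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs its version number as 0xMNNFFPPS: major, minor, fix,
 * patch letter (1 = 'a') and status (0xf = release). In a real build the
 * two inputs would be OPENSSL_VERSION_NUMBER (headers) and SSLeay()
 * (loaded library); the helper names here are hypothetical. */
static void ossl_format(unsigned long v, char *buf, size_t len)
{
    unsigned patch = (unsigned) ((v >> 4) & 0xff);
    char letter[2] = { 0, 0 };

    if (patch >= 1 && patch <= 26) {
        letter[0] = (char) ('a' + patch - 1);
    }
    snprintf(buf, len, "%lu.%lu.%lu%s", (v >> 28) & 0xf, (v >> 20) & 0xff,
             (v >> 12) & 0xff, letter);
}

/* An exact-match check would refuse newer libraries, so only a runtime
 * older than the headers is rejected.
 * Returns 1 if startup should proceed, 0 otherwise. */
static int ossl_runtime_acceptable(unsigned long built, unsigned long runtime)
{
    return runtime >= built;
}

int main(void)
{
    /* Constructed sample values: built against 1.0.2, three runtimes. */
    unsigned long built = 0x1000200fUL;
    unsigned long runtimes[] = { 0x1000107fUL, 0x1000200fUL, 0x1000201fUL };
    char b[16], r[16];
    size_t i;

    ossl_format(built, b, sizeof(b));
    for (i = 0; i < sizeof(runtimes) / sizeof(runtimes[0]); i++) {
        ossl_format(runtimes[i], r, sizeof(r));
        printf("built %s, runtime %s: %s\n", b, r,
               ossl_runtime_acceptable(built, runtimes[i])
                   ? "ok" : "runtime older than headers");
    }
    return 0;
}
```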


