[PATCH 2 of 2] SSL: let it build against LibreSSL

Piotr Sikora piotr at cloudflare.com
Wed Jul 30 11:42:10 UTC 2014 

# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1406719936 25200
#      Wed Jul 30 04:32:16 2014 -0700
# Node ID 2c5ac97b08f64bd50c5ec52e2f2e3ca8d787fc10
# Parent  3a647f0d5104612c7fa5c9cc1245057a4c0a3dc2
SSL: let it build against LibreSSL.

LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0, so tests
for OpenSSL-1.0.2+ are now passing, even though the library doesn't
provide functions that are expected from that version of OpenSSL.

The #ifndefs around SSL_CTX_set_tmp_rsa_callback() aren't strictly
necessary, but support for the export cipher suites has been removed
from LibreSSL, so they clearly mark the unsupported feature.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 3a647f0d5104 -r 2c5ac97b08f6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Wed Jul 30 04:32:15 2014 -0700
+++ b/src/event/ngx_event_openssl.c	Wed Jul 30 04:32:16 2014 -0700
@@ -50,7 +50,7 @@ static int ngx_ssl_session_ticket_key_ca
     HMAC_CTX *hctx, int enc);
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)
 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
 #endif
 
@@ -2743,7 +2743,7 @@ ngx_ssl_check_host(ngx_connection_t *c, 
         return NGX_ERROR;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002002L
+#if (OPENSSL_VERSION_NUMBER >= 0x10002002L && !defined LIBRESSL_VERSION_NUMBER)
 
     /* X509_check_host() is only available in OpenSSL 1.0.2+ */
 
@@ -2860,7 +2860,7 @@ found:
 }
 
 
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)
 
 static ngx_int_t
 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
diff -r 3a647f0d5104 -r 2c5ac97b08f6 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Wed Jul 30 04:32:15 2014 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c	Wed Jul 30 04:32:16 2014 -0700
@@ -715,7 +715,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
     /* a temporary 512-bit RSA key is required for export versions of MSIE */
     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
 #endif
diff -r 3a647f0d5104 -r 2c5ac97b08f6 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Wed Jul 30 04:32:15 2014 -0700
+++ b/src/mail/ngx_mail_ssl_module.c	Wed Jul 30 04:32:16 2014 -0700
@@ -334,7 +334,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
 #endif

More information about the nginx-devel mailing list