[PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

Piotr Sikora piotr at cloudflare.com
Wed Oct 29 19:18:35 UTC 2014


Hey Sergey,

> How so? It is not about adding error handling support for yet another format,
> because it was already there but was broken for the same reason after 1.0.1j.

Oh, I see. I misread your original comment and I thought you were
adding support for it.

> Below is an updated patch with fixed header inclusion I’d like to commit.
>
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1414150080 25200
> #      Fri Oct 24 04:28:00 2014 -0700
> # Node ID 8316cb9139f5f5b0fb39969006d68708f22f312d
> # Parent  973fded4f461f3a397779b3a1dc80881b1b34974
> SSL: make ssl_password_file work with recent OpenSSL releases.
>
> Multiple passwords in a single ssl_password_file feature was broken after
> recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).
>
> Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.
>
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
>
> diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Wed Oct 15 22:57:23 2014 +0400
> +++ b/src/event/ngx_event_openssl.c     Fri Oct 24 04:28:00 2014 -0700
> @@ -410,8 +410,12 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
>              if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
>                  && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
>  #else
> -            if (ERR_GET_LIB(n) == ERR_LIB_EVP
> -                && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
> +            if ((ERR_GET_LIB(n) == ERR_LIB_PEM
> +                 && ERR_GET_REASON(n) == PEM_R_BAD_DECRYPT)
> +                || (ERR_GET_LIB(n) == ERR_LIB_EVP
> +                    && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
> +                || (ERR_GET_LIB(n) == ERR_LIB_PKCS12
> +                    && ERR_GET_REASON(n) == PKCS12_R_PKCS12_CIPHERFINAL_ERROR))
>  #endif
>              {
>                  ERR_clear_error();
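
Review bot: The three-way condition in the #else branch has no comment saying which key format or OpenSSL code path produces each error (PEM_R_BAD_DECRYPT, EVP_R_BAD_DECRYPT, PKCS12_R_PKCS12_CIPHERFINAL_ERROR). The commit message names the OpenSSL commit and the affected releases, but none of that reaches the source. A short comment above the `if` would tell the next reader why all three are treated as a wrong password before `ERR_clear_error()` discards the queue, and would make it easier to judge later whether any of them can be dropped.
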
> diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h     Wed Oct 15 22:57:23 2014 +0400
> +++ b/src/event/ngx_event_openssl.h     Fri Oct 24 04:28:00 2014 -0700
> @@ -25,6 +25,9 @@
>  #ifndef OPENSSL_NO_OCSP
>  #include <openssl/ocsp.h>
>  #endif
> +#ifndef OPENSSL_IS_BORINGSSL
> +#include <openssl/pkcs12.h>
> +#endif
>  #include <openssl/rand.h>
>  #include <openssl/rsa.h>
>  #include <openssl/x509.h>
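
Review bot: The new `#include <openssl/pkcs12.h>` is guarded by `#ifndef OPENSSL_IS_BORINGSSL`, while the matching use of PKCS12_R_PKCS12_CIPHERFINAL_ERROR in ngx_event_openssl.c sits in the #else of a conditional whose #if line is outside the visible hunk. Please confirm that conditional tests the same macro, because if the two guards ever diverge the constant is referenced without its header and the build breaks. A one-line comment next to this include pointing at the ngx_ssl_certificate() check would keep the two in step.
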

Looks good, thanks.

Best regards,
Piotr Sikora


