[PATCH] SSL: make ssl_password_file work with recent OpenSSL releases
Piotr Sikora
piotr at cloudflare.com
Wed Oct 29 19:18:35 UTC 2014
Hey Sergey,
> How so? It is not about adding error handling support for yet another format,
> because it was already there but was broken for the same reason after 1.0.1j.
Oh, I see. I misread your original comment and I thought you were
adding support for it.
> Below is an updated patch with fixed header inclusion I’d like to commit.
>
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1414150080 25200
> # Fri Oct 24 04:28:00 2014 -0700
> # Node ID 8316cb9139f5f5b0fb39969006d68708f22f312d
> # Parent 973fded4f461f3a397779b3a1dc80881b1b34974
> SSL: make ssl_password_file work with recent OpenSSL releases.
>
> Multiple passwords in a single ssl_password_file feature was broken after
> recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).
>
> Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.
>
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
>
> diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Wed Oct 15 22:57:23 2014 +0400
> +++ b/src/event/ngx_event_openssl.c Fri Oct 24 04:28:00 2014 -0700
> @@ -410,8 +410,12 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
> if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
> && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
> #else
> - if (ERR_GET_LIB(n) == ERR_LIB_EVP
> - && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
> + if ((ERR_GET_LIB(n) == ERR_LIB_PEM
> + && ERR_GET_REASON(n) == PEM_R_BAD_DECRYPT)
> + || (ERR_GET_LIB(n) == ERR_LIB_EVP
> + && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
> + || (ERR_GET_LIB(n) == ERR_LIB_PKCS12
> + && ERR_GET_REASON(n) == PKCS12_R_PKCS12_CIPHERFINAL_ERROR))
> #endif
> {
> ERR_clear_error();
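Review bot: The PKCS12_R_PKCS12_CIPHERFINAL_ERROR test added to the #else branch needs <openssl/pkcs12.h>, which the header hunk includes only under #ifndef OPENSSL_IS_BORINGSSL. The #if that opens this block is outside the hunk, so please confirm it is the same guard. If it is not, a build that takes the #else branch without that header will fail to compile. Separately, the condition now accepts three (library, reason) pairs, and every match falls through to ERR_clear_error(). A short comment above the condition saying why each pair is treated as a wrong password would help the next time OpenSSL changes which error it reports.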
> diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h Wed Oct 15 22:57:23 2014 +0400
> +++ b/src/event/ngx_event_openssl.h Fri Oct 24 04:28:00 2014 -0700
> @@ -25,6 +25,9 @@
> #ifndef OPENSSL_NO_OCSP
> #include <openssl/ocsp.h>
> #endif
> +#ifndef OPENSSL_IS_BORINGSSL
> +#include <openssl/pkcs12.h>
> +#endif
> #include <openssl/rand.h>
> #include <openssl/rsa.h>
> #include <openssl/x509.h>
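Review bot: The new #ifndef OPENSSL_IS_BORINGSSL guard around <openssl/pkcs12.h> has no comment saying why the header is needed or why BoringSSL is excluded. As far as these lines show, the header is included only for the PKCS12_R_PKCS12_CIPHERFINAL_ERROR reason code used in ngx_event_openssl.c. A one-line comment to that effect would keep the include from looking unused and would tie the guard to the matching condition in the .c file.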
Looks good, thanks.
Best regards,
Piotr Sikora