[PATCH] SSL: make ssl_password_file work with recent OpenSSL releases
Das, Jagannath
jadas at akamai.com
Thu Oct 30 03:23:48 UTC 2014
Hi Sergey,
Are you also looking to have a fix for the POODLE vulnerability?
Thanks,
Jagannath
From: Sergey Kandaurov <pluknet at nginx.com<mailto:pluknet at nginx.com>>
Reply-To: "nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>" <nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>>
Date: Wednesday, October 29, 2014 at 11:39 PM
To: "nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>" <nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>>
Subject: Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases
On Oct 28, 2014, at 12:38 AM, Piotr Sikora <piotr at cloudflare.com<mailto:piotr at cloudflare.com>> wrote:
Also, I think that PKCS#12 support should be added in a separate
commit, instead of mixing it with semi-related fix.
How so? It is not about adding error handling support for yet another format,
because it was already there but was broken for the same reason after 1.0.1j.
Below is an updated patch with fixed header inclusion I’d like to commit.
# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com<mailto:piotr at cloudflare.com>>
# Date 1414150080 25200
# Fri Oct 24 04:28:00 2014 -0700
# Node ID 8316cb9139f5f5b0fb39969006d68708f22f312d
# Parent 973fded4f461f3a397779b3a1dc80881b1b34974
SSL: make ssl_password_file work with recent OpenSSL releases.
Multiple passwords in a single ssl_password_file feature was broken after
recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).
Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.
Signed-off-by: Piotr Sikora <piotr at cloudflare.com<mailto:piotr at cloudflare.com>>
diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Oct 15 22:57:23 2014 +0400
+++ b/src/event/ngx_event_openssl.c Fri Oct 24 04:28:00 2014 -0700
@@ -410,8 +410,12 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
&& ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
#else
- if (ERR_GET_LIB(n) == ERR_LIB_EVP
- && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+ if ((ERR_GET_LIB(n) == ERR_LIB_PEM
+ && ERR_GET_REASON(n) == PEM_R_BAD_DECRYPT)
+ || (ERR_GET_LIB(n) == ERR_LIB_EVP
+ && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+ || (ERR_GET_LIB(n) == ERR_LIB_PKCS12
+ && ERR_GET_REASON(n) == PKCS12_R_PKCS12_CIPHERFINAL_ERROR))
#endif
{
ERR_clear_error();
diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Oct 15 22:57:23 2014 +0400
+++ b/src/event/ngx_event_openssl.h Fri Oct 24 04:28:00 2014 -0700
@@ -25,6 +25,9 @@
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/pkcs12.h>
+#endif
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141030/d14459b0/attachment.html>
More information about the nginx-devel
mailing list