[PATCH 2 of 6] SSL: pull common SSL defines into OpenSSL module
Piotr Sikora
piotrsikora at google.com
Thu Aug 18 00:29:23 UTC 2016
# HG changeset patch
# User Piotr Sikora <piotrsikora at google.com>
# Date 1471428980 25200
# Wed Aug 17 03:16:20 2016 -0700
# Node ID 788c6187bdbd72787ba24505731e42b6a2307be3
# Parent 653b04653271346c63ab5f3daced807228eed5ac
SSL: pull common SSL defines into OpenSSL module.
Those values are OpenSSL-specific anyway.
No binary changes (without reorder in ngx_mail_ssl_module).
Signed-off-by: Piotr Sikora <piotrsikora at google.com>
diff -r 653b04653271 -r 788c6187bdbd src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -131,6 +131,13 @@ typedef struct {
#define NGX_SSL_TLSv1_1 0x0010
#define NGX_SSL_TLSv1_2 0x0020
+#define NGX_SSL_DEFAULT_PROTOCOLS \
+ (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)
+
+#define NGX_SSL_DEFAULT_ECDH_CURVE "auto"
+#define NGX_SSL_DEFAULT_SERVER_CIPHERS "HIGH:!aNULL:!MD5"
+#define NGX_SSL_DEFAULT_CLIENT_CIPHERS "DEFAULT"
+
#define NGX_SSL_VERIFY_OFF 0
#define NGX_SSL_VERIFY_REQUIRED 1
#define NGX_SSL_VERIFY_OPTIONAL 2
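Review bot: The four new `NGX_SSL_DEFAULT_*` macros are added without a comment, and the server/client cipher split is the part most likely to be misread. `NGX_SSL_DEFAULT_SERVER_CIPHERS` excludes anonymous and MD5 suites, while `NGX_SSL_DEFAULT_CLIENT_CIPHERS` defers to whatever the linked library's "DEFAULT" list contains; in this patch it is used by the proxy, uwsgi and stream proxy modules. I would add a short comment above the block, e.g. `/* defaults used when the protocols, ciphers and ecdh_curve directives are not set; CLIENT applies to outgoing (upstream) connections */`. `NGX_SSL_DEFAULT_PROTOCOLS` keeps TLSv1 and TLSv1.1 enabled exactly as the old inline masks did, so the comment should also say that this is now the single place to tighten the default.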
diff -r 653b04653271 -r 788c6187bdbd src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -3174,11 +3174,10 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
prev->upstream.ssl_session_reuse, 1);
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ NGX_SSL_DEFAULT_PROTOCOLS);
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
- "DEFAULT");
+ NGX_SSL_DEFAULT_CLIENT_CIPHERS);
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
diff -r 653b04653271 -r 788c6187bdbd src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -14,9 +14,6 @@ typedef ngx_int_t (*ngx_ssl_variable_han
ngx_pool_t *pool, ngx_str_t *s);
-#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
-#define NGX_DEFAULT_ECDH_CURVE "auto"
-
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
@@ -564,8 +561,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ NGX_SSL_DEFAULT_PROTOCOLS);
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
NGX_SSL_BUFSIZE);
@@ -588,9 +584,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
- NGX_DEFAULT_ECDH_CURVE);
+ NGX_SSL_DEFAULT_ECDH_CURVE);
- ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_str_value(conf->ciphers, prev->ciphers,
+ NGX_SSL_DEFAULT_SERVER_CIPHERS);
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
diff -r 653b04653271 -r 788c6187bdbd src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -1726,11 +1726,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
prev->upstream.ssl_session_reuse, 1);
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ NGX_SSL_DEFAULT_PROTOCOLS);
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
- "DEFAULT");
+ NGX_SSL_DEFAULT_CLIENT_CIPHERS);
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
diff -r 653b04653271 -r 788c6187bdbd src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -10,10 +10,6 @@
#include <ngx_mail.h>
-#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
-#define NGX_DEFAULT_ECDH_CURVE "auto"
-
-
static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
@@ -284,8 +280,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ NGX_SSL_DEFAULT_PROTOCOLS);
ngx_conf_merge_uint_value(conf->verify, prev->verify, NGX_SSL_VERIFY_OFF);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
@@ -299,7 +294,10 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
- NGX_DEFAULT_ECDH_CURVE);
+ NGX_SSL_DEFAULT_ECDH_CURVE);
+
+ ngx_conf_merge_str_value(conf->ciphers, prev->ciphers,
+ NGX_SSL_DEFAULT_SERVER_CIPHERS);
ngx_conf_merge_str_value(conf->client_certificate,
prev->client_certificate, "");
@@ -307,9 +305,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
prev->trusted_certificate, "");
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
- ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
-
-
conf->ssl.log = cf->log;
if (conf->enable) {
diff -r 653b04653271 -r 788c6187bdbd src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -1794,10 +1794,10 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf
prev->ssl_session_reuse, 1);
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
-
- ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
+ NGX_SSL_DEFAULT_PROTOCOLS);
+
+ ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
+ NGX_SSL_DEFAULT_CLIENT_CIPHERS);
if (conf->ssl_name == NULL) {
conf->ssl_name = prev->ssl_name;
diff -r 653b04653271 -r 788c6187bdbd src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -14,10 +14,6 @@ typedef ngx_int_t (*ngx_ssl_variable_han
ngx_pool_t *pool, ngx_str_t *s);
-#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
-#define NGX_DEFAULT_ECDH_CURVE "auto"
-
-
static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_variable(ngx_stream_session_t *s,
@@ -327,8 +323,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ NGX_SSL_DEFAULT_PROTOCOLS);
ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
@@ -339,10 +334,10 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
- NGX_DEFAULT_ECDH_CURVE);
+ NGX_SSL_DEFAULT_ECDH_CURVE);
- ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
-
+ ngx_conf_merge_str_value(conf->ciphers, prev->ciphers,
+ NGX_SSL_DEFAULT_SERVER_CIPHERS);
conf->ssl.log = cf->log;