[PATCH] Add ngx_ssl_ciphers() to set list of cipher suites in openssl module
Tim Taubert
tim at timtaubert.de
Wed Jun 15 08:39:22 UTC 2016
Thanks Maxim and Piotr,
comments inline and a new version of the patch is at the end.
Maxim Dounin wrote:
> Style nitpicking: Please use the "SSL: " prefix for SSL-related
> commits. Please use full sentences in the commit log, including
> dots. Please spell "nginx" lowercase. Please keep summary line
> under 67 symbols.
Done.
>> +ngx_int_t
>> +ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers)
>> +{
>> + if (SSL_CTX_set_cipher_list(ssl->ctx, (const char *) ciphers->data) == 0) {
>
> The "const" qualifier can be safely dropped here. And I tend to
> think it should, as I already removed "const" from all "(const char *)"
> casts found in ngx_event_openssl.c, see rev. addd98357629.
Done.
> The place choosen for the ngx_ssl_ciphers() function looks wrong,
> as ngx_ssl_password_callback() is a part of ngx_ssl_certificate()
> code. I would suggest to put it after ngx_ssl_password_callback()
> instead.
I put it after ngx_ssl_password_callback(), didn't realize that ngx_ssl_password_callback() is a part of ngx_ssl_certificate(). I think that's the right place as ngx_ssl_ciphers() is called after ngx_ssl_certificates().
>> + if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers) != NGX_OK) {
>> return NGX_CONF_ERROR;
>> }
>>
>> if (conf->prefer_server_ciphers) {
>> SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
>> }
>
> What about moving SSL_CTX_set_options(SSL_OP_CIPHER_SERVER_PREFERENCE)
> calls to the ngx_ssl_ciphers() function as well?
Good idea, done.
# HG changeset patch
# User Tim Taubert <tim at timtaubert.de>
# Date 1465979514 -3600
# Wed Jun 15 09:31:54 2016 +0100
# Node ID 004faf919d8b4fb64240dadad36e3f9c9959fcd7
# Parent 1064ea81ed3aabb8ad422ffcc60ddcde667022ac
SSL: ngx_ssl_ciphers() to set list of ciphers.
This patch replaces all calls to SSL_CTX_set_cipher_list() with
ngx_sll_ciphers() to make nginx more crypto-library-agnostic.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -587,16 +587,34 @@ ngx_ssl_password_callback(char *buf, int
ngx_memcpy(buf, pwd->data, size);
return size;
}
ngx_int_t
+ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers)
+{
+ if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_cipher_list(\"%V\") failed",
+ ciphers);
+ return NGX_ERROR;
+ }
+
+ if (cf->prefer_server_ciphers) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
{
STACK_OF(X509_NAME) *list;
SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
SSL_CTX_set_verify_depth(ssl->ctx, depth);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -139,16 +139,17 @@ typedef struct {
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4318,23 +4318,17 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->ssl_certificate,
&plcf->ssl_certificate_key, plcf->ssl_passwords)
!= NGX_OK)
{
return NGX_ERROR;
}
}
- if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
- (const char *) plcf->ssl_ciphers.data)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &plcf->ssl_ciphers);
+ if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers) != NGX_OK) {
return NGX_ERROR;
}
if (plcf->upstream.ssl_verify) {
if (plcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -684,23 +684,17 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
conf->certificate_keys, conf->passwords)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
- if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
- (const char *) conf->ciphers.data)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &conf->ciphers);
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers) != NGX_OK) {
return NGX_CONF_ERROR;
}
conf->ssl.buffer_size = conf->buffer_size;
if (conf->verify) {
if (conf->client_certificate.len == 0 && conf->verify != 3) {
@@ -725,20 +719,16 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
{
return NGX_CONF_ERROR;
}
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
return NGX_CONF_ERROR;
}
- if (conf->prefer_server_ciphers) {
- SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
-
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
/* a temporary 512-bit RSA key is required for export versions of MSIE */
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
#endif
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2320,23 +2320,17 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
if (ngx_ssl_certificate(cf, uwcf->upstream.ssl, &uwcf->ssl_certificate,
&uwcf->ssl_certificate_key, uwcf->ssl_passwords)
!= NGX_OK)
{
return NGX_ERROR;
}
}
- if (SSL_CTX_set_cipher_list(uwcf->upstream.ssl->ctx,
- (const char *) uwcf->ssl_ciphers.data)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &uwcf->ssl_ciphers);
+ if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers) != NGX_OK) {
return NGX_ERROR;
}
if (uwcf->upstream.ssl_verify) {
if (uwcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no uwsgi_ssl_trusted_certificate for uwsgi_ssl_verify");
return NGX_ERROR;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -417,30 +417,20 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
return NGX_CONF_ERROR;
}
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
return NGX_CONF_ERROR;
}
}
- if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
- (const char *) conf->ciphers.data)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &conf->ciphers);
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers) != NGX_OK) {
return NGX_CONF_ERROR;
}
- if (conf->prefer_server_ciphers) {
- SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
-
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
#endif
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -1635,23 +1635,17 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
if (ngx_ssl_certificate(cf, pscf->ssl, &pscf->ssl_certificate,
&pscf->ssl_certificate_key, pscf->ssl_passwords)
!= NGX_OK)
{
return NGX_ERROR;
}
}
- if (SSL_CTX_set_cipher_list(pscf->ssl->ctx,
- (const char *) pscf->ssl_ciphers.data)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &pscf->ssl_ciphers);
+ if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers) != NGX_OK) {
return NGX_ERROR;
}
if (pscf->ssl_verify) {
if (pscf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -261,30 +261,20 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
conf->certificate_keys, conf->passwords)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
- if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
- (const char *) conf->ciphers.data)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &conf->ciphers);
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers) != NGX_OK) {
return NGX_CONF_ERROR;
}
- if (conf->prefer_server_ciphers) {
- SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
-
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
#endif
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
More information about the nginx-devel
mailing list