[nginx] SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
Maxim Dounin
mdounin at mdounin.ru
Tue Dec 4 13:36:57 UTC 2018
details: https://hg.nginx.org/nginx/rev/ea3f1f9af72c
branches: stable-1.14
changeset: 7414:ea3f1f9af72c
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Jul 16 17:47:20 2018 +0300
description:
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used. Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.
It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.
diffstat:
src/event/ngx_event_openssl.c | 2 +-
src/http/ngx_http_request.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diffs (24 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -296,7 +296,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
-#ifdef SSL_CTRL_CLEAR_OPTIONS
+#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
/* only in 0.9.8m+ */
SSL_CTX_clear_options(ssl->ctx,
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -923,7 +923,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
-#ifdef SSL_CTRL_CLEAR_OPTIONS
+#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
/* only in 0.9.8m+ */
SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
~SSL_CTX_get_options(sscf->ssl.ctx));
More information about the nginx-devel
mailing list