[PATCH] New directive to configure TLSv1.3 ciphers

Ramprasad Tamilselvan ramprasad.tamilselvan at quantil.com
Thu Nov 15 01:24:52 UTC 2018


# HG changeset patch
# User Ramprasad Tamilselvan <ramprasad.tamilselvan at quantil.com>
# Date 1542241466 28800
#      Wed Nov 14 16:24:26 2018 -0800
# Node ID 83b05772dbd657b31df16d712a64c908c371f0d9
# Parent  4698cede59ffa438bcae1fd6c5d8fec4d69b2c92
New directive to configure TLSv1.3 ciphers.

OpenSSL 1.1.1 introduces a separate API, SSL_CTX_set_ciphersuites(), for
configuring TLSv1.3 cipher suites, which SSL_CTX_set_cipher_list() does not
cover. A new directive, ssl_ciphersuites, calls this API to configure the
cipher suites used for TLSv1.3.

diff -r 4698cede59ff -r 83b05772dbd6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/event/ngx_event_openssl.c	Wed Nov 14 16:24:26 2018 -0800
@@ -660,8 +660,20 @@
 
 ngx_int_t
 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
-    ngx_uint_t prefer_server_ciphers)
+    ngx_str_t *ciphersuites, ngx_uint_t prefer_server_ciphers)
 {
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+    /* set cipher as "" so that SSL_CTX_set_cipher_list can detect
+     * any invalid ciphers */
+    if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *) "") == 0) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_set_ciphersuites(\"%V\") failed",
+                      ciphersuites);
+        return NGX_ERROR;
+    }
+#endif
+
     if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                       "SSL_CTX_set_cipher_list(\"%V\") failed",
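Review bot: The error message emitted when the reset call fails prints the configured `ciphersuites` value even though that call was passed the empty string, so an operator would be told their list was rejected when it was never tried; use `"SSL_CTX_set_ciphersuites(\"\") failed"` and drop the `ciphersuites` argument in that branch. The comment above the reset would also help more if it said why the reset is needed — presumably that in OpenSSL 1.1.1 SSL_CTX_set_cipher_list() only fails when the combined TLSv1.2 and TLSv1.3 list is empty, so an `ssl_ciphers` value matching nothing would otherwise be accepted; something like `/* clear the TLSv1.3 list first so that an ssl_ciphers value matching no cipher makes SSL_CTX_set_cipher_list() fail instead of being masked by the TLSv1.3 suites */`. Both calls sit under the same version guard, so a build against an older OpenSSL skips the reset and keeps the pre-patch behaviour, which is fine but worth a sentence in the commit message. ngx_ssl_ciphers() continues in the next hunk.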
@@ -669,6 +681,16 @@
         return NGX_ERROR;
     }
 
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+    /* set ciphers for TLSv1.3 */
+    if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *) ciphersuites->data) == 0) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_set_ciphersuites(\"%V\") failed",
+                      ciphersuites);
+        return NGX_ERROR;
+    }
+#endif
+
     if (prefer_server_ciphers) {
         SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
diff -r 4698cede59ff -r 83b05772dbd6 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/event/ngx_event_openssl.h	Wed Nov 14 16:24:26 2018 -0800
@@ -165,7 +165,7 @@
 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
 ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
-    ngx_uint_t prefer_server_ciphers);
+    ngx_str_t *ciphersuites, ngx_uint_t prefer_server_ciphers);
 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_grpc_module.c	Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
 #include <ngx_core.h>
 #include <ngx_http.h>
 
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+                                 ":TLS_CHACHA20_POLY1305_SHA256" \
+                                 ":TLS_AES_128_GCM_SHA256"
 
 typedef struct {
     ngx_array_t               *flushes;
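Review bot: This is one of seven identical copies of `NGX_DEFAULT_CIPHERSUITES` introduced by the patch (grpc, proxy, uwsgi, http ssl, mail ssl, stream proxy and stream ssl modules), so a future change to the default TLSv1.3 policy — dropping a suite, say — would have to be made in seven places and can silently diverge between listeners and upstream connections. Define it once in src/event/ngx_event_openssl.h next to the ngx_ssl_ciphers() prototype that consumes it and delete the per-module copies; a single definition makes the listener and upstream defaults agree by construction. The existing per-module `NGX_DEFAULT_CIPHERS` copies are a precedent, but there is no need to extend that pattern to a list that is much more likely to be revised.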
@@ -31,6 +34,7 @@
     ngx_uint_t                 ssl;
     ngx_uint_t                 ssl_protocols;
     ngx_str_t                  ssl_ciphers;
+    ngx_str_t                  ssl_ciphersuites;
     ngx_uint_t                 ssl_verify_depth;
     ngx_str_t                  ssl_trusted_certificate;
     ngx_str_t                  ssl_crl;
@@ -365,6 +369,13 @@
       offsetof(ngx_http_grpc_loc_conf_t, ssl_ciphers),
       NULL },
 
+    { ngx_string("grpc_ssl_ciphersuites"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_grpc_loc_conf_t, ssl_ciphersuites),
+      NULL },
+
     { ngx_string("grpc_ssl_name"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_http_set_complex_value_slot,
@@ -4165,6 +4176,7 @@
      *     conf->ssl = 0;
      *     conf->ssl_protocols = 0;
      *     conf->ssl_ciphers = { 0, NULL };
+     *     conf->ssl_ciphersuites = { 0, NULL };
      *     conf->ssl_trusted_certificate = { 0, NULL };
      *     conf->ssl_crl = { 0, NULL };
      *     conf->ssl_certificate = { 0, NULL };
@@ -4280,6 +4292,9 @@
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");
 
+    ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+                             NGX_DEFAULT_CIPHERSUITES);
+
     if (conf->upstream.ssl_name == NULL) {
         conf->upstream.ssl_name = prev->upstream.ssl_name;
     }
@@ -4673,7 +4688,8 @@
         }
     }
 
-    if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
+    if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 
+                        &glcf->ssl_ciphersuites, 0)
         != NGX_OK)
     {
         return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c	Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
 #include <ngx_core.h>
 #include <ngx_http.h>
 
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+                                 ":TLS_CHACHA20_POLY1305_SHA256" \
+                                 ":TLS_AES_128_GCM_SHA256"
 
 typedef struct {
     ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
@@ -94,6 +97,7 @@
     ngx_uint_t                     ssl;
     ngx_uint_t                     ssl_protocols;
     ngx_str_t                      ssl_ciphers;
+    ngx_str_t                      ssl_ciphersuites;
     ngx_uint_t                     ssl_verify_depth;
     ngx_str_t                      ssl_trusted_certificate;
     ngx_str_t                      ssl_crl;
@@ -659,6 +663,13 @@
       offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers),
       NULL },
 
+    { ngx_string("proxy_ssl_ciphersuites"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphersuites),
+      NULL },
+
     { ngx_string("proxy_ssl_name"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_http_set_complex_value_slot,
@@ -2825,6 +2836,7 @@
      *     conf->ssl = 0;
      *     conf->ssl_protocols = 0;
      *     conf->ssl_ciphers = { 0, NULL };
+     *     conf->ssl_ciphersuites = { 0, NULL };
      *     conf->ssl_trusted_certificate = { 0, NULL };
      *     conf->ssl_crl = { 0, NULL };
      *     conf->ssl_certificate = { 0, NULL };
@@ -3208,6 +3220,9 @@
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");
 
+    ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+                             NGX_DEFAULT_CIPHERSUITES);
+
     if (conf->upstream.ssl_name == NULL) {
         conf->upstream.ssl_name = prev->upstream.ssl_name;
     }
@@ -4293,7 +4308,8 @@
         }
     }
 
-    if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
+    if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers,
+                        &plcf->ssl_ciphersuites, 0)
         != NGX_OK)
     {
         return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c	Wed Nov 14 16:24:26 2018 -0800
@@ -16,6 +16,9 @@
 
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE  "auto"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+                                 ":TLS_CHACHA20_POLY1305_SHA256" \
+                                 ":TLS_AES_128_GCM_SHA256"
 
 #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
 
@@ -133,6 +136,13 @@
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, ciphers),
       NULL },
+    
+    { ngx_string("ssl_ciphersuites"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, ciphersuites),
+      NULL },
 
     { ngx_string("ssl_buffer_size"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
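Review bot: The blank line added before the `ssl_ciphersuites` entry carries trailing whitespace (`+    `), where the rest of this table separates entries with genuinely empty lines; nginx's style rejects trailing whitespace, so make it an empty line. The same trailing whitespace appears on added lines in the grpc and stream proxy `ngx_ssl_ciphers()` call sites and in the mail and stream ssl merge hunks. The directive entry itself mirrors `ssl_ciphers` (MAIN|SRV, TAKE1, string slot), which looks right.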
@@ -556,6 +566,7 @@
      *     sscf->trusted_certificate = { 0, NULL };
      *     sscf->crl = { 0, NULL };
      *     sscf->ciphers = { 0, NULL };
+     *     sscf->ciphersuites = { 0, NULL };
      *     sscf->shm_zone = NULL;
      *     sscf->stapling_file = { 0, NULL };
      *     sscf->stapling_responder = { 0, NULL };
@@ -637,6 +648,9 @@
 
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
+    ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,
+                             NGX_DEFAULT_CIPHERSUITES);
+
     ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
     ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
@@ -734,7 +748,7 @@
         return NGX_CONF_ERROR;
     }
 
-    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, &conf->ciphersuites,
                         conf->prefer_server_ciphers)
         != NGX_OK)
     {
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h	Wed Nov 14 16:24:26 2018 -0800
@@ -44,6 +44,8 @@
 
     ngx_str_t                       ciphers;
 
+    ngx_str_t                       ciphersuites;
+
     ngx_array_t                    *passwords;
 
     ngx_shm_zone_t                 *shm_zone;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c	Wed Nov 14 16:24:26 2018 -0800
@@ -11,6 +11,9 @@
 #include <ngx_core.h>
 #include <ngx_http.h>
 
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+                                 ":TLS_CHACHA20_POLY1305_SHA256" \
+                                 ":TLS_AES_128_GCM_SHA256"
 
 typedef struct {
     ngx_array_t                caches;  /* ngx_http_file_cache_t * */
@@ -51,6 +54,7 @@
     ngx_uint_t                 ssl;
     ngx_uint_t                 ssl_protocols;
     ngx_str_t                  ssl_ciphers;
+    ngx_str_t                  ssl_ciphersuites;
     ngx_uint_t                 ssl_verify_depth;
     ngx_str_t                  ssl_trusted_certificate;
     ngx_str_t                  ssl_crl;
@@ -497,6 +501,13 @@
       offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphers),
       NULL },
 
+    { ngx_string("uwsgi_ssl_ciphersuites"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphersuites),
+      NULL },
+
     { ngx_string("uwsgi_ssl_name"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_http_set_complex_value_slot,
@@ -1773,6 +1784,9 @@
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");
 
+    ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+                             NGX_DEFAULT_CIPHERSUITES);
+
     if (conf->upstream.ssl_name == NULL) {
         conf->upstream.ssl_name = prev->upstream.ssl_name;
     }
@@ -2382,7 +2396,8 @@
         }
     }
 
-    if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+    if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers,
+                        &uwcf->ssl_ciphersuites, 0)
         != NGX_OK)
     {
         return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/mail/ngx_mail_ssl_module.c	Wed Nov 14 16:24:26 2018 -0800
@@ -11,6 +11,9 @@
 
 
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+                                 ":TLS_CHACHA20_POLY1305_SHA256" \
+                                 ":TLS_AES_128_GCM_SHA256"
 #define NGX_DEFAULT_ECDH_CURVE  "auto"
 
 
@@ -126,6 +129,13 @@
       offsetof(ngx_mail_ssl_conf_t, ciphers),
       NULL },
 
+    { ngx_string("ssl_ciphersuites"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, ciphersuites),
+      NULL },
+
     { ngx_string("ssl_prefer_server_ciphers"),
       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
       ngx_conf_set_flag_slot,
@@ -251,6 +261,7 @@
      *     scf->trusted_certificate = { 0, NULL };
      *     scf->crl = { 0, NULL };
      *     scf->ciphers = { 0, NULL };
+     *     scf->ciphersuites = { 0, NULL };
      *     scf->shm_zone = NULL;
      */
 
@@ -316,6 +327,9 @@
 
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
+    ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites, 
+                             NGX_DEFAULT_CIPHERSUITES);
+
 
     conf->ssl.log = cf->log;
 
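Review bot: The added merge call is followed by its own blank line (the last `+` line of the hunk) and then the existing blank line, so the file now has two consecutive empty lines before `conf->ssl.log = cf->log;`; drop one of them. The line `ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,` also ends in a trailing space. The stream ssl module's merge hunk has the same double blank line and trailing space.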
@@ -412,7 +426,7 @@
         }
     }
 
-    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+    if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, &conf->ciphersuites,
                         conf->prefer_server_ciphers)
         != NGX_OK)
     {
diff -r 4698cede59ff -r 83b05772dbd6 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/mail/ngx_mail_ssl_module.h	Wed Nov 14 16:24:26 2018 -0800
@@ -47,6 +47,8 @@
 
     ngx_str_t        ciphers;
 
+    ngx_str_t        ciphersuites;
+
     ngx_array_t     *passwords;
 
     ngx_shm_zone_t  *shm_zone;
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_proxy_module.c	Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
 #include <ngx_core.h>
 #include <ngx_stream.h>
 
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+                                 ":TLS_CHACHA20_POLY1305_SHA256" \
+                                 ":TLS_AES_128_GCM_SHA256"
 
 typedef struct {
     ngx_addr_t                      *addr;
@@ -39,6 +42,7 @@
     ngx_flag_t                       ssl_session_reuse;
     ngx_uint_t                       ssl_protocols;
     ngx_str_t                        ssl_ciphers;
+    ngx_str_t                        ssl_ciphersuites;
     ngx_stream_complex_value_t      *ssl_name;
     ngx_flag_t                       ssl_server_name;
 
@@ -268,6 +272,13 @@
       offsetof(ngx_stream_proxy_srv_conf_t, ssl_ciphers),
       NULL },
 
+    { ngx_string("proxy_ssl_ciphersuites"),
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      offsetof(ngx_stream_proxy_srv_conf_t, ssl_ciphersuites),
+      NULL },
+
     { ngx_string("proxy_ssl_name"),
       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
       ngx_stream_set_complex_value_slot,
@@ -1945,6 +1956,7 @@
      *
      *     conf->ssl_protocols = 0;
      *     conf->ssl_ciphers = { 0, NULL };
+     *     conf->ssl_ciphersuites = { 0, NULL };
      *     conf->ssl_name = NULL;
      *     conf->ssl_trusted_certificate = { 0, NULL };
      *     conf->ssl_crl = { 0, NULL };
@@ -2038,6 +2050,9 @@
 
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
 
+    ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+                             NGX_DEFAULT_CIPHERSUITES);
+
     if (conf->ssl_name == NULL) {
         conf->ssl_name = prev->ssl_name;
     }
@@ -2115,7 +2130,9 @@
         }
     }
 
-    if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
+    if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 
+                        &pscf->ssl_ciphersuites, 0) 
+        != NGX_OK) {
         return NGX_ERROR;
     }
 
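Review bot: The rewrapped call puts the opening brace on the `!= NGX_OK) {` line, whereas every other multi-line condition in this patch — the grpc, proxy and uwsgi call sites — and nginx's style generally place `!= NGX_OK` and `{` on separate lines; write it as `!= NGX_OK` followed by `{` on its own line. Both continuation lines (`&pscf->ssl_ciphers, ` and `&pscf->ssl_ciphersuites, 0) `) also end in trailing whitespace.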
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_ssl_module.c	Wed Nov 14 16:24:26 2018 -0800
@@ -15,6 +15,9 @@
 
 
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+                                 ":TLS_CHACHA20_POLY1305_SHA256" \
+                                 ":TLS_AES_128_GCM_SHA256"
 #define NGX_DEFAULT_ECDH_CURVE  "auto"
 
 
@@ -117,6 +120,13 @@
       offsetof(ngx_stream_ssl_conf_t, ciphers),
       NULL },
 
+    { ngx_string("ssl_ciphersuites"),
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      offsetof(ngx_stream_ssl_conf_t, ciphersuites),
+      NULL },
+
     { ngx_string("ssl_verify_client"),
       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_enum_slot,
@@ -511,6 +521,7 @@
      *     scf->trusted_certificate = { 0, NULL };
      *     scf->crl = { 0, NULL };
      *     scf->ciphers = { 0, NULL };
+     *     scf->ciphersuites = { 0, NULL };
      *     scf->shm_zone = NULL;
      */
 
@@ -573,6 +584,9 @@
 
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
+    ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites, 
+                             NGX_DEFAULT_CIPHERSUITES);
+
 
     conf->ssl.log = cf->log;
 
@@ -627,7 +641,7 @@
     }
 
     if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
-                        conf->prefer_server_ciphers)
+                        &conf->ciphersuites, conf->prefer_server_ciphers)
         != NGX_OK)
     {
         return NGX_CONF_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h	Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_ssl_module.h	Wed Nov 14 16:24:26 2018 -0800
@@ -42,6 +42,8 @@
 
     ngx_str_t        ciphers;
 
+    ngx_str_t        ciphersuites;
+
     ngx_array_t     *passwords;
 
     ngx_shm_zone_t  *shm_zone;

