[PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs
Maxim Dounin
mdounin at mdounin.ru
Wed Aug 2 18:17:00 UTC 2023
Hello!
On Wed, Aug 02, 2023 at 06:54:45PM +0300, Sergey Kandaurov wrote:
> > On 25 Jul 2023, at 02:10, Maxim Dounin <mdounin at mdounin.ru> wrote:
> >
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1687300195 -10800
> > # Wed Jun 21 01:29:55 2023 +0300
> > # Node ID b79ef48b91e45dba4bf850be6b2a2cc3b8834f5d
> > # Parent 904c99bede1770d92566b56939c5b6ec85f05b55
> > SSL: provided "nginx" appname when loading OpenSSL configs.
> >
> > Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
> > configuration section first, and then falls back to the "openssl_conf"
> > default section if application-specific section is not found, by using
> > CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION). Therefore this
> > change is not expected to introduce any compatibility issues with existing
> > configurations. It does, however, makes it easier to configure specific
>
> typo: s/makes/make/
Fixed, thnx.
>
> > OpenSSL settings for nginx in system-wide OpenSSL configuration
> > (ticket #2449).
> >
> > Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
> > interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
> > true, and also explicitly excludes LibreSSL. This ensures that this interface
> > is not used with BoringSSL and LibreSSL, which do not provide additional
> > library initialization settings, notably the OPENSSL_INIT_set_config_appname()
> > call.
> >
> > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> > --- a/src/event/ngx_event_openssl.c
> > +++ b/src/event/ngx_event_openssl.c
> > @@ -140,13 +140,31 @@ int ngx_ssl_stapling_index;
> > ngx_int_t
> > ngx_ssl_init(ngx_log_t *log)
> > {
> > -#if OPENSSL_VERSION_NUMBER >= 0x10100003L
> > -
> > - if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
> > +#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)
> > +
> > + OPENSSL_INIT_SETTINGS *init;
> > +
> > + init = OPENSSL_INIT_new();
> > + if (init == NULL) {
> > + ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
> > + return NGX_ERROR;
> > + }
> > +
> > +#ifndef OPENSSL_NO_STDIO
> > + if (OPENSSL_INIT_set_config_appname(init, "nginx") == 0) {
> > + ngx_ssl_error(NGX_LOG_ALERT, log, 0,
> > + "OPENSSL_INIT_set_config_appname() failed");
> > + return NGX_ERROR;
> > + }
> > +#endif
> > +
> > + if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
> > ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
> > return NGX_ERROR;
> > }
> >
> > + OPENSSL_INIT_free(init);
> > +
> > /*
> > * OPENSSL_init_ssl() may leave errors in the error queue
> > * while returning success
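Review bot: the OPENSSL_INIT_SETTINGS object allocated by OPENSSL_INIT_new() leaks on both error paths that follow it: the `OPENSSL_INIT_set_config_appname() failed` branch and the `OPENSSL_init_ssl() failed` branch each `return NGX_ERROR;` without calling OPENSSL_INIT_free(init), which is only reached on the success path. It is a one-time initialization allocation, so the practical impact is small, but freeing init before each early return keeps ngx_ssl_init() leak-free and quiet under static analyzers.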
> > @@ -156,7 +174,7 @@ ngx_ssl_init(ngx_log_t *log)
> >
> > #else
> >
> > - OPENSSL_config(NULL);
> > + OPENSSL_config("nginx");
> >
> > SSL_library_init();
> > SSL_load_error_strings();
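Review bot: the application name "nginx" is now a string literal in two places (the OPENSSL_INIT_set_config_appname() call in the first hunk and OPENSSL_config() here); a single shared macro (name of your choice, this is only a suggestion) would keep the two branches from drifting apart. The section name is also now part of nginx's administrator-facing interface, since it is what has to appear in the system-wide OpenSSL configuration to target nginx, so it deserves a mention in the documentation alongside this change.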
>
> Looks good.
Pushed to http://mdounin.ru/hg/nginx, thanks.
--
Maxim Dounin
http://mdounin.ru/