[PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs

Sergey Kandaurov pluknet at nginx.com
Wed Aug 2 15:54:45 UTC 2023


> On 25 Jul 2023, at 02:10, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1687300195 -10800
> #      Wed Jun 21 01:29:55 2023 +0300
> # Node ID b79ef48b91e45dba4bf850be6b2a2cc3b8834f5d
> # Parent  904c99bede1770d92566b56939c5b6ec85f05b55
> SSL: provided "nginx" appname when loading OpenSSL configs.
> 
> Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
> configuration section first, and then falls back to the "openssl_conf"
> default section if application-specific section is not found, by using
> CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION).  Therefore this
> change is not expected to introduce any compatibility issues with existing
> configurations.  It does, however, makes it easier to configure specific

typo: s/makes/make/

> OpenSSL settings for nginx in system-wide OpenSSL configuration
> (ticket #2449).
> 
> Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
> interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
> true, and also explicitly excludes LibreSSL.  This ensures that this interface
> is not used with BoringSSL and LibreSSL, which do not provide additional
> library initialization settings, notably the OPENSSL_INIT_set_config_appname()
> call.
> 
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -140,13 +140,31 @@ int  ngx_ssl_stapling_index;
> ngx_int_t
> ngx_ssl_init(ngx_log_t *log)
> {
> -#if OPENSSL_VERSION_NUMBER >= 0x10100003L
> -
> -    if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
> +#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)
> +
> +    OPENSSL_INIT_SETTINGS  *init;
> +
> +    init = OPENSSL_INIT_new();
> +    if (init == NULL) {
> +        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
> +        return NGX_ERROR;
> +    }
> +
> +#ifndef OPENSSL_NO_STDIO
> +    if (OPENSSL_INIT_set_config_appname(init, "nginx") == 0) {
> +        ngx_ssl_error(NGX_LOG_ALERT, log, 0,
> +                      "OPENSSL_INIT_set_config_appname() failed");
> +        return NGX_ERROR;
> +    }
> +#endif
> +
> +    if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
>         ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
>         return NGX_ERROR;
>     }
> 
> +    OPENSSL_INIT_free(init);
> +
>     /*
>      * OPENSSL_init_ssl() may leave errors in the error queue
>      * while returning success
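Review bot: the OPENSSL_INIT_SETTINGS allocated by OPENSSL_INIT_new() is released only on the success path; both early returns in this hunk, after OPENSSL_INIT_set_config_appname() fails and after OPENSSL_init_ssl() fails, leave `init` unfreed. Since ngx_ssl_init() runs once at startup and the process reports an error and stops anyway, the leak is harmless in practice, but for consistency consider adding `OPENSSL_INIT_free(init);` before each `return NGX_ERROR;`, or moving the existing `OPENSSL_INIT_free(init);` up so it runs before the OPENSSL_init_ssl() result is checked (the settings object is no longer needed once OPENSSL_init_ssl() returns).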
> @@ -156,7 +174,7 @@ ngx_ssl_init(ngx_log_t *log)
> 
> #else
> 
> -    OPENSSL_config(NULL);
> +    OPENSSL_config("nginx");
> 
>     SSL_library_init();
>     SSL_load_error_strings();

Looks good.

-- 
Sergey Kandaurov

