diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
|
|
67ea12 |
index 570abd7..ac37936 100644
|
|
|
67ea12 |
--- a/src/event/ngx_event_openssl.c
|
|
|
67ea12 |
+++ b/src/event/ngx_event_openssl.c
|
|
|
67ea12 |
@@ -232,6 +232,8 @@ ngx_ssl_init(ngx_log_t *log)
|
|
|
67ea12 |
ngx_int_t
|
|
|
67ea12 |
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
|
67ea12 |
{
|
|
|
67ea12 |
+ ngx_uint_t prot = NGX_SSL_NO_PROT;
|
|
|
67ea12 |
+
|
|
|
67ea12 |
ssl->ctx = SSL_CTX_new(SSLv23_method());
|
|
|
67ea12 |
|
|
|
67ea12 |
if (ssl->ctx == NULL) {
|
|
|
67ea12 |
@@ -296,39 +298,53 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
|
67ea12 |
|
|
|
67ea12 |
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
|
|
|
67ea12 |
|
|
|
67ea12 |
-#ifdef SSL_CTRL_CLEAR_OPTIONS
|
|
|
67ea12 |
- /* only in 0.9.8m+ */
|
|
|
67ea12 |
- SSL_CTX_clear_options(ssl->ctx,
|
|
|
67ea12 |
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
|
|
|
67ea12 |
+ if (protocols){
|
|
|
67ea12 |
+#ifdef SSL_OP_NO_TLSv1_3
|
|
|
67ea12 |
+ if (protocols & NGX_SSL_TLSv1_3) {
|
|
|
67ea12 |
+ prot = TLS1_3_VERSION;
|
|
|
67ea12 |
+ } else
|
|
|
67ea12 |
+#endif
|
|
|
67ea12 |
+#ifdef SSL_OP_NO_TLSv1_2
|
|
|
67ea12 |
+ if (protocols & NGX_SSL_TLSv1_2) {
|
|
|
67ea12 |
+ prot = TLS1_2_VERSION;
|
|
|
67ea12 |
+ } else
|
|
|
67ea12 |
+#endif
|
|
|
67ea12 |
+#ifdef SSL_OP_NO_TLSv1_1
|
|
|
67ea12 |
+ if (protocols & NGX_SSL_TLSv1_1) {
|
|
|
67ea12 |
+ prot = TLS1_1_VERSION;
|
|
|
67ea12 |
+ } else
|
|
|
67ea12 |
#endif
|
|
|
67ea12 |
+ if (protocols & NGX_SSL_TLSv1) {
|
|
|
67ea12 |
+ prot = TLS1_VERSION;
|
|
|
67ea12 |
+ }
|
|
|
67ea12 |
|
|
|
67ea12 |
- if (!(protocols & NGX_SSL_SSLv2)) {
|
|
|
67ea12 |
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
|
|
|
67ea12 |
- }
|
|
|
67ea12 |
- if (!(protocols & NGX_SSL_SSLv3)) {
|
|
|
67ea12 |
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
|
|
|
67ea12 |
- }
|
|
|
67ea12 |
- if (!(protocols & NGX_SSL_TLSv1)) {
|
|
|
67ea12 |
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
|
|
|
67ea12 |
- }
|
|
|
67ea12 |
+ if (prot == NGX_SSL_NO_PROT) {
|
|
|
67ea12 |
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
|
67ea12 |
+ "No SSL protocols available [hint: ssl_protocols]");
|
|
|
67ea12 |
+ return NGX_ERROR;
|
|
|
67ea12 |
+ }
|
|
|
67ea12 |
+
|
|
|
67ea12 |
+ SSL_CTX_set_max_proto_version(ssl->ctx, prot);
|
|
|
67ea12 |
+
|
|
|
67ea12 |
+ /* Now, we have to scan for minimal protocol version,
|
|
|
67ea12 |
+ *without allowing holes between min and max*/
|
|
|
67ea12 |
+#if SSL_OP_NO_TLSv1_3
|
|
|
67ea12 |
+ if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
|
|
|
67ea12 |
+ prot = TLS1_2_VERSION;
|
|
|
67ea12 |
+ }
|
|
|
67ea12 |
+#endif
|
|
|
67ea12 |
#ifdef SSL_OP_NO_TLSv1_1
|
|
|
67ea12 |
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
|
|
|
67ea12 |
- if (!(protocols & NGX_SSL_TLSv1_1)) {
|
|
|
67ea12 |
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
|
|
|
67ea12 |
- }
|
|
|
67ea12 |
+ if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
|
|
|
67ea12 |
+ prot = TLS1_1_VERSION;
|
|
|
67ea12 |
+ }
|
|
|
67ea12 |
#endif
|
|
|
67ea12 |
#ifdef SSL_OP_NO_TLSv1_2
|
|
|
67ea12 |
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
|
|
|
67ea12 |
- if (!(protocols & NGX_SSL_TLSv1_2)) {
|
|
|
67ea12 |
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
|
|
|
67ea12 |
- }
|
|
|
67ea12 |
+ if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
|
|
|
67ea12 |
+ prot = TLS1_VERSION;
|
|
|
67ea12 |
+ }
|
|
|
67ea12 |
#endif
|
|
|
67ea12 |
-#ifdef SSL_OP_NO_TLSv1_3
|
|
|
67ea12 |
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
|
|
|
67ea12 |
- if (!(protocols & NGX_SSL_TLSv1_3)) {
|
|
|
67ea12 |
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
|
|
|
67ea12 |
+ SSL_CTX_set_min_proto_version(ssl->ctx, prot);
|
|
|
67ea12 |
}
|
|
|
67ea12 |
-#endif
|
|
|
67ea12 |
|
|
|
67ea12 |
#ifdef SSL_OP_NO_COMPRESSION
|
|
|
67ea12 |
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
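Review bot: The results of `SSL_CTX_set_max_proto_version(ssl->ctx, prot)` and `SSL_CTX_set_min_proto_version(ssl->ctx, prot)` are discarded, yet both return 0 when the linked library cannot honour the requested version (for example TLS1_3_VERSION on a build without TLS 1.3), so an unsupported `ssl_protocols` choice is accepted silently instead of failing at startup; wrap each call as `if (SSL_CTX_set_max_proto_version(ssl->ctx, prot) != 1) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_set_max_proto_version() failed"); return NGX_ERROR; }` and likewise for the min call. The guard `#if SSL_OP_NO_TLSv1_3` before the first downward step is inconsistent with the `#ifdef` used for every other step, and `#if` on an option macro is fragile because some OpenSSL headers define these options with cast expressions the preprocessor cannot evaluate; use `#ifdef SSL_OP_NO_TLSv1_3` here too. Because the whole version setup sits under `if (protocols){` (also missing the space before the brace), a server with no `ssl_protocols` directive — which the http, mail and stream hunks now merge to 0 — gets neither a minimum version nor the old explicit `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3`, so the accepted protocol set becomes whatever the linked OpenSSL build defaults to; either keep a non-zero default in the merge or treat `protocols == 0` as the default set here. A comment above the block should also record that the `NGX_SSL_SSLv2`/`NGX_SSL_SSLv3` bits are now ignored (a config listing only those fails with "No SSL protocols available") and that the proto-version API needs a newer OpenSSL than the removed `SSL_CTRL_CLEAR_OPTIONS` fallback did. ngx_ssl_create's body continues outside the hunk.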
|
|
|
67ea12 |
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
|
|
|
67ea12 |
index 623d851..6f3d7ee 100644
|
|
|
67ea12 |
--- a/src/event/ngx_event_openssl.h
|
|
|
67ea12 |
+++ b/src/event/ngx_event_openssl.h
|
|
|
67ea12 |
@@ -132,6 +132,7 @@ typedef struct {
|
|
|
67ea12 |
#endif
|
|
|
67ea12 |
|
|
|
67ea12 |
|
|
|
67ea12 |
+#define NGX_SSL_NO_PROT 0x0000
|
|
|
67ea12 |
#define NGX_SSL_SSLv2 0x0002
|
|
|
67ea12 |
#define NGX_SSL_SSLv3 0x0004
|
|
|
67ea12 |
#define NGX_SSL_TLSv1 0x0008
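Review bot: `NGX_SSL_NO_PROT` is placed in the `NGX_SSL_*` bitmask list but is never used as a bitmask value; in ngx_ssl_create() it is the initial value of `prot`, which is then compared against `TLS1_*_VERSION` constants, a different number space. A reader scanning this header will assume it is a selectable protocol bit, so give it a comment such as `/* sentinel for ngx_ssl_create(): no usable protocol version selected */` or move it out of the bitmask group.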
|
|
|
67ea12 |
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
|
|
|
67ea12 |
index 7d62176..f9ef07d 100644
|
|
|
67ea12 |
--- a/src/http/modules/ngx_http_ssl_module.c
|
|
|
67ea12 |
+++ b/src/http/modules/ngx_http_ssl_module.c
|
|
|
67ea12 |
@@ -590,8 +588,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
|
67ea12 |
prev->prefer_server_ciphers, 0);
|
|
|
67ea12 |
|
|
|
67ea12 |
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
|
|
67ea12 |
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|
|
|
67ea12 |
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
|
|
|
67ea12 |
+ 0)
|
|
|
67ea12 |
|
|
|
67ea12 |
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
|
|
|
67ea12 |
NGX_SSL_BUFSIZE);
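Review bot: The replacement line `+ 0)` drops the semicolon that terminated the `ngx_conf_merge_bitmask_value(...)` statement in ngx_http_ssl_merge_srv_conf, so this file no longer compiles; the mail and stream hunks keep it (`0);`), and this one should read `0);` as well. The enclosing function starts and ends outside the hunk.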
|
|
|
67ea12 |
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
|
|
|
67ea12 |
index aebd179..50c7023 100644
|
|
|
67ea12 |
--- a/src/mail/ngx_mail_ssl_module.c
|
|
|
67ea12 |
+++ b/src/mail/ngx_mail_ssl_module.c
|
|
|
67ea12 |
@@ -285,8 +283,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
|
67ea12 |
prev->prefer_server_ciphers, 0);
|
|
|
67ea12 |
|
|
|
67ea12 |
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
|
|
67ea12 |
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|
|
|
67ea12 |
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
|
|
|
67ea12 |
+ 0);
|
|
|
67ea12 |
|
|
|
67ea12 |
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
|
|
67ea12 |
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
|
|
|
67ea12 |
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
|
|
|
67ea12 |
index 3e5a1f2..c8fce57 100644
|
|
|
67ea12 |
--- a/src/stream/ngx_stream_ssl_module.c
|
|
|
67ea12 |
+++ b/src/stream/ngx_stream_ssl_module.c
|
|
|
67ea12 |
@@ -554,8 +552,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
|
67ea12 |
prev->prefer_server_ciphers, 0);
|
|
|
67ea12 |
|
|
|
67ea12 |
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
|
|
67ea12 |
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|
|
|
67ea12 |
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
|
|
|
67ea12 |
+ 0);
|
|
|
67ea12 |
|
|
|
67ea12 |
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
|
|
67ea12 |
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
|