[nginx] svn commit: r4401 - in trunk/src: event http/modules mail

Author: mdounin
Date: 2012-01-11 11:15:00 +0000 (Wed, 11 Jan 2012)
New Revision: 4401

Log:
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.

Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1
(-beta1 was recently released). This change makes it possible to disable
these protocols and/or enable them without other protocols.


Modified:
trunk/src/event/ngx_event_openssl.c
trunk/src/event/ngx_event_openssl.h
trunk/src/http/modules/ngx_http_proxy_module.c
trunk/src/http/modules/ngx_http_ssl_module.c
trunk/src/mail/ngx_mail_ssl_module.c

Modified: trunk/src/event/ngx_event_openssl.c
===================================================================
--- trunk/src/event/ngx_event_openssl.c 2012-01-11 11:09:05 UTC (rev 4400)
+++ trunk/src/event/ngx_event_openssl.c 2012-01-11 11:15:00 UTC (rev 4401)
@@ -78,18 +78,6 @@
};


-static long ngx_ssl_protocols[] = {
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,
- SSL_OP_NO_TLSv1,
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,
- SSL_OP_NO_SSLv3,
- SSL_OP_NO_SSLv2,
- 0,
-};
-
-
int ngx_ssl_connection_index;
int ngx_ssl_server_conf_index;
int ngx_ssl_session_cache_index;
@@ -171,9 +159,25 @@

SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);

- if (ngx_ssl_protocols[protocols >> 1] != 0) {
- SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
+ if (!(protocols & NGX_SSL_SSLv2)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
}
+ if (!(protocols & NGX_SSL_SSLv3)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
+ }
+ if (!(protocols & NGX_SSL_TLSv1)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
+ }
+#ifdef SSL_OP_NO_TLSv1_1
+ if (!(protocols & NGX_SSL_TLSv1_1)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+ }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (!(protocols & NGX_SSL_TLSv1_2)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif

#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
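Review bot: When the linked OpenSSL predates SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2, the two `#ifdef` blocks drop the configured bits silently, so a configuration such as `ssl_protocols TLSv1.2;` ends up with every protocol the library does support disabled and nothing in the log explaining why handshakes fail. An `#else` branch that warns when a bit is set for a protocol the library cannot provide would make the degraded configuration visible; ssl->log appears to be available here, since the ngx_http_proxy_module.c hunk assigns it before calling ngx_ssl_create. The inverted sense of the checks is also easy to misread, so a one-line comment above the first `if`, `/* ssl_protocols lists what is allowed; everything else is turned off via SSL_OP_NO_* */`, is worth adding. ngx_ssl_create begins and ends outside this hunk.
```c
#ifdef SSL_OP_NO_TLSv1_1
    if (!(protocols & NGX_SSL_TLSv1_1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
    }
#else
    if (protocols & NGX_SSL_TLSv1_1) {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "TLSv1.1 listed in ssl_protocols is not supported "
                      "by the linked OpenSSL");
    }
#endif
/* … same #else treatment for SSL_OP_NO_TLSv1_2 / NGX_SSL_TLSv1_2 … */
```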

Modified: trunk/src/event/ngx_event_openssl.h
===================================================================
--- trunk/src/event/ngx_event_openssl.h 2012-01-11 11:09:05 UTC (rev 4400)
+++ trunk/src/event/ngx_event_openssl.h 2012-01-11 11:15:00 UTC (rev 4401)
@@ -81,9 +81,11 @@



-#define NGX_SSL_SSLv2 2
-#define NGX_SSL_SSLv3 4
-#define NGX_SSL_TLSv1 8
+#define NGX_SSL_SSLv2 0x0002
+#define NGX_SSL_SSLv3 0x0004
+#define NGX_SSL_TLSv1 0x0008
+#define NGX_SSL_TLSv1_1 0x0010
+#define NGX_SSL_TLSv1_2 0x0020


#define NGX_SSL_BUFFER 1
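Review bot: The new flag values leave bit 0x0001 unused without saying why; the ngx_conf_merge_bitmask_value calls in ngx_http_ssl_module.c and ngx_mail_ssl_module.c OR NGX_CONF_BITMASK_SET into the same word, which is presumably the reserved bit. A comment above the group, `/* 0x0001 is reserved: NGX_CONF_BITMASK_SET shares this word in the ssl_protocols merge */`, would stop the next protocol from being assigned that value. The removed `>> 1` table lookup carried that layout implicitly; with the table gone this header is the only place left to record it.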

Modified: trunk/src/http/modules/ngx_http_proxy_module.c
===================================================================
--- trunk/src/http/modules/ngx_http_proxy_module.c 2012-01-11 11:09:05 UTC (rev 4400)
+++ trunk/src/http/modules/ngx_http_proxy_module.c 2012-01-11 11:15:00 UTC (rev 4401)
@@ -3598,7 +3598,9 @@
plcf->upstream.ssl->log = cf->log;

if (ngx_ssl_create(plcf->upstream.ssl,
- NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
+ NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
+ NULL)
!= NGX_OK)
{
return NGX_ERROR;
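Review bot: The upstream context now enables SSLv2 together with every newer protocol, and the set is a hard-coded literal with no directive to narrow it, so an operator who restricts ssl_protocols on the server side has no way to apply the same policy to the connections nginx itself opens. At minimum the literal could match the server-side default this same commit sets in ngx_http_ssl_module.c, `NGX_SSL_SSLv3|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,`, leaving SSLv2 out; a configurable set analogous to ssl_protocols would be the fuller fix. The enclosing function begins and ends outside this hunk.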

Modified: trunk/src/http/modules/ngx_http_ssl_module.c
===================================================================
--- trunk/src/http/modules/ngx_http_ssl_module.c 2012-01-11 11:09:05 UTC (rev 4400)
+++ trunk/src/http/modules/ngx_http_ssl_module.c 2012-01-11 11:15:00 UTC (rev 4401)
@@ -37,6 +37,8 @@
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 },
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
+ { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_null_string, 0 }
};

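Review bot: The protocol-name table is now maintained in two places, here and in ngx_mail_ssl_module.c (the same two rows are added there in this commit), so a future protocol has to be added to both or the two modules accept different ssl_protocols values. Hoisting the table next to the NGX_SSL_* definitions it mirrors in ngx_event_openssl.h would remove the duplication; if it stays duplicated, a comment above the array, `/* keep in sync with ngx_mail_ssl_module.c */`, is the minimum. The array's declaration line is outside the hunk.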
@@ -364,7 +366,8 @@
prev->prefer_server_ciphers, 0);

ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+ (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
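Review bot: The default protocol set is spelled out twice, here and in the matching ngx_conf_merge_bitmask_value call of ngx_mail_ssl_module.c, and neither site records why SSLv3 stays in the default while SSLv2 is left out, so anyone revisiting the default later has nothing to go on. A single shared definition in ngx_event_openssl.h (for example a `NGX_SSL_DEFAULT_PROTOCOLS` macro, name constructed here) with a comment giving the compatibility reasoning would keep http and mail aligned and make the trade-off explicit. The merge function continues outside the hunk.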

Modified: trunk/src/mail/ngx_mail_ssl_module.c
===================================================================
--- trunk/src/mail/ngx_mail_ssl_module.c 2012-01-11 11:09:05 UTC (rev 4400)
+++ trunk/src/mail/ngx_mail_ssl_module.c 2012-01-11 11:15:00 UTC (rev 4401)
@@ -37,6 +37,8 @@
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 },
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
+ { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_null_string, 0 }
};

@@ -206,7 +208,8 @@
prev->prefer_server_ciphers, 0);

ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+ (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
