Re: [PATCH 3 of 4] SSL: stop using deprecated RSA_generate_key() function

Maxim Dounin
July 07, 2014 07:34PM
Hello!

On Mon, Jul 07, 2014 at 03:02:14PM -0700, Piotr Sikora wrote:

> Hey Maxim,
>
> > It's marked as deprecated in master branch, but not in the latest
> > release. Try looking into the latest release docs, 1.0.1h -
> > doc/crypto/RSA_generate_key.pod doesn't even mention
> > RSA_generate_key_ex.
>
> It's been deprecated before OpenSSL-0.9.8 release, see git history [1].

Correct link is:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9224c717711eefb30038c9b37c69795dda93c9a

And it looks like the only rationale for deprecation is a new
interface introduced.

> OpenSSL's documentation is a terrible source of information and that's
> not news - nginx itself is using a lot of undocumented functions,
> especially in the OCSP stapling code.

It's not about quality of OpenSSL's documentation, it's about the
fact that OpenSSL itself doesn't care about said deprecation.

> > Sure, it can and likely will be helpful. In this particular case
> > the replacement code seems to be too long though. For
> > development needs, it will probably be enough to just return NULL
> > if OPENSSL_NO_DEPRECATED is defined.
>
> Sigh, I really don't think that the amount of code is really a problem
> here... But if you're really unhappy with it, maybe let's just remove

The amount of code is certainly a problem, and it indicates that
the "new" interface, uhm, has problems.

> the callback altogether? It's not like it's used with nginx's default
> ciphers list and I'm not aware of anything since Windows NT 4.0 that
> would require it.

I don't think it's time to remove it, but as I previously said, I
will be fine with something like this:

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -652,12 +652,16 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn
{
static RSA *key;

+#ifndef OPENSSL_NO_DEPRECATED
+
if (key_length == 512) {
if (key == NULL) {
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
}
}

+#endif
+
return key;
}
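Review bot: with OPENSSL_NO_DEPRECATED defined the whole body of ngx_ssl_rsa512_key_callback collapses to `return key;` on a static that is never assigned, so the callback silently answers every 512-bit request with NULL; a one-line comment above the `#ifndef` saying that export-grade temporary keys are intentionally unavailable in such builds would make that visible to the next reader, and `key_length` becomes an unused parameter in that configuration, which may warn depending on the compiler flags in use.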


This won't change anything for normal builds, but will allow test
builds with OPENSSL_NO_DEPRECATED defined.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel