details: http://hg.nginx.org/nginx/rev/42520df85ebb
branches:
changeset: 5892:42520df85ebb
user: Sergey Kandaurov <pluknet@nginx.com>
date: Fri Oct 24 04:28:00 2014 -0700
description:
SSL: simplified ssl_password_file error handling.

Instead of collecting a number of the possible SSL_CTX_use_PrivateKey_file()
error codes that becomes more and more difficult with the rising variety of
OpenSSL versions and its derivatives, just continue with the next password.

Multiple passwords in a single ssl_password_file feature was broken after
recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.

Reported by Piotr Sikora.

diffstat:

src/event/ngx_event_openssl.c | 17 +++--------------
1 files changed, 3 insertions(+), 14 deletions(-)

diffs (27 lines):

diff -r 87ada3ba1392 -r 42520df85ebb src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Oct 27 14:25:56 2014 -0700
+++ b/src/event/ngx_event_openssl.c Fri Oct 24 04:28:00 2014 -0700
@@ -404,20 +404,9 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
}

if (--tries) {
- n = ERR_peek_error();
-
-#ifdef OPENSSL_IS_BORINGSSL
- if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
- && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
-#else
- if (ERR_GET_LIB(n) == ERR_LIB_EVP
- && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
-#endif
- {
- ERR_clear_error();
- SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
- continue;
- }
+ ERR_clear_error();
+ SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
+ continue;
}

ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel