details: http://hg.nginx.org/nginx/rev/a84267233877
branches:
changeset: 6035:a84267233877
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Mar 23 02:42:34 2015 +0300
description:
SSL: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.

LibreSSL removed support for export ciphers and a call to
SSL_CTX_set_tmp_rsa_callback() results in an error left in the error
queue. This caused alerts "ignoring stale global SSL error (...called
a function you should not call) while SSL handshaking" on a first connection
in each worker process.

diffstat:

src/http/modules/ngx_http_ssl_module.c | 2 ++
src/mail/ngx_mail_ssl_module.c | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)

diffs (27 lines):

diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -715,8 +715,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}

+#ifndef LIBRESSL_VERSION_NUMBER
/* a temporary 512-bit RSA key is required for export versions of MSIE */
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+#endif

if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -421,7 +421,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}

+#ifndef LIBRESSL_VERSION_NUMBER
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+#endif

if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel