[PATCH] New directive to configure TLSv1.3 ciphers
|
Ramprasad Tamilselvan
November 14, 2018 08:26PM
|
# HG changeset patch
# User Ramprasad Tamilselvan <ramprasad.tamilselvan@quantil.com>
# Date 1542241466 28800
# Wed Nov 14 16:24:26 2018 -0800
# Node ID 83b05772dbd657b31df16d712a64c908c371f0d9
# Parent 4698cede59ffa438bcae1fd6c5d8fec4d69b2c92
New directive to configure TLSv1.3 ciphers.
In openssl 1.1.1, a new API is introduced to configure ciphers
for TLSv1.3. A new directive ssl_ciphersuites will call the new
API to configure the ciphers for TLSv1.3.
diff -r 4698cede59ff -r 83b05772dbd6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/event/ngx_event_openssl.c Wed Nov 14 16:24:26 2018 -0800
@@ -660,8 +660,20 @@
ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
- ngx_uint_t prefer_server_ciphers)
+ ngx_str_t *ciphersuites, ngx_uint_t prefer_server_ciphers)
{
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ /* set cipher as "" so that SSL_CTX_set_cipher_list can detect
+ * any invalid ciphers */
+ if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *) "") == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_ciphersuites(\"%V\") failed",
+ ciphersuites);
+ return NGX_ERROR;
+ }
+#endif
+
if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set_cipher_list(\"%V\") failed",
@@ -669,6 +681,16 @@
return NGX_ERROR;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ /* set ciphers for TLSv1.3 */
+ if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *) ciphersuites->data) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_ciphersuites(\"%V\") failed",
+ ciphersuites);
+ return NGX_ERROR;
+ }
+#endif
+
if (prefer_server_ciphers) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
diff -r 4698cede59ff -r 83b05772dbd6 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/event/ngx_event_openssl.h Wed Nov 14 16:24:26 2018 -0800
@@ -165,7 +165,7 @@
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
- ngx_uint_t prefer_server_ciphers);
+ ngx_str_t *ciphersuites, ngx_uint_t prefer_server_ciphers);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_grpc_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
#include <ngx_core.h>
#include <ngx_http.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_array_t *flushes;
@@ -31,6 +34,7 @@
ngx_uint_t ssl;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
@@ -365,6 +369,13 @@
offsetof(ngx_http_grpc_loc_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("grpc_ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_grpc_loc_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("grpc_ssl_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_set_complex_value_slot,
@@ -4165,6 +4176,7 @@
* conf->ssl = 0;
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
+ * conf->ssl_ciphersuites = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
* conf->ssl_certificate = { 0, NULL };
@@ -4280,6 +4292,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
}
@@ -4673,7 +4688,8 @@
}
}
- if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
+ if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers,
+ &glcf->ssl_ciphersuites, 0)
!= NGX_OK)
{
return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
#include <ngx_core.h>
#include <ngx_http.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_array_t caches; /* ngx_http_file_cache_t * */
@@ -94,6 +97,7 @@
ngx_uint_t ssl;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
@@ -659,6 +663,13 @@
offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("proxy_ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("proxy_ssl_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_set_complex_value_slot,
@@ -2825,6 +2836,7 @@
* conf->ssl = 0;
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
+ * conf->ssl_ciphersuites = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
* conf->ssl_certificate = { 0, NULL };
@@ -3208,6 +3220,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
}
@@ -4293,7 +4308,8 @@
}
}
- if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
+ if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers,
+ &plcf->ssl_ciphersuites, 0)
!= NGX_OK)
{
return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -16,6 +16,9 @@
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE "auto"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
@@ -133,6 +136,13 @@
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, ciphers),
NULL },
+
+ { ngx_string("ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, ciphersuites),
+ NULL },
{ ngx_string("ssl_buffer_size"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
@@ -556,6 +566,7 @@
* sscf->trusted_certificate = { 0, NULL };
* sscf->crl = { 0, NULL };
* sscf->ciphers = { 0, NULL };
+ * sscf->ciphersuites = { 0, NULL };
* sscf->shm_zone = NULL;
* sscf->stapling_file = { 0, NULL };
* sscf->stapling_responder = { 0, NULL };
@@ -637,6 +648,9 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
@@ -734,7 +748,7 @@
return NGX_CONF_ERROR;
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, &conf->ciphersuites,
conf->prefer_server_ciphers)
!= NGX_OK)
{
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h Wed Nov 14 16:24:26 2018 -0800
@@ -44,6 +44,8 @@
ngx_str_t ciphers;
+ ngx_str_t ciphersuites;
+
ngx_array_t *passwords;
ngx_shm_zone_t *shm_zone;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -11,6 +11,9 @@
#include <ngx_core.h>
#include <ngx_http.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_array_t caches; /* ngx_http_file_cache_t * */
@@ -51,6 +54,7 @@
ngx_uint_t ssl;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
@@ -497,6 +501,13 @@
offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("uwsgi_ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("uwsgi_ssl_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_set_complex_value_slot,
@@ -1773,6 +1784,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
}
@@ -2382,7 +2396,8 @@
}
}
- if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+ if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers,
+ &uwcf->ssl_ciphersuites, 0)
!= NGX_OK)
{
return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -11,6 +11,9 @@
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
#define NGX_DEFAULT_ECDH_CURVE "auto"
@@ -126,6 +129,13 @@
offsetof(ngx_mail_ssl_conf_t, ciphers),
NULL },
+ { ngx_string("ssl_ciphersuites"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, ciphersuites),
+ NULL },
+
{ ngx_string("ssl_prefer_server_ciphers"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -251,6 +261,7 @@
* scf->trusted_certificate = { 0, NULL };
* scf->crl = { 0, NULL };
* scf->ciphers = { 0, NULL };
+ * scf->ciphersuites = { 0, NULL };
* scf->shm_zone = NULL;
*/
@@ -316,6 +327,9 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
conf->ssl.log = cf->log;
@@ -412,7 +426,7 @@
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, &conf->ciphersuites,
conf->prefer_server_ciphers)
!= NGX_OK)
{
diff -r 4698cede59ff -r 83b05772dbd6 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/mail/ngx_mail_ssl_module.h Wed Nov 14 16:24:26 2018 -0800
@@ -47,6 +47,8 @@
ngx_str_t ciphers;
+ ngx_str_t ciphersuites;
+
ngx_array_t *passwords;
ngx_shm_zone_t *shm_zone;
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
#include <ngx_core.h>
#include <ngx_stream.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_addr_t *addr;
@@ -39,6 +42,7 @@
ngx_flag_t ssl_session_reuse;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_stream_complex_value_t *ssl_name;
ngx_flag_t ssl_server_name;
@@ -268,6 +272,13 @@
offsetof(ngx_stream_proxy_srv_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("proxy_ssl_ciphersuites"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("proxy_ssl_name"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_stream_set_complex_value_slot,
@@ -1945,6 +1956,7 @@
*
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
+ * conf->ssl_ciphersuites = { 0, NULL };
* conf->ssl_name = NULL;
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
@@ -2038,6 +2050,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->ssl_name == NULL) {
conf->ssl_name = prev->ssl_name;
}
@@ -2115,7 +2130,9 @@
}
}
- if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
+ if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers,
+ &pscf->ssl_ciphersuites, 0)
+ != NGX_OK) {
return NGX_ERROR;
}
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -15,6 +15,9 @@
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
#define NGX_DEFAULT_ECDH_CURVE "auto"
@@ -117,6 +120,13 @@
offsetof(ngx_stream_ssl_conf_t, ciphers),
NULL },
+ { ngx_string("ssl_ciphersuites"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_conf_t, ciphersuites),
+ NULL },
+
{ ngx_string("ssl_verify_client"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_enum_slot,
@@ -511,6 +521,7 @@
* scf->trusted_certificate = { 0, NULL };
* scf->crl = { 0, NULL };
* scf->ciphers = { 0, NULL };
+ * scf->ciphersuites = { 0, NULL };
* scf->shm_zone = NULL;
*/
@@ -573,6 +584,9 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
conf->ssl.log = cf->log;
@@ -627,7 +641,7 @@
}
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
+ &conf->ciphersuites, conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_ssl_module.h Wed Nov 14 16:24:26 2018 -0800
@@ -42,6 +42,8 @@
ngx_str_t ciphers;
+ ngx_str_t ciphersuites;
+
ngx_array_t *passwords;
ngx_shm_zone_t *shm_zone;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
# User Ramprasad Tamilselvan <ramprasad.tamilselvan@quantil.com>
# Date 1542241466 28800
# Wed Nov 14 16:24:26 2018 -0800
# Node ID 83b05772dbd657b31df16d712a64c908c371f0d9
# Parent 4698cede59ffa438bcae1fd6c5d8fec4d69b2c92
New directive to configure TLSv1.3 ciphers.
In openssl 1.1.1, a new API is introduced to configure ciphers
for TLSv1.3. A new directive ssl_ciphersuites will call the new
API to configure the ciphers for TLSv1.3.
diff -r 4698cede59ff -r 83b05772dbd6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/event/ngx_event_openssl.c Wed Nov 14 16:24:26 2018 -0800
@@ -660,8 +660,20 @@
ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
- ngx_uint_t prefer_server_ciphers)
+ ngx_str_t *ciphersuites, ngx_uint_t prefer_server_ciphers)
{
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ /* set cipher as "" so that SSL_CTX_set_cipher_list can detect
+ * any invalid ciphers */
+ if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *) "") == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_ciphersuites(\"%V\") failed",
+ ciphersuites);
+ return NGX_ERROR;
+ }
+#endif
+
if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set_cipher_list(\"%V\") failed",
@@ -669,6 +681,16 @@
return NGX_ERROR;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ /* set ciphers for TLSv1.3 */
+ if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *) ciphersuites->data) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_ciphersuites(\"%V\") failed",
+ ciphersuites);
+ return NGX_ERROR;
+ }
+#endif
+
if (prefer_server_ciphers) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
diff -r 4698cede59ff -r 83b05772dbd6 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/event/ngx_event_openssl.h Wed Nov 14 16:24:26 2018 -0800
@@ -165,7 +165,7 @@
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
- ngx_uint_t prefer_server_ciphers);
+ ngx_str_t *ciphersuites, ngx_uint_t prefer_server_ciphers);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_grpc_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
#include <ngx_core.h>
#include <ngx_http.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_array_t *flushes;
@@ -31,6 +34,7 @@
ngx_uint_t ssl;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
@@ -365,6 +369,13 @@
offsetof(ngx_http_grpc_loc_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("grpc_ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_grpc_loc_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("grpc_ssl_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_set_complex_value_slot,
@@ -4165,6 +4176,7 @@
* conf->ssl = 0;
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
+ * conf->ssl_ciphersuites = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
* conf->ssl_certificate = { 0, NULL };
@@ -4280,6 +4292,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
}
@@ -4673,7 +4688,8 @@
}
}
- if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
+ if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers,
+ &glcf->ssl_ciphersuites, 0)
!= NGX_OK)
{
return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
#include <ngx_core.h>
#include <ngx_http.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_array_t caches; /* ngx_http_file_cache_t * */
@@ -94,6 +97,7 @@
ngx_uint_t ssl;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
@@ -659,6 +663,13 @@
offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("proxy_ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("proxy_ssl_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_set_complex_value_slot,
@@ -2825,6 +2836,7 @@
* conf->ssl = 0;
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
+ * conf->ssl_ciphersuites = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
* conf->ssl_certificate = { 0, NULL };
@@ -3208,6 +3220,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
}
@@ -4293,7 +4308,8 @@
}
}
- if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
+ if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers,
+ &plcf->ssl_ciphersuites, 0)
!= NGX_OK)
{
return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -16,6 +16,9 @@
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE "auto"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
@@ -133,6 +136,13 @@
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, ciphers),
NULL },
+
+ { ngx_string("ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, ciphersuites),
+ NULL },
{ ngx_string("ssl_buffer_size"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
@@ -556,6 +566,7 @@
* sscf->trusted_certificate = { 0, NULL };
* sscf->crl = { 0, NULL };
* sscf->ciphers = { 0, NULL };
+ * sscf->ciphersuites = { 0, NULL };
* sscf->shm_zone = NULL;
* sscf->stapling_file = { 0, NULL };
* sscf->stapling_responder = { 0, NULL };
@@ -637,6 +648,9 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
@@ -734,7 +748,7 @@
return NGX_CONF_ERROR;
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, &conf->ciphersuites,
conf->prefer_server_ciphers)
!= NGX_OK)
{
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h Wed Nov 14 16:24:26 2018 -0800
@@ -44,6 +44,8 @@
ngx_str_t ciphers;
+ ngx_str_t ciphersuites;
+
ngx_array_t *passwords;
ngx_shm_zone_t *shm_zone;
diff -r 4698cede59ff -r 83b05772dbd6 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -11,6 +11,9 @@
#include <ngx_core.h>
#include <ngx_http.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_array_t caches; /* ngx_http_file_cache_t * */
@@ -51,6 +54,7 @@
ngx_uint_t ssl;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
@@ -497,6 +501,13 @@
offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("uwsgi_ssl_ciphersuites"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("uwsgi_ssl_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_set_complex_value_slot,
@@ -1773,6 +1784,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
}
@@ -2382,7 +2396,8 @@
}
}
- if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+ if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers,
+ &uwcf->ssl_ciphersuites, 0)
!= NGX_OK)
{
return NGX_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -11,6 +11,9 @@
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
#define NGX_DEFAULT_ECDH_CURVE "auto"
@@ -126,6 +129,13 @@
offsetof(ngx_mail_ssl_conf_t, ciphers),
NULL },
+ { ngx_string("ssl_ciphersuites"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, ciphersuites),
+ NULL },
+
{ ngx_string("ssl_prefer_server_ciphers"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -251,6 +261,7 @@
* scf->trusted_certificate = { 0, NULL };
* scf->crl = { 0, NULL };
* scf->ciphers = { 0, NULL };
+ * scf->ciphersuites = { 0, NULL };
* scf->shm_zone = NULL;
*/
@@ -316,6 +327,9 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
conf->ssl.log = cf->log;
@@ -412,7 +426,7 @@
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, &conf->ciphersuites,
conf->prefer_server_ciphers)
!= NGX_OK)
{
diff -r 4698cede59ff -r 83b05772dbd6 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/mail/ngx_mail_ssl_module.h Wed Nov 14 16:24:26 2018 -0800
@@ -47,6 +47,8 @@
ngx_str_t ciphers;
+ ngx_str_t ciphersuites;
+
ngx_array_t *passwords;
ngx_shm_zone_t *shm_zone;
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -9,6 +9,9 @@
#include <ngx_core.h>
#include <ngx_stream.h>
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
typedef struct {
ngx_addr_t *addr;
@@ -39,6 +42,7 @@
ngx_flag_t ssl_session_reuse;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_str_t ssl_ciphersuites;
ngx_stream_complex_value_t *ssl_name;
ngx_flag_t ssl_server_name;
@@ -268,6 +272,13 @@
offsetof(ngx_stream_proxy_srv_conf_t, ssl_ciphers),
NULL },
+ { ngx_string("proxy_ssl_ciphersuites"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, ssl_ciphersuites),
+ NULL },
+
{ ngx_string("proxy_ssl_name"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_stream_set_complex_value_slot,
@@ -1945,6 +1956,7 @@
*
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
+ * conf->ssl_ciphersuites = { 0, NULL };
* conf->ssl_name = NULL;
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
@@ -2038,6 +2050,9 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
+ ngx_conf_merge_str_value(conf->ssl_ciphersuites, prev->ssl_ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
if (conf->ssl_name == NULL) {
conf->ssl_name = prev->ssl_name;
}
@@ -2115,7 +2130,9 @@
}
}
- if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
+ if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers,
+ &pscf->ssl_ciphersuites, 0)
+ != NGX_OK) {
return NGX_ERROR;
}
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Wed Nov 14 16:24:26 2018 -0800
@@ -15,6 +15,9 @@
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#define NGX_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384" \
+ ":TLS_CHACHA20_POLY1305_SHA256" \
+ ":TLS_AES_128_GCM_SHA256"
#define NGX_DEFAULT_ECDH_CURVE "auto"
@@ -117,6 +120,13 @@
offsetof(ngx_stream_ssl_conf_t, ciphers),
NULL },
+ { ngx_string("ssl_ciphersuites"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_conf_t, ciphersuites),
+ NULL },
+
{ ngx_string("ssl_verify_client"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_enum_slot,
@@ -511,6 +521,7 @@
* scf->trusted_certificate = { 0, NULL };
* scf->crl = { 0, NULL };
* scf->ciphers = { 0, NULL };
+ * scf->ciphersuites = { 0, NULL };
* scf->shm_zone = NULL;
*/
@@ -573,6 +584,9 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_str_value(conf->ciphersuites, prev->ciphersuites,
+ NGX_DEFAULT_CIPHERSUITES);
+
conf->ssl.log = cf->log;
@@ -627,7 +641,7 @@
}
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
+ &conf->ciphersuites, conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 4698cede59ff -r 83b05772dbd6 src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h Mon Nov 12 16:29:30 2018 +0300
+++ b/src/stream/ngx_stream_ssl_module.h Wed Nov 14 16:24:26 2018 -0800
@@ -42,6 +42,8 @@
ngx_str_t ciphers;
+ ngx_str_t ciphersuites;
+
ngx_array_t *passwords;
ngx_shm_zone_t *shm_zone;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
| Subject | Author | Views | Posted |
|---|---|---|---|
|
Ramprasad Tamilselvan | 367 | November 14, 2018 08:26PM |
|
Maxim Dounin | 131 | November 15, 2018 09:54AM |
|
Ramprasad Tamilselvan | 690 | November 15, 2018 01:56PM |
|
Ramprasad Tamilselvan | 135 | November 15, 2018 03:18PM |
|
Maxim Dounin | 155 | November 16, 2018 06:52AM |
Sorry, you do not have permission to post/reply in this forum.
Online Users
Guests:
308
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|