[nginx] SSL: ciphers now set before loading certificates (ticket #2035).
|
Maxim Dounin
August 16, 2021 05:26PM
|
details: https://hg.nginx.org/nginx/rev/419c066cb710
branches:
changeset: 7904:419c066cb710
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Aug 16 22:40:31 2021 +0300
description:
SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
diffstat:
src/http/modules/ngx_http_grpc_module.c | 12 ++++++------
src/http/modules/ngx_http_proxy_module.c | 12 ++++++------
src/http/modules/ngx_http_ssl_module.c | 14 +++++++-------
src/http/modules/ngx_http_uwsgi_module.c | 12 ++++++------
src/mail/ngx_mail_ssl_module.c | 14 +++++++-------
src/stream/ngx_stream_proxy_module.c | 8 ++++----
src/stream/ngx_stream_ssl_module.c | 14 +++++++-------
7 files changed, 43 insertions(+), 43 deletions(-)
diffs (205 lines):
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_grpc_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -4896,6 +4896,12 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = glcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (glcf->upstream.ssl_certificate) {
if (glcf->upstream.ssl_certificate_key == NULL) {
@@ -4927,12 +4933,6 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
}
}
- if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (glcf->upstream.ssl_verify) {
if (glcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -4944,6 +4944,12 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = plcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (plcf->upstream.ssl_certificate) {
if (plcf->upstream.ssl_certificate_key == NULL) {
@@ -4975,12 +4981,6 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
}
}
- if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (plcf->upstream.ssl_verify) {
if (plcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -797,6 +797,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_http_ssl_npn_advertised, NULL);
#endif
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -829,13 +836,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
conf->ssl.buffer_size = conf->buffer_size;
if (conf->verify) {
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -2432,6 +2432,12 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = uwcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (uwcf->upstream.ssl_certificate) {
if (uwcf->upstream.ssl_certificate_key == NULL) {
@@ -2463,12 +2469,6 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
}
}
- if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (uwcf->upstream.ssl_verify) {
if (uwcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -394,6 +394,13 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
conf->certificate_keys, conf->passwords)
!= NGX_OK)
@@ -430,13 +437,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff -r f2ddd0c491bf -r 419c066cb710 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -2185,6 +2185,10 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = pscf->ssl;
+ if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
if (pscf->ssl_certificate) {
if (pscf->ssl_certificate_key == NULL) {
@@ -2216,10 +2220,6 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
}
}
- if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
- return NGX_ERROR;
- }
-
if (pscf->ssl_verify) {
if (pscf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -720,6 +720,13 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
ngx_stream_ssl_servername);
#endif
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -752,13 +759,6 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
if (conf->verify) {
if (conf->client_certificate.len == 0 && conf->verify != 3) {
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
branches:
changeset: 7904:419c066cb710
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Aug 16 22:40:31 2021 +0300
description:
SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
diffstat:
src/http/modules/ngx_http_grpc_module.c | 12 ++++++------
src/http/modules/ngx_http_proxy_module.c | 12 ++++++------
src/http/modules/ngx_http_ssl_module.c | 14 +++++++-------
src/http/modules/ngx_http_uwsgi_module.c | 12 ++++++------
src/mail/ngx_mail_ssl_module.c | 14 +++++++-------
src/stream/ngx_stream_proxy_module.c | 8 ++++----
src/stream/ngx_stream_ssl_module.c | 14 +++++++-------
7 files changed, 43 insertions(+), 43 deletions(-)
diffs (205 lines):
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_grpc_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -4896,6 +4896,12 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = glcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (glcf->upstream.ssl_certificate) {
if (glcf->upstream.ssl_certificate_key == NULL) {
@@ -4927,12 +4933,6 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
}
}
- if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (glcf->upstream.ssl_verify) {
if (glcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -4944,6 +4944,12 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = plcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (plcf->upstream.ssl_certificate) {
if (plcf->upstream.ssl_certificate_key == NULL) {
@@ -4975,12 +4981,6 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
}
}
- if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (plcf->upstream.ssl_verify) {
if (plcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -797,6 +797,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_http_ssl_npn_advertised, NULL);
#endif
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -829,13 +836,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
conf->ssl.buffer_size = conf->buffer_size;
if (conf->verify) {
diff -r f2ddd0c491bf -r 419c066cb710 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -2432,6 +2432,12 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = uwcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (uwcf->upstream.ssl_certificate) {
if (uwcf->upstream.ssl_certificate_key == NULL) {
@@ -2463,12 +2469,6 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
}
}
- if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (uwcf->upstream.ssl_verify) {
if (uwcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -394,6 +394,13 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
conf->certificate_keys, conf->passwords)
!= NGX_OK)
@@ -430,13 +437,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff -r f2ddd0c491bf -r 419c066cb710 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -2185,6 +2185,10 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = pscf->ssl;
+ if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
if (pscf->ssl_certificate) {
if (pscf->ssl_certificate_key == NULL) {
@@ -2216,10 +2220,6 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
}
}
- if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
- return NGX_ERROR;
- }
-
if (pscf->ssl_verify) {
if (pscf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff -r f2ddd0c491bf -r 419c066cb710 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Mon Aug 16 16:36:08 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Mon Aug 16 22:40:31 2021 +0300
@@ -720,6 +720,13 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
ngx_stream_ssl_servername);
#endif
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -752,13 +759,6 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
if (conf->verify) {
if (conf->client_certificate.len == 0 && conf->verify != 3) {
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
| Subject | Author | Views | Posted |
|---|---|---|---|
|
Maxim Dounin | 407 | August 16, 2021 05:26PM |
Sorry, you do not have permission to post/reply in this forum.
Online Users
Guests:
276
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|