[nginx] SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.

Maxim Dounin
November 16, 2021 09:54AM
details: https://hg.nginx.org/nginx/rev/ddfad46492b5
branches: stable-1.20
changeset: 7962:ddfad46492b5
user: Sergey Kandaurov <pluknet@nginx.com>
date: Tue Aug 10 23:43:16 2021 +0300
description:
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.

Using PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() is deprecated
as part of deprecating the low level DH functions in favor of EVP_PKEY:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=163f6dc

diffstat:

src/event/ngx_event_openssl.c | 32 +++++++++++++++++++++++++++++++-
1 files changed, 31 insertions(+), 1 deletions(-)

diffs (56 lines):

diff -r c7c6a87c068d -r ddfad46492b5 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Aug 10 23:43:16 2021 +0300
+++ b/src/event/ngx_event_openssl.c Tue Aug 10 23:43:16 2021 +0300
@@ -1354,7 +1354,6 @@ ngx_ssl_passwords_cleanup(void *data)
ngx_int_t
ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
{
- DH *dh;
BIO *bio;

if (file->len == 0) {
@@ -1372,6 +1371,10 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
return NGX_ERROR;
}

+#ifdef SSL_CTX_set_tmp_dh
+ {
+ DH *dh;
+
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
if (dh == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
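Review bot: the `#ifdef SSL_CTX_set_tmp_dh` selector at the top of this hunk needs a comment explaining why a preprocessor test on that name picks the correct branch. The commit message says PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() are deprecated, not removed, so an OpenSSL 3.0 build that still exposes SSL_CTX_set_tmp_dh as a macro compiles the legacy DH path and never reaches the new EVP_PKEY code; either use an explicit OPENSSL_VERSION_NUMBER test or state in a comment which builds take which branch.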
@@ -1389,6 +1392,33 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
}

DH_free(dh);
+ }
+#else
+ {
+ EVP_PKEY *dh;
+
+ /*
+ * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh()
+ * are deprecated in OpenSSL 3.0
+ */
+
+ dh = PEM_read_bio_Parameters(bio, NULL);
+ if (dh == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "PEM_read_bio_Parameters(\"%s\") failed", file->data);
+ BIO_free(bio);
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data);
+ BIO_free(bio);
+ return NGX_ERROR;
+ }
+ }
+#endif
+
BIO_free(bio);

return NGX_OK;
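Review bot: the format string in the SSL_CTX_set0_tmp_dh_pkey() error path, `"SSL_CTX_set0_tmp_dh_pkey(\%s\") failed"`, is missing the opening `\"` before `%s`; `\%` is not a valid C escape and the logged message would carry an unbalanced quote. It should mirror the PEM_read_bio_Parameters() message a few lines above: `"SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed"`. In the same failure branch the function returns after BIO_free(bio) without releasing `dh`: the legacy path in the preceding context calls DH_free(dh) once the parameters have been handed to the context, whereas the set0 naming means ownership only transfers on success, so confirm whether an EVP_PKEY_free(dh) belongs before the return.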
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel