Welcome! Log In Create A New Profile

[PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs

Forum List Message List New Topic Print View

Maxim Dounin

July 24, 2023 07:12PM

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1687300195 -10800
# Wed Jun 21 01:29:55 2023 +0300
# Node ID b79ef48b91e45dba4bf850be6b2a2cc3b8834f5d
# Parent 904c99bede1770d92566b56939c5b6ec85f05b55
SSL: provided "nginx" appname when loading OpenSSL configs.

Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
configuration section first, and then falls back to the "openssl_conf"
default section if application-specific section is not found, by using
CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION). Therefore this
change is not expected to introduce any compatibility issues with existing
configurations. It does, however, makes it easier to configure specific
OpenSSL settings for nginx in system-wide OpenSSL configuration
(ticket #2449).

Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
true, and also explicitly excludes LibreSSL. This ensures that this interface
is not used with BoringSSL and LibreSSL, which do not provide additional
library initialization settings, notably the OPENSSL_INIT_set_config_appname()
call.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -140,13 +140,31 @@ int ngx_ssl_stapling_index;
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
-
- if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
+#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)
+
+ OPENSSL_INIT_SETTINGS *init;
+
+ init = OPENSSL_INIT_new();
+ if (init == NULL) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
+ return NGX_ERROR;
+ }
+
+#ifndef OPENSSL_NO_STDIO
+ if (OPENSSL_INIT_set_config_appname(init, "nginx") == 0) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0,
+ "OPENSSL_INIT_set_config_appname() failed");
+ return NGX_ERROR;
+ }
+#endif
+
+ if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
return NGX_ERROR;
}

+ OPENSSL_INIT_free(init);
+
/*
* OPENSSL_init_ssl() may leave errors in the error queue
* while returning success
@@ -156,7 +174,7 @@ ngx_ssl_init(ngx_log_t *log)

#else

- OPENSSL_config(NULL);
+ OPENSSL_config("nginx");

SSL_library_init();
SSL_load_error_strings();
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs	Maxim Dounin	362	July 24, 2023 07:12PM
[PATCH 2 of 2] SSL: avoid using OpenSSL config in build directory (ticket #2404)	Maxim Dounin	84	July 24, 2023 07:12PM
Re: [PATCH 2 of 2] SSL: avoid using OpenSSL config in build directory (ticket #2404)	Sergey Kandaurov	68	August 02, 2023 11:56AM
Re: [PATCH 2 of 2] SSL: avoid using OpenSSL config in build directory (ticket #2404)	Maxim Dounin	76	August 02, 2023 02:18PM
Re: [PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs	Sergey Kandaurov	78	August 02, 2023 11:56AM
Re: [PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs	Maxim Dounin	93	August 02, 2023 02:18PM