# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1687300195 -10800
# Wed Jun 21 01:29:55 2023 +0300
# Node ID b79ef48b91e45dba4bf850be6b2a2cc3b8834f5d
# Parent 904c99bede1770d92566b56939c5b6ec85f05b55
SSL: provided "nginx" appname when loading OpenSSL configs.
Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
configuration section first, and then falls back to the "openssl_conf"
default section if application-specific section is not found, by using
CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION). Therefore this
change is not expected to introduce any compatibility issues with existing
configurations. It does, however, makes it easier to configure specific
OpenSSL settings for nginx in system-wide OpenSSL configuration
(ticket #2449).
Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
true, and also explicitly excludes LibreSSL. This ensures that this interface
is not used with BoringSSL and LibreSSL, which do not provide additional
library initialization settings, notably the OPENSSL_INIT_set_config_appname()
call.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -140,13 +140,31 @@ int ngx_ssl_stapling_index;
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
-
- if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
+#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)
+
+ OPENSSL_INIT_SETTINGS *init;
+
+ init = OPENSSL_INIT_new();
+ if (init == NULL) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
+ return NGX_ERROR;
+ }
+
+#ifndef OPENSSL_NO_STDIO
+ if (OPENSSL_INIT_set_config_appname(init, "nginx") == 0) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0,
+ "OPENSSL_INIT_set_config_appname() failed");
+ return NGX_ERROR;
+ }
+#endif
+
+ if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
return NGX_ERROR;
}
+ OPENSSL_INIT_free(init);
+
/*
* OPENSSL_init_ssl() may leave errors in the error queue
* while returning success
@@ -156,7 +174,7 @@ ngx_ssl_init(ngx_log_t *log)
#else
- OPENSSL_config(NULL);
+ OPENSSL_config("nginx");
SSL_library_init();
SSL_load_error_strings();
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel