Welcome! Log In Create A New Profile

Advanced

[PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs

Maxim Dounin
July 24, 2023 07:12PM
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1687300195 -10800
# Wed Jun 21 01:29:55 2023 +0300
# Node ID b79ef48b91e45dba4bf850be6b2a2cc3b8834f5d
# Parent 904c99bede1770d92566b56939c5b6ec85f05b55
SSL: provided "nginx" appname when loading OpenSSL configs.

Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
configuration section first, and then falls back to the "openssl_conf"
default section if application-specific section is not found, by using
CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION). Therefore this
change is not expected to introduce any compatibility issues with existing
configurations. It does, however, makes it easier to configure specific
OpenSSL settings for nginx in system-wide OpenSSL configuration
(ticket #2449).

Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
true, and also explicitly excludes LibreSSL. This ensures that this interface
is not used with BoringSSL and LibreSSL, which do not provide additional
library initialization settings, notably the OPENSSL_INIT_set_config_appname()
call.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -140,13 +140,31 @@ int ngx_ssl_stapling_index;
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
-
- if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
+#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)
+
+ OPENSSL_INIT_SETTINGS *init;
+
+ init = OPENSSL_INIT_new();
+ if (init == NULL) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
+ return NGX_ERROR;
+ }
+
+#ifndef OPENSSL_NO_STDIO
+ if (OPENSSL_INIT_set_config_appname(init, "nginx") == 0) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0,
+ "OPENSSL_INIT_set_config_appname() failed");
+ return NGX_ERROR;
+ }
+#endif
+
+ if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
return NGX_ERROR;
}

+ OPENSSL_INIT_free(init);
+
/*
* OPENSSL_init_ssl() may leave errors in the error queue
* while returning success
@@ -156,7 +174,7 @@ ngx_ssl_init(ngx_log_t *log)

#else

- OPENSSL_config(NULL);
+ OPENSSL_config("nginx");

SSL_library_init();
SSL_load_error_strings();
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs

Maxim Dounin 302 July 24, 2023 07:12PM

[PATCH 2 of 2] SSL: avoid using OpenSSL config in build directory (ticket #2404)

Maxim Dounin 52 July 24, 2023 07:12PM

Re: [PATCH 2 of 2] SSL: avoid using OpenSSL config in build directory (ticket #2404)

Sergey Kandaurov 42 August 02, 2023 11:56AM

Re: [PATCH 2 of 2] SSL: avoid using OpenSSL config in build directory (ticket #2404)

Maxim Dounin 48 August 02, 2023 02:18PM

Re: [PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs

Sergey Kandaurov 49 August 02, 2023 11:56AM

Re: [PATCH 1 of 2] SSL: provided "nginx" appname when loading OpenSSL configs

Maxim Dounin 65 August 02, 2023 02:18PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

BMX
Guests: 274
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready