[nginx] SSL: avoid using OpenSSL config in build directory (ticket #2404).

Sergey Kandaurov
August 07, 2023 06:54AM
details: https://hg.nginx.org/nginx/rev/0ba26c99b3a1
branches:
changeset: 9137:0ba26c99b3a1
user: Maxim Dounin <mdounin@mdounin.ru>
date: Wed Jun 21 01:29:53 2023 +0300
description:
SSL: avoid using OpenSSL config in build directory (ticket #2404).

With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx
is asked to build OpenSSL itself. And with this macro automatic loading
of OpenSSL configuration (from the build directory) is prevented unless
the OPENSSL_CONF environment variable is explicitly set.

Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a
(fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350).
If nginx is used to compile these OpenSSL versions, configuring nginx with
NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround.

diffstat:

auto/lib/openssl/conf | 2 ++
src/event/ngx_event_openssl.c | 21 ++++++++++++++++++++-
2 files changed, 22 insertions(+), 1 deletions(-)

diffs (59 lines):

diff -r 85abf534cead -r 0ba26c99b3a1 auto/lib/openssl/conf
--- a/auto/lib/openssl/conf Wed Jun 21 01:29:55 2023 +0300
+++ b/auto/lib/openssl/conf Wed Jun 21 01:29:53 2023 +0300
@@ -8,6 +8,8 @@ if [ $OPENSSL != NONE ]; then
have=NGX_OPENSSL . auto/have
have=NGX_SSL . auto/have

+ have=NGX_OPENSSL_NO_CONFIG . auto/have
+
if [ $USE_OPENSSL_QUIC = YES ]; then
have=NGX_QUIC . auto/have
have=NGX_QUIC_OPENSSL_COMPAT . auto/have
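Review bot: the added `have=NGX_OPENSSL_NO_CONFIG . auto/have` line defines the macro unconditionally whenever this file runs, i.e. whenever nginx builds the bundled OpenSSL, which matches the description; what the hunk does not show is how a user sets it "explicitly to 0" for the OpenSSL 1.1.1/1.1.1a workaround the commit message mentions. Suggest a short comment next to this line (or a sentence in the description) naming the intended override route, for example passing `-DNGX_OPENSSL_NO_CONFIG=0` through `--with-cc-opt`, so readers do not have to infer that the `auto/have` definition yields to a compiler-supplied value.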
diff -r 85abf534cead -r 0ba26c99b3a1 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Jun 21 01:29:55 2023 +0300
+++ b/src/event/ngx_event_openssl.c Wed Jun 21 01:29:53 2023 +0300
@@ -142,8 +142,19 @@ ngx_ssl_init(ngx_log_t *log)
{
#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)

+ uint64_t opts;
OPENSSL_INIT_SETTINGS *init;

+ opts = OPENSSL_INIT_LOAD_CONFIG;
+
+#if (NGX_OPENSSL_NO_CONFIG)
+
+ if (getenv("OPENSSL_CONF") == NULL) {
+ opts = OPENSSL_INIT_NO_LOAD_CONFIG;
+ }
+
+#endif
+
init = OPENSSL_INIT_new();
if (init == NULL) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
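Review bot: the `getenv("OPENSSL_CONF") == NULL` test under `#if (NGX_OPENSSL_NO_CONFIG)` treats an OPENSSL_CONF that is set but empty as "explicitly set", so `opts` stays `OPENSSL_INIT_LOAD_CONFIG` in that case; if that is intended, a one-line comment stating that any non-NULL OPENSSL_CONF re-enables config loading (with a pointer to ticket #2404) would save the next reader a trip to the commit log. It is also worth a comment that `#if (NGX_OPENSSL_NO_CONFIG)` is deliberately a value test rather than `#ifdef`, since the commit message relies on a build defining the macro to 0 to compile this block out.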
@@ -158,7 +169,7 @@ ngx_ssl_init(ngx_log_t *log)
}
#endif

- if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
+ if (OPENSSL_init_ssl(opts, init) == 0) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
return NGX_ERROR;
}
@@ -174,6 +185,14 @@ ngx_ssl_init(ngx_log_t *log)

#else

+#if (NGX_OPENSSL_NO_CONFIG)
+
+ if (getenv("OPENSSL_CONF") == NULL) {
+ OPENSSL_no_config();
+ }
+
+#endif
+
OPENSSL_config("nginx");

SSL_library_init();
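Review bot: in the legacy `#else` path the new `OPENSSL_no_config()` call sits directly before the unchanged `OPENSSL_config("nginx")`, so the change only works if `OPENSSL_config()` honours a preceding `OPENSSL_no_config()` rather than the call being skipped; a comment saying so would make the intent explicit. The `getenv("OPENSSL_CONF")` check here duplicates the one in the `OPENSSL_INIT_LOAD_CONFIG` branch above, so a note that the two conditions must stay in sync (or a shared helper) would help future maintenance.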
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel