Hi Sergey,

Are you also looking to have a fix for the POODLE vulnerability?

Thanks,
Jagannath

From: Sergey Kandaurov <pluk...@nginx.com>
Reply-To: "nginx-devel@nginx.org" <nginx-devel@nginx.org>
Date: Wednesday, October 29, 2014 at 11:39 PM
To: "nginx-devel@nginx.org" <nginx-devel@nginx.org>
Subject: Re: [PATCH] SSL: make ssl_password_file work with recent OpenSSL releases

On Oct 28, 2014, at 12:38 AM, Piotr Sikora <pi...@cloudflare.com> wrote:

> Also, I think that PKCS#12 support should be added in a separate commit, instead of mixing it with semi-related fix.

How so? It is not about adding error handling support for yet another format, because it was already there but was broken for the same reason after 1.0.1j.

Below is an updated patch with fixed header inclusion I’d like to commit.

# HG changeset patch
# User Piotr Sikora <pi...@cloudflare.com>
# Date 1414150080 25200
# Fri Oct 24 04:28:00 2014 -0700
# Node ID 8316cb9139f5f5b0fb39969006d68708f22f312d
# Parent 973fded4f461f3a397779b3a1dc80881b1b34974
SSL: make ssl_password_file work with recent OpenSSL releases.

Multiple passwords in a single ssl_password_file feature was broken after recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.

Signed-off-by: Piotr Sikora <pi...@cloudflare.com>

diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Oct 15 22:57:23 2014 +0400
+++ b/src/event/ngx_event_openssl.c Fri Oct 24 04:28:00 2014 -0700
@@ -410,8 +410,12 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
 if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
 && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
 #else
- if (ERR_GET_LIB(n) == ERR_LIB_EVP
- && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+ if ((ERR_GET_LIB(n) == ERR_LIB_PEM
+ && ERR_GET_REASON(n) == PEM_R_BAD_DECRYPT)
+ || (ERR_GET_LIB(n) == ERR_LIB_EVP
+ && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+ || (ERR_GET_LIB(n) == ERR_LIB_PKCS12
+ && ERR_GET_REASON(n) == PKCS12_R_PKCS12_CIPHERFINAL_ERROR))
 #endif
 {
 ERR_clear_error();
diff -r 973fded4f461 -r 8316cb9139f5 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Oct 15 22:57:23 2014 +0400
+++ b/src/event/ngx_event_openssl.h Fri Oct 24 04:28:00 2014 -0700
@@ -25,6 +25,9 @@
 #ifndef OPENSSL_NO_OCSP
 #include <openssl/ocsp.h>
 #endif
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/pkcs12.h>
+#endif
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>

-- 
Sergey Kandaurov

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
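Review bot: the three (lib, reason) pairs in the new #else arm of the ngx_ssl_certificate hunk carry no comment saying which OpenSSL release produces which code, so a later cleanup could easily read the ERR_LIB_PEM/PEM_R_BAD_DECRYPT and ERR_LIB_EVP/EVP_R_BAD_DECRYPT checks as duplicates and drop one, silently breaking the multi-password retry again on one side of the 4aac102f change; a one-line comment above the `if` naming the split (EVP_R_BAD_DECRYPT before that commit, PEM_R_BAD_DECRYPT from 0.9.8zc/1.0.0o/1.0.1j/1.0.2-beta3 on, PKCS12_R_PKCS12_CIPHERFINAL_ERROR for PKCS#12 keys, per the commit message and the reply above) would document why all three stay. Keeping each reason check paired with its ERR_GET_LIB, as the hunk does, also matters: reason numbers are only unique within a library, so an unpaired reason check would match unrelated errors and clear them.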
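Review bot: in the ngx_event_openssl.h hunk the include is guarded with #ifndef OPENSSL_IS_BORINGSSL, but the .c hunk uses PKCS12_R_PKCS12_CIPHERFINAL_ERROR in the #else arm of a preprocessor conditional whose #if line is outside the hunk; unless that #if is the matching BoringSSL test (the ERR_LIB_CIPHER/CIPHER_R_BAD_DECRYPT arm suggests it is), a BoringSSL build would fail on an undeclared identifier. Worth stating in the commit message or a comment next to the guard why the header is skipped for BoringSSL (presumably it does not provide openssl/pkcs12.h), so the two guards are understood to depend on each other.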