Hello!

On Wed, Jun 15, 2016 at 10:44:13AM +0100, Tim Taubert wrote:

> # HG changeset patch
> # User Tim Taubert <[email protected]>
> # Date 1465983726 -3600
> # Wed Jun 15 10:42:06 2016 +0100
> # Node ID f42955a35ac0363553fd887ec88a93d51bac8c9e
> # Parent 1064ea81ed3aabb8ad422ffcc60ddcde667022ac
> SSL: ngx_ssl_ciphers() to set list of ciphers.
>
> This patch replaces all calls to SSL_CTX_set_cipher_list() with
> ngx_ssl_ciphers() to make nginx more crypto-library-agnostic.

[...]

> ngx_int_t > +ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers) > +{ > + if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) { > + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, > + "SSL_CTX_set_cipher_list(\"%V\") failed", > + ciphers); > + return NGX_ERROR; > + } > + > + if (cf->prefer_server_ciphers) { > + SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); > + }

This is not going to work, as ngx_conf_t does not have the prefer_server_ciphers in it:

src/event/ngx_event_openssl.c:604:13: error: no member named 'prefer_server_ciphers' in 'struct ngx_conf_s'
    if (cf->prefer_server_ciphers) {
        ~~  ^
1 error generated.

You have to pass the prefer_server_ciphers value as a function argument, much like "ciphers".

[...]

> @@ -725,20 +719,16 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * > { > return NGX_CONF_ERROR; > } > > if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { > return NGX_CONF_ERROR; > } > > - if (conf->prefer_server_ciphers) { > - SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); > - } > - > #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined > LIBRESSL_VERSION_NUMBER) > /* a temporary 512-bit RSA key is required for export versions of MSIE */ > SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); > #endif

And here is another candidate for the move to the function.

[...]

-- 
Maxim Dounin
http://nginx.org/
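
Review bot: In the added ngx_ssl_ciphers(), the test "if (cf->prefer_server_ciphers)" reads a field that ngx_conf_t does not have, as the build error quoted in the reply shows, so SSL_OP_CIPHER_SERVER_PREFERENCE can never be set through this path as written. Take the flag as an explicit parameter next to "ciphers" and have each caller pass its own module's prefer_server_ciphers setting. Separately, the "(char *) ciphers->data" cast hands SSL_CTX_set_cipher_list() a C string, while ngx_str_t only carries a length and a pointer; a comment on the function stating that the caller must supply a NUL-terminated cipher string would document that requirement.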
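
Review bot: In the ngx_http_ssl_merge_srv_conf() hunk, removing the "if (conf->prefer_server_ciphers)" block only preserves behaviour if the replacement ngx_ssl_ciphers() call receives conf->prefer_server_ciphers, and that call site is not in this hunk, so it needs checking together with the signature change. The context lines that remain directly below the removal, the version-guarded SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback) call, are still OpenSSL-specific cipher setup living in the http module, which works against the commit message's stated goal of being crypto-library-agnostic. Move that block, with its #if guard, into ngx_ssl_ciphers() in the same change.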
