Nginx/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-11-21 16:28:40 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SSL: removed export ciphers support.

Browse Source 
Export ciphers are forbidden to negotiate in TLS 1.1 and later protocol modes.
They are disabled since OpenSSL 1.0.2g by default unless explicitly configured
with "enable-weak-ssl-ciphers", and completely removed in OpenSSL 1.1.0.
This commit is contained in:
Sergey Kandaurov 2021-08-10 23:43:17 +03:00
parent 5155845ce4
commit 9e4e7a4e42
2 changed files with 0 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/event/ngx_event_openssl.c
View File

@ -863,11 +863,6 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
/* a temporary 512-bit RSA key is required for export versions of MSIE */
SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
#endif
return NGX_OK;
}
@ -1120,32 +1115,6 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
}
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
RSA *
ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
int key_length)
{
static RSA *key;
if (key_length != 512) {
return NULL;
}
#ifndef OPENSSL_NO_DEPRECATED
if (key == NULL) {
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
}
#endif
return key;
}
#endif
ngx_array_t *
ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
{

5
src/event/ngx_event_openssl.h
View File

@ -29,7 +29,6 @@
#include <openssl/ocsp.h>
#endif
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@ -208,10 +207,6 @@ ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c);
ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s);
void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data);
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
int key_length);
#endif
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
ngx_array_t *passwords);