Mercurial > hg > nginx
diff src/event/ngx_event_openssl.c @ 4400:a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1
(-beta1 was recently released). This change makes it possible to disable
these protocols and/or enable them without other protocols.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 11 Jan 2012 11:15:00 +0000 |
parents | 2ada2a26b24c |
children | d620f497c50f |
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c Wed Jan 11 11:09:05 2012 +0000 +++ b/src/event/ngx_event_openssl.c Wed Jan 11 11:15:00 2012 +0000 @@ -78,18 +78,6 @@ }; -static long ngx_ssl_protocols[] = { - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1, - SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, - SSL_OP_NO_SSLv3, - SSL_OP_NO_SSLv2, - 0, -}; - - int ngx_ssl_connection_index; int ngx_ssl_server_conf_index; int ngx_ssl_session_cache_index; @@ -171,9 +159,25 @@ SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); - if (ngx_ssl_protocols[protocols >> 1] != 0) { - SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); + if (!(protocols & NGX_SSL_SSLv2)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); + } + if (!(protocols & NGX_SSL_SSLv3)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); + } + if (!(protocols & NGX_SSL_TLSv1)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); } +#ifdef SSL_OP_NO_TLSv1_1 + if (!(protocols & NGX_SSL_TLSv1_1)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); + } +#endif +#ifdef SSL_OP_NO_TLSv1_2 + if (!(protocols & NGX_SSL_TLSv1_2)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); + } +#endif #ifdef SSL_OP_NO_COMPRESSION SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);