Mercurial > hg > nginx
changeset 7900:509b663a789c
SSL: removed export ciphers support.
Export ciphers are forbidden to negotiate in TLS 1.1 and later protocol modes.
They are disabled since OpenSSL 1.0.2g by default unless explicitly configured
with "enable-weak-ssl-ciphers", and completely removed in OpenSSL 1.1.0.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 10 Aug 2021 23:43:17 +0300 |
parents | 1a03af395f44 |
children | dda421871bc2 |
files | src/event/ngx_event_openssl.c src/event/ngx_event_openssl.h |
diffstat | 2 files changed, 0 insertions(+), 36 deletions(-) [+] |
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c Tue Aug 10 23:43:17 2021 +0300 +++ b/src/event/ngx_event_openssl.c Tue Aug 10 23:43:17 2021 +0300 @@ -863,11 +863,6 @@ SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } -#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) - /* a temporary 512-bit RSA key is required for export versions of MSIE */ - SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback); -#endif - return NGX_OK; } @@ -1120,32 +1115,6 @@ } -#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) - -RSA * -ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, - int key_length) -{ - static RSA *key; - - if (key_length != 512) { - return NULL; - } - -#ifndef OPENSSL_NO_DEPRECATED - - if (key == NULL) { - key = RSA_generate_key(512, RSA_F4, NULL, NULL); - } - -#endif - - return key; -} - -#endif - - ngx_array_t * ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) {
--- a/src/event/ngx_event_openssl.h Tue Aug 10 23:43:17 2021 +0300 +++ b/src/event/ngx_event_openssl.h Tue Aug 10 23:43:17 2021 +0300 @@ -29,7 +29,6 @@ #include <openssl/ocsp.h> #endif #include <openssl/rand.h> -#include <openssl/rsa.h> #include <openssl/x509.h> #include <openssl/x509v3.h> @@ -208,10 +207,6 @@ ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s); void ngx_ssl_ocsp_cleanup(ngx_connection_t *c); ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data); -#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) -RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, - int key_length); -#endif ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords);