SSL: ciphers now set before loading certificates (ticket #2035).
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0. This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 65bd1e6..6842b7c 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4896,6 +4896,12 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = glcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (glcf->upstream.ssl_certificate) {
if (glcf->upstream.ssl_certificate_key == NULL) {
@@ -4927,12 +4933,6 @@
}
}
- if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (glcf->upstream.ssl_verify) {
if (glcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 368297e..0844627 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4944,6 +4944,12 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = plcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (plcf->upstream.ssl_certificate) {
if (plcf->upstream.ssl_certificate_key == NULL) {
@@ -4975,12 +4981,6 @@
}
}
- if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (plcf->upstream.ssl_verify) {
if (plcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index a47d696..1a744ff 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -797,6 +797,13 @@
ngx_http_ssl_npn_advertised, NULL);
#endif
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -829,13 +836,6 @@
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
conf->ssl.buffer_size = conf->buffer_size;
if (conf->verify) {
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 40a06c7..4f9c349 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2432,6 +2432,12 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = uwcf->upstream.ssl;
+ if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
if (uwcf->upstream.ssl_certificate) {
if (uwcf->upstream.ssl_certificate_key == NULL) {
@@ -2463,12 +2469,6 @@
}
}
- if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
if (uwcf->upstream.ssl_verify) {
if (uwcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 7eae83e..09cc425 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -394,6 +394,13 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
conf->certificate_keys, conf->passwords)
!= NGX_OK)
@@ -430,13 +437,6 @@
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 8c686ab..1275cf2 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -2185,6 +2185,10 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = pscf->ssl;
+ if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
if (pscf->ssl_certificate) {
if (pscf->ssl_certificate_key == NULL) {
@@ -2216,10 +2220,6 @@
}
}
- if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
- return NGX_ERROR;
- }
-
if (pscf->ssl_verify) {
if (pscf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index d8c0471..b735000 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -720,6 +720,13 @@
ngx_stream_ssl_servername);
#endif
+ if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
+ conf->prefer_server_ciphers)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -752,13 +759,6 @@
}
}
- if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
- conf->prefer_server_ciphers)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
-
if (conf->verify) {
if (conf->client_certificate.len == 0 && conf->verify != 3) {
