mirror of
https://github.com/nginx/nginx.git
synced 2024-12-24 08:00:14 -06:00
SSL: removed export ciphers support.
Export ciphers are forbidden to negotiate in TLS 1.1 and later protocol modes. They are disabled since OpenSSL 1.0.2g by default unless explicitly configured with "enable-weak-ssl-ciphers", and completely removed in OpenSSL 1.1.0.
This commit is contained in:
parent
5155845ce4
commit
9e4e7a4e42
@ -863,11 +863,6 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
}
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
|
||||
/* a temporary 512-bit RSA key is required for export versions of MSIE */
|
||||
SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
|
||||
#endif
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
@ -1120,32 +1115,6 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
|
||||
}
|
||||
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
|
||||
|
||||
RSA *
|
||||
ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
|
||||
int key_length)
|
||||
{
|
||||
static RSA *key;
|
||||
|
||||
if (key_length != 512) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_DEPRECATED
|
||||
|
||||
if (key == NULL) {
|
||||
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
return key;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
ngx_array_t *
|
||||
ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
|
||||
{
|
||||
|
@ -29,7 +29,6 @@
|
||||
#include <openssl/ocsp.h>
|
||||
#endif
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
@ -208,10 +207,6 @@ ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c);
|
||||
ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s);
|
||||
void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
|
||||
ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data);
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
|
||||
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
|
||||
int key_length);
|
||||
#endif
|
||||
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
|
||||
ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
|
||||
ngx_array_t *passwords);
|
||||
|
Loading…
Reference in New Issue
Block a user