authorMaxim Dounin <mdounin@mdounin.ru>2023-06-21 01:29:53 +0300
committerMaxim Dounin <mdounin@mdounin.ru>2023-06-21 01:29:53 +0300
commitbdea5b703ff6f6fcf98ac8dd4e1e9e5c9ad05017 (patch)
tree515228b2a359e1a1698654df9e72839864688487
parent2038b46e25b74c16b36ce27f4c8064f2ab2af5a9 (diff)
downloadnginx-bdea5b703ff6f6fcf98ac8dd4e1e9e5c9ad05017.tar.gz
nginx-bdea5b703ff6f6fcf98ac8dd4e1e9e5c9ad05017.zip
SSL: avoid using OpenSSL config in build directory (ticket #2404).
With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx is asked to build OpenSSL itself. And with this macro automatic loading of OpenSSL configuration (from the build directory) is prevented unless the OPENSSL_CONF environment variable is explicitly set. Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a (fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350). If nginx is used to compile these OpenSSL versions, configuring nginx with NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround.
-rw-r--r--auto/lib/openssl/conf2
-rw-r--r--src/event/ngx_event_openssl.c21
2 files changed, 22 insertions, 1 deletions
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
index cfa74cf81..eda1c0f4a 100644
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -8,6 +8,8 @@ if [ $OPENSSL != NONE ]; then
have=NGX_OPENSSL . auto/have
have=NGX_SSL . auto/have
+ have=NGX_OPENSSL_NO_CONFIG . auto/have
+
if [ $USE_OPENSSL_QUIC = YES ]; then
have=NGX_QUIC . auto/have
have=NGX_QUIC_OPENSSL_COMPAT . auto/have
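Review bot: The new `have=NGX_OPENSSL_NO_CONFIG . auto/have` line carries no comment, so a reader of auto/lib/openssl/conf cannot tell why the macro is tied to the `$OPENSSL != NONE` branch or that it is meant to be overridable, and the rationale otherwise lives only in the commit message. I would add above it: `# nginx builds OpenSSL itself: do not auto-load openssl.cnf from the build tree unless OPENSSL_CONF is set (ticket #2404)` followed by `# defining NGX_OPENSSL_NO_CONFIG=0 explicitly restores config loading (needed for OpenSSL 1.1.1/1.1.1a, see openssl/openssl#7350)`. The explicit-0 override presumably relies on auto/have emitting a guarded definition rather than an unconditional one; that file is not in this hunk, so confirm it before stating it in the comment. The enclosing `if [ $OPENSSL != NONE ]` block closes outside the hunk.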
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 32cdabf0b..8468101d1 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -142,8 +142,19 @@ ngx_ssl_init(ngx_log_t *log)
{
#if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER)
+ uint64_t opts;
OPENSSL_INIT_SETTINGS *init;
+ opts = OPENSSL_INIT_LOAD_CONFIG;
+
+#if (NGX_OPENSSL_NO_CONFIG)
+
+ if (getenv("OPENSSL_CONF") == NULL) {
+ opts = OPENSSL_INIT_NO_LOAD_CONFIG;
+ }
+
+#endif
+
init = OPENSSL_INIT_new();
if (init == NULL) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed");
@@ -158,7 +169,7 @@ ngx_ssl_init(ngx_log_t *log)
}
#endif
- if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) {
+ if (OPENSSL_init_ssl(opts, init) == 0) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
return NGX_ERROR;
}
@@ -174,6 +185,14 @@ ngx_ssl_init(ngx_log_t *log)
#else
+#if (NGX_OPENSSL_NO_CONFIG)
+
+ if (getenv("OPENSSL_CONF") == NULL) {
+ OPENSSL_no_config();
+ }
+
+#endif
+
OPENSSL_config("nginx");
SSL_library_init();