diff options
author | Remi Collet <remi@remirepo.net> | 2019-01-16 08:38:53 +0100 |
---|---|---|
committer | Alejandro Colomar <alx@nginx.com> | 2022-10-20 16:25:15 +0200 |
commit | 93d24bb1144bebedb79bec8745c42aa0dc778aef (patch) | |
tree | 43eb1a25b8cf00d719ff33a67a784822088104b8 | |
parent | f93361979a9f612b59470640c3566f5cb66c3eaf (diff) | |
download | unit-93d24bb1144bebedb79bec8745c42aa0dc778aef.tar.gz unit-93d24bb1144bebedb79bec8745c42aa0dc778aef.tar.bz2 |
Preferring system crypto policy.
If we don't call SSL_CTX_set_cipher_list(), then it uses the
system's default.
Link: <https://fedoraproject.org/wiki/Changes/CryptoPolicy>
Link: <https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/>
Link: <https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8>
Signed-off-by: Remi Collet <remi@remirepo.net>
Acked-by: Andrei Belov <defan@nginx.com>
[ alx: add changelog and tweak commit message ]
Signed-off-by: Alejandro Colomar <alx@nginx.com>
Diffstat (limited to '')
-rw-r--r-- | docs/changes.xml | 6 | ||||
-rw-r--r-- | src/nxt_openssl.c | 14 |
2 files changed, 13 insertions, 7 deletions
diff --git a/docs/changes.xml b/docs/changes.xml index d1c71fdb..f4e3f65e 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -37,6 +37,12 @@ removed $uri auto-append for "share" when loading configuration. </para> </change> +<change type="change"> +<para> +prefer system crypto policy, instead of hardcoding a default. +</para> +</change> + <change type="feature"> <para> compatibility with PHP 8.2. diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c index e19b1381..32904660 100644 --- a/src/nxt_openssl.c +++ b/src/nxt_openssl.c @@ -295,7 +295,7 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp, nxt_tls_init_t *tls_init, nxt_bool_t last) { SSL_CTX *ctx; - const char *ciphers, *ca_certificate; + const char *ca_certificate; nxt_tls_conf_t *conf; STACK_OF(X509_NAME) *list; nxt_tls_bundle_conf_t *bundle; @@ -361,13 +361,13 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp, } */ - ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5"; - - if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { - nxt_openssl_log_error(task, NXT_LOG_ALERT, + if (conf->ciphers) { /* else use system crypto policy */ + if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) { + nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_set_cipher_list(\"%s\") failed", - ciphers); - goto fail; + conf->ciphers); + goto fail; + } } #if (NXT_HAVE_OPENSSL_CONF_CMD) |