authorRemi Collet <remi@remirepo.net>2019-01-16 08:38:53 +0100
committerAlejandro Colomar <alx@nginx.com>2022-10-20 16:25:15 +0200
commit93d24bb1144bebedb79bec8745c42aa0dc778aef (patch)
tree43eb1a25b8cf00d719ff33a67a784822088104b8
parentf93361979a9f612b59470640c3566f5cb66c3eaf (diff)
Preferring system crypto policy.
If we don't call SSL_CTX_set_cipher_list(), then it uses the system's default. Link: <https://fedoraproject.org/wiki/Changes/CryptoPolicy> Link: <https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/> Link: <https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8> Signed-off-by: Remi Collet <remi@remirepo.net> Acked-by: Andrei Belov <defan@nginx.com> [ alx: add changelog and tweak commit message ] Signed-off-by: Alejandro Colomar <alx@nginx.com>
Diffstat (limited to '')
-rw-r--r--docs/changes.xml6
-rw-r--r--src/nxt_openssl.c14
2 files changed, 13 insertions, 7 deletions
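--- a/docs/changes.xml
+++ b/docs/changes.xml
@@ -37,6 +37,12 @@ removed $uri auto-append for "share" when loading configuration.
 </para>
 </change>
+<change type="change">
+<para>
+prefer system crypto policy, instead of hardcoding a default.
+</para>
+</change>
+
 <change type="feature">
 <para>
 compatibility with PHP 8.2.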
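--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -295,7 +295,7 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
 nxt_tls_init_t *tls_init, nxt_bool_t last)
 {
 SSL_CTX *ctx;
-const char *ciphers, *ca_certificate;
+const char *ca_certificate;
 nxt_tls_conf_t *conf;
 STACK_OF(X509_NAME) *list;
 nxt_tls_bundle_conf_t *bundle;
@@ -361,13 +361,13 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
 }
 */
-ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5";
-
-if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
-nxt_openssl_log_error(task, NXT_LOG_ALERT,
+if (conf->ciphers) { /* else use system crypto policy */
+if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) {
+nxt_openssl_log_error(task, NXT_LOG_ALERT,
 "SSL_CTX_set_cipher_list(\"%s\") failed",
-ciphers);
-goto fail;
+conf->ciphers);
+goto fail;
+}
 }
 #if (NXT_HAVE_OPENSSL_CONF_CMD)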
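Review bot: The fallback when `conf->ciphers` is unset now depends on how the linked OpenSSL was built: the system crypto policy applies only on distributions whose OpenSSL is configured to default to it (the Fedora/RHEL links in the description), while a stock build falls back to OpenSSL's compiled-in default cipher list, which is not necessarily as restrictive as the removed `"HIGH:!aNULL:!MD5"`. The comment on the new `if` should make that explicit, e.g. `/* else: OpenSSL's default list, i.e. the system crypto policy where the library honours one */`, so operators on other platforms know to set `ciphers` themselves. It would also help to log at debug level which of the two paths was taken, so the cipher policy actually in force is visible when reviewing a listener's configuration. As a point of style, the removed line spelled the null check as `conf->ciphers != NULL`; `if (conf->ciphers != NULL) {` would keep the new code consistent with that convention. nxt_openssl_server_init continues outside the hunk.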