From 8581de7dc1af6d6443642f67c0fcc2846467021c Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sat, 18 Oct 2014 19:48:07 -0400
Subject: [PATCH] Allow specifying ssl_protocols as a blacklist (ticket #642).
This allows the administrator to specify a minimum SSL/TLS version
without also specifying a maximum. For example, instead of
ssl_protocols TLSv1.0 TLSv1.1 TLSv1.2;
one can now write
ssl_protocols all -SSLv2 -SSLv3;
which will not need to be updated when future versions of TLS become
supported.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
src/event/ngx_event_openssl.c | 10 +++++-----
src/event/ngx_event_openssl.h | 7 +++++++
src/http/modules/ngx_http_proxy_module.c | 6 ++++++
src/http/modules/ngx_http_ssl_module.c | 6 ++++++
src/http/modules/ngx_http_uwsgi_module.c | 6 ++++++
src/mail/ngx_mail_ssl_module.c | 6 ++++++
6 files changed, 36 insertions(+), 5 deletions(-)
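diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 975a8e0..dc21850 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -249,22 +249,22 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
 
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
-if (!(protocols & NGX_SSL_SSLv2)) {
+if (!(protocols & NGX_SSL_SSLv2) || (protocols & NGX_SSL_NO_SSLv2)) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
 }
-if (!(protocols & NGX_SSL_SSLv3)) {
+if (!(protocols & NGX_SSL_SSLv3) || (protocols & NGX_SSL_NO_SSLv3)) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
 }
-if (!(protocols & NGX_SSL_TLSv1)) {
+if (!(protocols & NGX_SSL_TLSv1) || (protocols & NGX_SSL_NO_TLSv1)) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
 }
 #ifdef SSL_OP_NO_TLSv1_1
-if (!(protocols & NGX_SSL_TLSv1_1)) {
+if (!(protocols & NGX_SSL_TLSv1_1) || (protocols & NGX_SSL_NO_TLSv1_1)) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
 }
 #endif
 #ifdef SSL_OP_NO_TLSv1_2
-if (!(protocols & NGX_SSL_TLSv1_2)) {
+if (!(protocols & NGX_SSL_TLSv1_2) || (protocols & NGX_SSL_NO_TLSv1_2)) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 }
 #endif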
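Review bot: Nothing in the new conditions on lines 252–267 guards against a mask whose NGX_SSL_NO_* bits cancel every positive bit, e.g. `ssl_protocols -SSLv3;` written without `all`, or `TLSv1.2 -TLSv1.2`; every SSL_OP_NO_* option is then set and the context can complete no handshake at all, a failure that surfaces only at runtime rather than when the configuration is loaded. Whether the shared bitmask parser rejects a directive with no positive bits is not visible here, so the check belongs where the directive is merged in the four modules (the hunks in ngx_http_ssl_module.c, ngx_http_proxy_module.c, ngx_http_uwsgi_module.c and ngx_mail_ssl_module.c only extend the lookup tables), with a defensive guard in this function as well. Folding the negated bits once, `protocols &= ~(protocols >> 16);` before the first check, lets the five conditions keep their original `if (!(protocols & NGX_SSL_SSLv2))` form and makes `if ((protocols & NGX_SSL_ALL) == 0)` a single place to log the misconfiguration and return NGX_ERROR. ngx_ssl_create begins and ends outside the hunk.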
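diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 4086940..b1a7ba0 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -113,6 +113,13 @@ typedef struct {
 #define NGX_SSL_TLSv1_1 0x0010
 #define NGX_SSL_TLSv1_2 0x0020
 
+#define NGX_SSL_ALL (NGX_SSL_SSLv2 | NGX_SSL_SSLv3 | NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2)
+
+#define NGX_SSL_NO_SSLv2 (NGX_SSL_SSLv2 << 16)
+#define NGX_SSL_NO_SSLv3 (NGX_SSL_SSLv3 << 16)
+#define NGX_SSL_NO_TLSv1 (NGX_SSL_TLSv1 << 16)
+#define NGX_SSL_NO_TLSv1_1 (NGX_SSL_TLSv1_1 << 16)
+#define NGX_SSL_NO_TLSv1_2 (NGX_SSL_TLSv1_2 << 16)
 
 #define NGX_SSL_BUFFER 1
 #define NGX_SSL_CLIENT 2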
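Review bot: `NGX_SSL_ALL` on line 116 is a hand-maintained list, so the very case the commit message motivates — a future protocol version — is silently left out of `all` if its NGX_SSL_* bit is added above but not here, and the administrator's `all -SSLv2 -SSLv3` then stops short of the newest version without any error. A comment on the definition should make the obligation explicit, e.g. `/* every protocol version bit; extend this when adding an NGX_SSL_* version bit, or "all" will not cover it */`. The NGX_SSL_NO_* encoding on lines 118–122 also depends on every version bit staying within the low 16 bits so that `<< 16` cannot land on another version bit; a one-line comment above line 118, `/* negated form of each version bit; version bits must stay below bit 16 */`, keeps that invariant visible to whoever adds the next one.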
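diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 9a85973..4f91590 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -203,6 +203,12 @@ static ngx_conf_bitmask_t ngx_http_proxy_ssl_protocols[] = {
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+{ ngx_string("all"), NGX_SSL_ALL },
+{ ngx_string("-SSLv2"), NGX_SSL_NO_SSLv2 },
+{ ngx_string("-SSLv3"), NGX_SSL_NO_SSLv3 },
+{ ngx_string("-TLSv1"), NGX_SSL_NO_TLSv1 },
+{ ngx_string("-TLSv1.1"), NGX_SSL_NO_TLSv1_1 },
+{ ngx_string("-TLSv1.2"), NGX_SSL_NO_TLSv1_2 },
 { ngx_null_string, 0 }
 };
 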
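Review bot: The six entries added at lines 206–211 are repeated verbatim in the ngx_http_ssl_module.c, ngx_http_uwsgi_module.c and ngx_mail_ssl_module.c hunks, so the next protocol version has to be added in five places (the four tables plus NGX_SSL_ALL) and a missed table leaves that one module unable to parse the new name while the others accept it. A single `ngx_conf_bitmask_t` table defined once beside the flag definitions in ngx_event_openssl.c and referenced by all four `ssl_protocols` directives would remove that drift; if consolidating is out of scope for this change, a comment at the top of each table, `/* keep in sync with the ssl_protocols tables of the other SSL modules and with NGX_SSL_ALL */`, is the minimum. This note applies to the three other module hunks as well; the table's opening line is outside the hunk.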
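diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 4c69091..9173049 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -57,6 +57,12 @@ static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+{ ngx_string("all"), NGX_SSL_ALL },
+{ ngx_string("-SSLv2"), NGX_SSL_NO_SSLv2 },
+{ ngx_string("-SSLv3"), NGX_SSL_NO_SSLv3 },
+{ ngx_string("-TLSv1"), NGX_SSL_NO_TLSv1 },
+{ ngx_string("-TLSv1.1"), NGX_SSL_NO_TLSv1_1 },
+{ ngx_string("-TLSv1.2"), NGX_SSL_NO_TLSv1_2 },
 { ngx_null_string, 0 }
 };
 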
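diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 151d76c..c47bc1d 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -108,6 +108,12 @@ static ngx_conf_bitmask_t ngx_http_uwsgi_ssl_protocols[] = {
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+{ ngx_string("all"), NGX_SSL_ALL },
+{ ngx_string("-SSLv2"), NGX_SSL_NO_SSLv2 },
+{ ngx_string("-SSLv3"), NGX_SSL_NO_SSLv3 },
+{ ngx_string("-TLSv1"), NGX_SSL_NO_TLSv1 },
+{ ngx_string("-TLSv1.1"), NGX_SSL_NO_TLSv1_1 },
+{ ngx_string("-TLSv1.2"), NGX_SSL_NO_TLSv1_2 },
 { ngx_null_string, 0 }
 };
 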
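diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index f864d99..125ad2a 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -42,6 +42,12 @@ static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = {
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+{ ngx_string("all"), NGX_SSL_ALL },
+{ ngx_string("-SSLv2"), NGX_SSL_NO_SSLv2 },
+{ ngx_string("-SSLv3"), NGX_SSL_NO_SSLv3 },
+{ ngx_string("-TLSv1"), NGX_SSL_NO_TLSv1 },
+{ ngx_string("-TLSv1.1"), NGX_SSL_NO_TLSv1_1 },
+{ ngx_string("-TLSv1.2"), NGX_SSL_NO_TLSv1_2 },
 { ngx_null_string, 0 }
 };
 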