summaryrefslogtreecommitdiffstats
path: root/unit-syspol.patch
diff options
context:
space:
mode:
Diffstat (limited to 'unit-syspol.patch')
-rw-r--r--unit-syspol.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/unit-syspol.patch b/unit-syspol.patch
new file mode 100644
index 0000000..cff3889
--- /dev/null
+++ b/unit-syspol.patch
@@ -0,0 +1,32 @@
+diff -up ./src/nxt_openssl.c.syspol ./src/nxt_openssl.c
+--- ./src/nxt_openssl.c.syspol 2021-03-25 15:15:30.000000000 +0100
++++ ./src/nxt_openssl.c 2021-03-26 07:46:53.897688835 +0100
+@@ -261,7 +261,7 @@ nxt_openssl_server_init(nxt_task_t *task
+ nxt_mp_t *mp, nxt_bool_t last)
+ {
+ SSL_CTX *ctx;
+- const char *ciphers, *ca_certificate;
++ const char *ca_certificate;
+ STACK_OF(X509_NAME) *list;
+ nxt_tls_bundle_conf_t *bundle;
+
+@@ -318,13 +318,13 @@ nxt_openssl_server_init(nxt_task_t *task
+ goto fail;
+ }
+ */
+- ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5";
+-
+- if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
+- nxt_openssl_log_error(task, NXT_LOG_ALERT,
++ if (conf->ciphers) { /* else use system crypto policy */
++ if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) {
++ nxt_openssl_log_error(task, NXT_LOG_ALERT,
+ "SSL_CTX_set_cipher_list(\"%s\") failed",
+- ciphers);
+- goto fail;
++ conf->ciphers);
++ goto fail;
++ }
+ }
+
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);