1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
From 41243ec789c0c9d5b625c76abbc401333d876ee5 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 16 Jan 2019 08:38:53 +0100
Subject: [PATCH] prefer system crypto policy
---
src/nxt_openssl.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 99dd207..6d9df48 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -248,7 +248,7 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf)
{
SSL_CTX *ctx;
nxt_fd_t fd;
- const char *ciphers, *ca_certificate;
+ const char *ca_certificate;
STACK_OF(X509_NAME) *list;
ctx = SSL_CTX_new(SSLv23_server_method());
@@ -303,13 +303,13 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf)
goto fail;
}
*/
- ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5";
-
- if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
- nxt_openssl_log_error(task, NXT_LOG_ALERT,
+ if (conf->ciphers) { /* else use system crypto policy */
+ if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) {
+ nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_CTX_set_cipher_list(\"%s\") failed",
- ciphers);
- goto fail;
+ conf->ciphers);
+ goto fail;
+ }
}
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
