metalefty/nginx
1
0
Fork 0
forked from rpms/nginx
Code Pull Requests Activity

import nginx-1.16.1-1.module+el8.1.0+4097+739b0d87

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 16:39:11 -05:00 committed by Stepan Oksanichenko
parent 3de47908f3
commit c57a164c7c
4 changed files with 60 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/nginx-1.16.0.tar.gz
SOURCES/nginx-1.16.1.tar.gz
SOURCES/poweredby.png

2
.nginx.metadata
View File

@ -1,2 +1,2 @@
5e2fe78453ecc983247223d73ad2129509ef2564 SOURCES/nginx-1.16.0.tar.gz
77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png

79
SOURCES/nginx-1.16.0-enable-tls1v3-by-default.patch
View File

@ -1,5 +1,5 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index ab3865a..e6d8bb7 100644
index 345914f..d23967f 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -252,6 +252,8 @@ ngx_ssl_init(ngx_log_t *log)
@ -11,7 +11,7 @@ index ab3865a..e6d8bb7 100644
ssl->ctx = SSL_CTX_new(SSLv23_method());
if (ssl->ctx == NULL) {
@@ -316,39 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
@@ -316,49 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
@ -19,22 +19,47 @@ index ab3865a..e6d8bb7 100644
- /* only in 0.9.8m+ */
- SSL_CTX_clear_options(ssl->ctx,
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
-#endif
-
- if (!(protocols & NGX_SSL_SSLv2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
- }
- if (!(protocols & NGX_SSL_SSLv3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
- }
- if (!(protocols & NGX_SSL_TLSv1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
- }
-#ifdef SSL_OP_NO_TLSv1_1
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- if (!(protocols & NGX_SSL_TLSv1_1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- }
+ if (protocols){
+#ifdef SSL_OP_NO_TLSv1_3
+ if (protocols & NGX_SSL_TLSv1_3) {
+ prot = TLS1_3_VERSION;
+ } else
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
#endif
#ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- if (!(protocols & NGX_SSL_TLSv1_2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- }
+ if (protocols & NGX_SSL_TLSv1_2) {
+ prot = TLS1_2_VERSION;
+ } else
+#endif
#endif
-#ifdef SSL_OP_NO_TLSv1_3
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
- if (!(protocols & NGX_SSL_TLSv1_3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
- }
+#ifdef SSL_OP_NO_TLSv1_1
+ if (protocols & NGX_SSL_TLSv1_1) {
+ prot = TLS1_1_VERSION;
+ } else
+#endif
#endif
+ if (protocols & NGX_SSL_TLSv1) {
+ prot = TLS1_VERSION;
+ }
@ -44,7 +69,10 @@ index ab3865a..e6d8bb7 100644
+ "No SSL protocols available [hint: ssl_protocols]");
+ return NGX_ERROR;
+ }
+
-#ifdef SSL_CTX_set_min_proto_version
- SSL_CTX_set_min_proto_version(ssl->ctx, 0);
- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+ SSL_CTX_set_max_proto_version(ssl->ctx, prot);
+
+ /* Now, we have to scan for minimal protocol version,
@ -55,43 +83,24 @@ index ab3865a..e6d8bb7 100644
+ }
#endif
- if (!(protocols & NGX_SSL_SSLv2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
- }
- if (!(protocols & NGX_SSL_SSLv3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
- }
- if (!(protocols & NGX_SSL_TLSv1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
- }
#ifdef SSL_OP_NO_TLSv1_1
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- if (!(protocols & NGX_SSL_TLSv1_1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- }
-#ifdef TLS1_3_VERSION
- SSL_CTX_set_min_proto_version(ssl->ctx, 0);
- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
+#ifdef SSL_OP_NO_TLSv1_1
+ if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
+ prot = TLS1_1_VERSION;
+ }
#endif
#ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- if (!(protocols & NGX_SSL_TLSv1_2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
+ prot = TLS1_VERSION;
+ }
#endif
-#ifdef SSL_OP_NO_TLSv1_3
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
- if (!(protocols & NGX_SSL_TLSv1_3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+ SSL_CTX_set_min_proto_version(ssl->ctx, prot);
}
-#endif
+ }
#ifdef SSL_CTX_set_min_proto_version
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 61da0c5..fa7ac41 100644
--- a/src/event/ngx_event_openssl.h

15
SPECS/nginx.spec
View File

@ -18,7 +18,7 @@
Name: nginx
Epoch: 1
Version: 1.16.0
Version: 1.16.1
Release: 1%{?dist}
Summary: A high performance web server and reverse proxy server
@ -461,6 +461,19 @@ fi
%changelog
* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
- update to 1.16.1
- Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount
of data request leads to denial of service
- Resolves: #1745690 - CVE-2019-9513 nginx:1.16/nginx: HTTP/2: flood using
PRIORITY frames resulting in excessive resource consumption
- Resolves: #1745645 - CVE-2019-9516 nginx:1.16/nginx: HTTP/2: 0-length
headers leads to denial of service
* Wed Jun 26 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-2
- Resolves: #1718929 - ssl_protocols config option has faulty behavior
in nginx:1.16
* Mon May 06 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-1
- new version 1.16.0
- enable ngx_stream_ssl_preread module