.gitignore

@@ -1,2 +1,2 @@
-SOURCES/nginx-1.16.1.tar.gz
+SOURCES/nginx-1.16.0.tar.gz
 SOURCES/poweredby.png

.nginx.metadata

@@ -1,2 +1,2 @@
-77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
+5e2fe78453ecc983247223d73ad2129509ef2564 SOURCES/nginx-1.16.0.tar.gz
 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png

SOURCES/nginx-1.16.0-enable-tls1v3-by-default.patch

@@ -1,5 +1,5 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 345914f..d23967f 100644
+index ab3865a..e6d8bb7 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
 @@ -252,6 +252,8 @@ ngx_ssl_init(ngx_log_t *log)
@@ -11,7 +11,7 @@ index 345914f..d23967f 100644
      ssl->ctx = SSL_CTX_new(SSLv23_method());
  
      if (ssl->ctx == NULL) {
-@@ -316,49 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+@@ -316,39 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
  
      SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
  
@@ -19,47 +19,22 @@ index 345914f..d23967f 100644
 -    /* only in 0.9.8m+ */
 -    SSL_CTX_clear_options(ssl->ctx,
 -                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
--#endif
--
--    if (!(protocols & NGX_SSL_SSLv2)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
--    }
--    if (!(protocols & NGX_SSL_SSLv3)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
--    }
--    if (!(protocols & NGX_SSL_TLSv1)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
--    }
--#ifdef SSL_OP_NO_TLSv1_1
--    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
--    if (!(protocols & NGX_SSL_TLSv1_1)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
--    }
 +    if (protocols){
 +#ifdef SSL_OP_NO_TLSv1_3
 +        if (protocols & NGX_SSL_TLSv1_3) {
 +            prot = TLS1_3_VERSION;
 +        } else
- #endif
- #ifdef SSL_OP_NO_TLSv1_2
--    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
--    if (!(protocols & NGX_SSL_TLSv1_2)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
--    }
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
 +        if (protocols & NGX_SSL_TLSv1_2) {
 +            prot =  TLS1_2_VERSION;
 +        } else
- #endif
--#ifdef SSL_OP_NO_TLSv1_3
--    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
--    if (!(protocols & NGX_SSL_TLSv1_3)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
--    }
++#endif
 +#ifdef SSL_OP_NO_TLSv1_1
 +        if (protocols & NGX_SSL_TLSv1_1) {
 +            prot = TLS1_1_VERSION;
 +        } else
- #endif
++#endif
 +        if (protocols & NGX_SSL_TLSv1) {
 +            prot = TLS1_VERSION;
 +        }
@@ -69,10 +44,7 @@ index 345914f..d23967f 100644
 +                      "No SSL protocols available [hint: ssl_protocols]");
 +            return NGX_ERROR;
 +        }
- 
--#ifdef SSL_CTX_set_min_proto_version
--    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
--    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
++
 +        SSL_CTX_set_max_proto_version(ssl->ctx, prot);
 +
 +        /* Now, we have to scan for minimal protocol version,
@@ -83,24 +55,43 @@ index 345914f..d23967f 100644
 +        }
  #endif
  
--#ifdef TLS1_3_VERSION
--    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
--    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
-+#ifdef SSL_OP_NO_TLSv1_1
+-    if (!(protocols & NGX_SSL_SSLv2)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
+-    }
+-    if (!(protocols & NGX_SSL_SSLv3)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
+-    }
+-    if (!(protocols & NGX_SSL_TLSv1)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
+-    }
+ #ifdef SSL_OP_NO_TLSv1_1
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-    if (!(protocols & NGX_SSL_TLSv1_1)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-    }
 +        if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
 +            prot = TLS1_1_VERSION;
 +        }
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+-    if (!(protocols & NGX_SSL_TLSv1_2)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+-    }
 +        if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
 +            prot = TLS1_VERSION;
 +        }
  #endif
+-#ifdef SSL_OP_NO_TLSv1_3
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+-    if (!(protocols & NGX_SSL_TLSv1_3)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 +        SSL_CTX_set_min_proto_version(ssl->ctx, prot);
-+    }
+     }
+-#endif
  
- #ifdef SSL_OP_NO_COMPRESSION
-     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
+ #ifdef SSL_CTX_set_min_proto_version
+     SSL_CTX_set_min_proto_version(ssl->ctx, 0);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
 index 61da0c5..fa7ac41 100644
 --- a/src/event/ngx_event_openssl.h

SPECS/nginx.spec

@@ -18,7 +18,7 @@
 
 Name:              nginx
 Epoch:             1
-Version:           1.16.1
+Version:           1.16.0
 Release:           1%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
@@ -461,19 +461,6 @@ fi
 
 
 %changelog
-* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
-- update to 1.16.1
-- Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount
-  of data request leads to denial of service
-- Resolves: #1745690 - CVE-2019-9513 nginx:1.16/nginx: HTTP/2: flood using
-  PRIORITY frames resulting in excessive resource consumption
-- Resolves: #1745645 - CVE-2019-9516 nginx:1.16/nginx: HTTP/2: 0-length
-  headers leads to denial of service
-
-* Wed Jun 26 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-2
-- Resolves: #1718929 - ssl_protocols config option has faulty behavior
-  in nginx:1.16
-
 * Mon May 06 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-1
 - new version 1.16.0
 - enable ngx_stream_ssl_preread module