From 41243ec789c0c9d5b625c76abbc401333d876ee5 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 16 Jan 2019 08:38:53 +0100
Subject: [PATCH] prefer system crypto policy

---
 src/nxt_openssl.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 99dd207..6d9df48 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -248,7 +248,7 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf)
 {
     SSL_CTX              *ctx;
     nxt_fd_t             fd;
-    const char           *ciphers, *ca_certificate;
+    const char           *ca_certificate;
     STACK_OF(X509_NAME)  *list;
 
     ctx = SSL_CTX_new(SSLv23_server_method());
@@ -303,13 +303,13 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf)
         goto fail;
     }
 */
-    ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5";
-
-    if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
-        nxt_openssl_log_error(task, NXT_LOG_ALERT,
+    if (conf->ciphers) { /* else use system crypto policy */
+        if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) {
+            nxt_openssl_log_error(task, NXT_LOG_ALERT,
                               "SSL_CTX_set_cipher_list(\"%s\") failed",
-                              ciphers);
-        goto fail;
+                              conf->ciphers);
+            goto fail;
+        }
     }
 
     SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
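Review bot: With `conf->ciphers` unset, the new `if (conf->ciphers)` branch leaves the context on whatever default cipher list the linked libssl was built with, so the previous `HIGH:!aNULL:!MD5` floor no longer applies. That is the intended result on a distribution whose OpenSSL ties its default to the system crypto policy, but on a stock OpenSSL build the default list may be broader than the old string, and nothing in this hunk checks which case applies. Consider making the dependency explicit and fail-closed by keeping the `ciphers` local and using `ciphers = (conf->ciphers != NULL) ? conf->ciphers : "PROFILE=SYSTEM";`, which policy-aware distribution builds accept and, as far as I know, stock builds reject, so an unsupported libssl would reach the existing `goto fail` path instead of silently starting with a different list. At minimum, expand the comment to say so, e.g. `/* no list configured: keep libssl's default, which the distribution maps to the system crypto policy */`. The unchanged continuation line `"SSL_CTX_set_cipher_list(\"%s\") failed",` is also no longer aligned with the re-indented call; the body of nxt_openssl_server_init starts and continues outside this hunk.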