diff --git a/README.md b/README.md index 890ba90..28d6107 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,9 @@ and recompilation is required. The tested versions: - wolfSSL 3.14 + - wolfSSL 3.13.0 (with patch applied: wolfssl-3.13.0-nginx.patch) + - Nginx 1.14.0 + - Nginx 1.13.12 - Nginx 1.13.8 - Nginx 1.13.2 - Nginx 1.13.0 diff --git a/nginx-1.13.12-wolfssl-debug.patch b/nginx-1.13.12-wolfssl-debug.patch new file mode 100644 index 0000000..e09cf91 --- /dev/null +++ b/nginx-1.13.12-wolfssl-debug.patch @@ -0,0 +1,16 @@ +diff -ur nginx-1.13.12-wolfssl/src/event/ngx_event_openssl.c nginx-1.13.12-wolfssl-debug/src/event/ngx_event_openssl.c +--- nginx-1.13.12-wolfssl/src/event/ngx_event_openssl.c 2018-04-18 09:38:23.587563895 +1000 ++++ nginx-1.13.12-wolfssl-debug/src/event/ngx_event_openssl.c 2018-04-18 09:39:21.071751127 +1000 +@@ -144,6 +144,11 @@ + + #endif + ++#ifdef WOLFSSL_NGINX ++ /* Turn on internal wolfssl debugging to stdout */ ++ wolfSSL_Debugging_ON(); ++#endif ++ + #if OPENSSL_VERSION_NUMBER >= 0x0090800fL + #ifndef SSL_OP_NO_COMPRESSION + { +Only in nginx-1.13.12-wolfssl-debug/src/event: ngx_event_openssl.c.orig diff --git a/nginx-1.13.12-wolfssl.patch b/nginx-1.13.12-wolfssl.patch new file mode 100644 index 0000000..a141a5e --- /dev/null +++ b/nginx-1.13.12-wolfssl.patch @@ -0,0 +1,240 @@ +diff -ur nginx-1.13.12/auto/lib/openssl/conf nginx-1.13.12-wolfssl/auto/lib/openssl/conf +--- nginx-1.13.12/auto/lib/openssl/conf 2018-04-11 00:11:10.000000000 +1000 ++++ nginx-1.13.12-wolfssl/auto/lib/openssl/conf 2018-04-18 09:38:23.583563883 +1000 +@@ -62,8 +62,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. ++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +Only in nginx-1.13.12-wolfssl/auto/lib/openssl: conf.orig +diff -ur nginx-1.13.12/auto/options nginx-1.13.12-wolfssl/auto/options +--- nginx-1.13.12/auto/options 2018-04-11 00:11:10.000000000 +1000 ++++ nginx-1.13.12-wolfssl/auto/options 2018-04-18 09:38:23.583563883 +1000 +@@ -145,6 +145,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -349,6 +350,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -569,6 +571,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +Only in nginx-1.13.12-wolfssl/auto: options.orig +diff -ur nginx-1.13.12/src/event/ngx_event_openssl.c nginx-1.13.12-wolfssl/src/event/ngx_event_openssl.c +--- nginx-1.13.12/src/event/ngx_event_openssl.c 2018-04-11 00:11:10.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/event/ngx_event_openssl.c 2018-04-18 09:38:23.587563895 +1000 +@@ -346,6 +346,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -654,6 +658,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +@@ -1091,7 +1103,8 @@ + * maximum interoperability. + */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -3061,7 +3074,8 @@ + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -3105,7 +3119,8 @@ + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff -ur nginx-1.13.12/src/event/ngx_event_openssl.h nginx-1.13.12-wolfssl/src/event/ngx_event_openssl.h +--- nginx-1.13.12/src/event/ngx_event_openssl.h 2018-04-11 00:11:10.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/event/ngx_event_openssl.h 2018-04-18 09:38:23.587563895 +1000 +@@ -12,6 +12,9 @@ + #include + #include + ++#ifdef WOLFSSL_NGINX ++#include ++#endif + #include + #include + #include +@@ -55,7 +58,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -154,6 +157,7 @@ + ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx-1.13.12/src/event/ngx_event_openssl_stapling.c nginx-1.13.12-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx-1.13.12/src/event/ngx_event_openssl_stapling.c 2018-04-11 00:11:10.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/event/ngx_event_openssl_stapling.c 2018-04-18 09:38:23.587563895 +1000 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx-1.13.12/src/http/modules/ngx_http_proxy_module.c nginx-1.13.12-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx-1.13.12/src/http/modules/ngx_http_proxy_module.c 2018-04-11 00:11:11.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/http/modules/ngx_http_proxy_module.c 2018-04-18 09:38:23.587563895 +1000 +@@ -4294,6 +4294,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +Only in nginx-1.13.12-wolfssl/src/http/modules: ngx_http_proxy_module.c.orig +diff -ur nginx-1.13.12/src/http/modules/ngx_http_ssl_module.c nginx-1.13.12-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx-1.13.12/src/http/modules/ngx_http_ssl_module.c 2018-04-11 00:11:11.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/http/modules/ngx_http_ssl_module.c 2018-04-18 09:38:23.587563895 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +diff -ur nginx-1.13.12/src/mail/ngx_mail_ssl_module.c nginx-1.13.12-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx-1.13.12/src/mail/ngx_mail_ssl_module.c 2018-04-11 00:11:11.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/mail/ngx_mail_ssl_module.c 2018-04-18 09:38:23.587563895 +1000 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur nginx-1.13.12/src/stream/ngx_stream_proxy_module.c nginx-1.13.12-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx-1.13.12/src/stream/ngx_stream_proxy_module.c 2018-04-11 00:11:11.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/stream/ngx_stream_proxy_module.c 2018-04-18 09:38:23.587563895 +1000 +@@ -2012,6 +2012,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +Only in nginx-1.13.12-wolfssl/src/stream: ngx_stream_proxy_module.c.orig +diff -ur nginx-1.13.12/src/stream/ngx_stream_ssl_module.c nginx-1.13.12-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx-1.13.12/src/stream/ngx_stream_ssl_module.c 2018-04-11 00:11:11.000000000 +1000 ++++ nginx-1.13.12-wolfssl/src/stream/ngx_stream_ssl_module.c 2018-04-18 09:38:23.587563895 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + diff --git a/nginx-1.14.0-wolfssl-debug.patch b/nginx-1.14.0-wolfssl-debug.patch new file mode 100644 index 0000000..8601940 --- /dev/null +++ b/nginx-1.14.0-wolfssl-debug.patch @@ -0,0 +1,15 @@ +diff -ur nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.c nginx-1.14.0-wolfssl-debug/src/event/ngx_event_openssl.c +--- nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.c 2018-04-18 09:39:51.839852896 +1000 ++++ nginx-1.14.0-wolfssl-debug/src/event/ngx_event_openssl.c 2018-04-18 09:40:09.807912796 +1000 +@@ -144,6 +144,11 @@ + + #endif + ++#ifdef WOLFSSL_NGINX ++ /* Turn on internal wolfssl debugging to stdout */ ++ wolfSSL_Debugging_ON(); ++#endif ++ + #if OPENSSL_VERSION_NUMBER >= 0x0090800fL + #ifndef SSL_OP_NO_COMPRESSION + { diff --git a/nginx-1.14.0-wolfssl.patch b/nginx-1.14.0-wolfssl.patch new file mode 100644 index 0000000..81a07fa --- /dev/null +++ b/nginx-1.14.0-wolfssl.patch @@ -0,0 +1,240 @@ +diff -ur nginx-1.14.0/auto/lib/openssl/conf nginx-1.14.0-wolfssl/auto/lib/openssl/conf +--- nginx-1.14.0/auto/lib/openssl/conf 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/auto/lib/openssl/conf 2018-04-18 09:39:51.839852896 +1000 +@@ -62,8 +62,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. ++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +Only in nginx-1.14.0-wolfssl/auto/lib/openssl: conf.orig +diff -ur nginx-1.14.0/auto/options nginx-1.14.0-wolfssl/auto/options +--- nginx-1.14.0/auto/options 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/auto/options 2018-04-18 09:39:51.839852896 +1000 +@@ -145,6 +145,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -349,6 +350,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -569,6 +571,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +Only in nginx-1.14.0-wolfssl/auto: options.orig +diff -ur nginx-1.14.0/src/event/ngx_event_openssl.c nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.c +--- nginx-1.14.0/src/event/ngx_event_openssl.c 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.c 2018-04-18 09:39:51.839852896 +1000 +@@ -346,6 +346,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -654,6 +658,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +@@ -1091,7 +1103,8 @@ + * maximum interoperability. + */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -3061,7 +3074,8 @@ + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -3105,7 +3119,8 @@ + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff -ur nginx-1.14.0/src/event/ngx_event_openssl.h nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.h +--- nginx-1.14.0/src/event/ngx_event_openssl.h 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.h 2018-04-18 09:39:51.839852896 +1000 +@@ -12,6 +12,9 @@ + #include + #include + ++#ifdef WOLFSSL_NGINX ++#include ++#endif + #include + #include + #include +@@ -55,7 +58,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -154,6 +157,7 @@ + ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx-1.14.0/src/event/ngx_event_openssl_stapling.c nginx-1.14.0-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx-1.14.0/src/event/ngx_event_openssl_stapling.c 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/event/ngx_event_openssl_stapling.c 2018-04-18 09:39:51.839852896 +1000 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx-1.14.0/src/http/modules/ngx_http_proxy_module.c nginx-1.14.0-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx-1.14.0/src/http/modules/ngx_http_proxy_module.c 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/http/modules/ngx_http_proxy_module.c 2018-04-18 09:39:51.839852896 +1000 +@@ -4294,6 +4294,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +Only in nginx-1.14.0-wolfssl/src/http/modules: ngx_http_proxy_module.c.orig +diff -ur nginx-1.14.0/src/http/modules/ngx_http_ssl_module.c nginx-1.14.0-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx-1.14.0/src/http/modules/ngx_http_ssl_module.c 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/http/modules/ngx_http_ssl_module.c 2018-04-18 09:39:51.839852896 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +diff -ur nginx-1.14.0/src/mail/ngx_mail_ssl_module.c nginx-1.14.0-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx-1.14.0/src/mail/ngx_mail_ssl_module.c 2018-04-18 01:22:36.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2018-04-18 09:39:51.839852896 +1000 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur nginx-1.14.0/src/stream/ngx_stream_proxy_module.c nginx-1.14.0-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx-1.14.0/src/stream/ngx_stream_proxy_module.c 2018-04-18 01:22:37.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/stream/ngx_stream_proxy_module.c 2018-04-18 09:39:51.843852910 +1000 +@@ -2012,6 +2012,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +Only in nginx-1.14.0-wolfssl/src/stream: ngx_stream_proxy_module.c.orig +diff -ur nginx-1.14.0/src/stream/ngx_stream_ssl_module.c nginx-1.14.0-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx-1.14.0/src/stream/ngx_stream_ssl_module.c 2018-04-18 01:22:37.000000000 +1000 ++++ nginx-1.14.0-wolfssl/src/stream/ngx_stream_ssl_module.c 2018-04-18 09:39:51.843852910 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + +