Problem:
An old web application supporting only SSLv2 can't connect to the
web service migrated behind SSL-offloading nginx.
Analysis:
nginx treats the connection as plain HTTP. Traffic analysis using
various client options shows that 0x80 isn't the only value that can
show up as the first byte of an SSL client hello.
Nginx code excerpt ( nginx-0.7.67, src/http/ngx_http_request.c:551 ):
    if (buf[0] == 0x80 /* SSLv2 */ || buf[0] == 0x16 /* SSLv3/TLSv1 */) {
               ^^
openssl code excerpt ( openssl-0.9.8k, as that version is installed on
the server side, ssl/s23_srvr.c:268 ):
    if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
              ^^
The difference in SSL detection logic is underlined.
Solution:
Fix SSLv2 detection. Patch attached.
--
Mirosław "Psyborg" Jaworski
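
The two checks quoted above, side by side, as an added example that is not part of the original post or of the nginx or OpenSSL sources. It assumes the standard SSLv2 two-byte record header, in which the low 7 bits of the first byte carry the high bits of the record length; the helper names and sample lengths are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define SSL2_MT_CLIENT_HELLO 1   /* value from OpenSSL's ssl2.h */

/* Check quoted from nginx-0.7.67: only an exact 0x80 first byte counts as SSLv2. */
static int nginx_0767_is_ssl(const unsigned char *buf, size_t n) {
    return n >= 1 && (buf[0] == 0x80 || buf[0] == 0x16);
}

/* Check quoted from openssl-0.9.8k: high bit set plus the message type byte. */
static int openssl_is_sslv2_hello(const unsigned char *p, size_t n) {
    return n >= 3 && (p[0] & 0x80) && p[2] == SSL2_MT_CLIENT_HELLO;
}

/* Build a constructed SSLv2 2-byte record header for a hello of `len` bytes. */
static void sslv2_hello_header(unsigned len, unsigned char out[3]) {
    out[0] = (unsigned char)(0x80 | ((len >> 8) & 0x7f));
    out[1] = (unsigned char)(len & 0xff);
    out[2] = SSL2_MT_CLIENT_HELLO;
}

/* Returns 1 when the nginx check rejects a record that the OpenSSL check accepts. */
static int misdetected(unsigned len) {
    unsigned char h[3];
    sslv2_hello_header(len, h);
    return openssl_is_sslv2_hello(h, 3) && !nginx_0767_is_ssl(h, 3);
}

int main(void) {
    unsigned lens[] = { 46, 255, 256, 300 };   /* constructed sample lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        unsigned char h[3];
        sslv2_hello_header(lens[i], h);
        printf("len=%3u first byte=0x%02x nginx=%d openssl=%d\n", lens[i], h[0],
               nginx_0767_is_ssl(h, 3), openssl_is_sslv2_hello(h, 3));
    }
    return 0;
}
```

Any client hello of 256 bytes or more has a first byte other than 0x80 under this header layout, so the equality test sends it down the plain HTTP path while the masked test still recognises it.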