Re: Issue from forum: SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Mark Moseley
April 30, 2014 02:46AM
On Tue, Apr 29, 2014 at 4:36 PM, Lukas Tribus <luky-37@hotmail.com> wrote:

> Hi Mark,
>
>
> > I'm running into a lot of the same error as was reported in the forum
> > at:
> > http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html
> >
> >> SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
> > bad record mac
> >
> > I've got an nginx server doing front-end SSL, with the upstream also
> > over SSL and also nginx (fronting Apache). They're all running 1.5.13
> > (all Precise 64-bit), so I can goof with various options like
> > ssl_buffer_size. These are running SSL-enabled web sites for my
> > customers.
> >
> > I'm curious if there is any workaround for this besides patching
> > openssl, as mentioned a couple of weeks ago
> > in http://trac.nginx.org/nginx/ticket/215
>
>
> A patch was committed to openssl [1] and backported to the openssl-1.0.1
> stable branch [2], meaning that the next openssl release (1.0.1h) will
> contain the fix.
>
> You can:
> - cherry-pick the fix and apply it on 1.0.1g
> - use the 1.0.1 stable git branch
> - ask your openssl package maintainer to backport the fix (it's security
> relevant, see CVE-2010-5298 [3])
>
> The fix is already in OpenBSD [4], Debian and Ubuntu will probably ship the
> patch soon, also see [5] and [6].
>
>
Oh, cool, that's good news that it's upstream then. Getting the patch to
apply is a piece of cake. I was more worried about what would happen for
the next libssl update. Hopefully Ubuntu will pick that update up. Thanks!