Welcome! Log In Create A New Profile

[PATCH] Don't use SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround

Forum List Message List New Topic Print View

Maxim Dounin

December 03, 2010 09:44PM

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1291430303 -10800
# Node ID de5c7db8d43baaed219e56ce97728db47370fa3e
# Parent 0ba8b1344f121fae0b5d2002ffdf4327053ec1ff
Don't use SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround.

This used to be a workaround for old Netscape browsers and servers. As of
OpenSSL 0.9.8q and 1.0.0c, this option has no effect.

See CVE-2010-4180 and OpenSSL's advisory here:

http://www.openssl.org/news/secadv_20101202.txt

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -155,7 +155,6 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_

SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);

/* server side options */

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH] Don't use SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround	Maxim Dounin	3654	December 03, 2010 09:44PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 230

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018