# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1291430303 -10800
# Node ID de5c7db8d43baaed219e56ce97728db47370fa3e
# Parent 0ba8b1344f121fae0b5d2002ffdf4327053ec1ff
Don't use SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround.
This used to be a workaround for old Netscape browsers and servers. As of
OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
See CVE-2010-4180 and OpenSSL's advisory here:
http://www.openssl.org/news/secadv_20101202.txt
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -155,7 +155,6 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
/* server side options */
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel