Maxim Dounin
December 03, 2010 09:44PM
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1291430303 -10800
# Node ID de5c7db8d43baaed219e56ce97728db47370fa3e
# Parent 0ba8b1344f121fae0b5d2002ffdf4327053ec1ff
Don't use SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround.

This used to be a workaround for old Netscape browsers and servers. As of
OpenSSL 0.9.8q and 1.0.0c, this option has no effect.

See CVE-2010-4180 and OpenSSL's advisory here:

http://www.openssl.org/news/secadv_20101202.txt

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -155,7 +155,6 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_

SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);

/* server side options */
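
Review bot: the two workarounds left in place at the top of this hunk, SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG, carry no comment explaining why they stay while SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is dropped. A one-line comment at the removal point that references CVE-2010-4180 would keep the option from being re-added alongside the other legacy-client workarounds. The commit message says the option has no effect as of OpenSSL 0.9.8q and 1.0.0c. It would help to state there that the removal therefore matters for builds linked against older OpenSSL releases, where the option still takes effect.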


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel