[PATCH] SSL: guard use of all SSL options for bug workarounds

Piotr Sikora
September 03, 2014 05:54PM
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1409780995 25200
# Wed Sep 03 14:49:55 2014 -0700
# Node ID 9c59138cd7030a88a761856f849c581924ca1a3b
# Parent 3f5f0ab59b359064db16e1aa52dfca335720dff6
SSL: guard use of all SSL options for bug workarounds.

Some of the OpenSSL forks (read: BoringSSL) started removing unused,
no longer necessary and/or not really working bug workarounds along
with the SSL options and defines for them.

Instead of fixing nginx build after each removal, be proactive
and guard use of all SSL options for bug workarounds.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diff -r 3f5f0ab59b35 -r 9c59138cd703 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Sep 01 18:20:18 2014 +0400
+++ b/src/event/ngx_event_openssl.c Wed Sep 03 14:49:55 2014 -0700
@@ -206,13 +206,23 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_

/* client side options */

+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
+#endif

/* server side options */

+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
+#endif
+
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
+#endif

#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
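Review bot: the new guards in this hunk carry no explanation, whereas the adjacent SSL_OP_MSIE_SSLV2_RSA_PADDING block (the one at the end of the context) documents why that option matters ("this option allow a potential SSL 2.0 rollback (CAN-2005-2969)"). A one-line comment above the first client-side guard, stating that a missing define means the workaround no longer exists in the linked library and is intentionally skipped (the rationale in the commit message), would stop a future reader from assuming these blocks are optional features that can be removed freely. The guards themselves are correct: each SSL_CTX_set_options call ORs one independent bit, so wrapping them individually in #ifdef does not change behaviour when the macro is present and simply drops the call when it is not.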
@@ -223,10 +233,17 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
#endif

+#ifdef SSL_OP_TLS_D5_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
+#endif
+
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
-
+#endif
+
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+#endif

SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
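Review bot: SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not a peer-bug workaround like the other options in this hunk; it disables a countermeasure in the local TLS stack for CBC ciphersuites in SSL 3.0 / TLS 1.0, so it deserves a comment of the same kind as the CAN-2005-2969 note on SSL_OP_MSIE_SSLV2_RSA_PADDING earlier in the file, recording the trade-off rather than leaving it to look like just another compatibility flag. Two smaller points: the "-" / "+#endif" pair that removes the blank line after SSL_OP_TLS_BLOCK_PADDING_BUG and then re-adds spacing is whitespace-only churn and could be dropped to keep the diff minimal; and SSL_OP_SINGLE_DH_USE at the end of the context is correctly left unguarded, since it is a hardening option rather than a bug workaround and falls outside the commit's stated scope.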


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Thread (subject, author, views, posted):

[PATCH] SSL: guard use of all SSL options for bug workarounds - Piotr Sikora, 778 views, September 03, 2014 05:54PM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Maxim Dounin, 427 views, September 05, 2014 02:40PM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Piotr Sikora, 389 views, September 08, 2014 04:08AM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Richard Fussenegger, BSc, 384 views, September 08, 2014 07:02AM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Maxim Dounin, 317 views, September 08, 2014 01:24PM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Richard Fussenegger, BSc, 339 views, September 08, 2014 05:50PM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Maxim Dounin, 349 views, September 08, 2014 10:48PM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Alex, 324 views, September 09, 2014 04:12AM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Richard Fussenegger, BSc, 355 views, September 09, 2014 11:58AM
Re: [PATCH] SSL: guard use of all SSL options for bug workarounds - Maxim Dounin, 358 views, September 08, 2014 01:14PM
