[PATCH] SSL: enable CBC 1/n-1 record splitting on the client side

Piotr Sikora
September 03, 2014 05:54PM
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1409780995 25200
# Wed Sep 03 14:49:55 2014 -0700
# Node ID 2d40a7b1e3bc01777fcae9576b3860e70ca273bb
# Parent 3f5f0ab59b359064db16e1aa52dfca335720dff6
SSL: enable CBC 1/n-1 record splitting on the client side.

This is currently available only in BoringSSL, where it replaced
CBC 0/n record splitting (empty fragments), which is disabled in
nginx due to the (legacy?) interoperability issues.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diff -r 3f5f0ab59b35 -r 2d40a7b1e3bc src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Sep 01 18:20:18 2014 +0400
+++ b/src/event/ngx_event_openssl.c Wed Sep 03 14:49:55 2014 -0700
@@ -972,6 +972,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
if (flags & NGX_SSL_CLIENT) {
SSL_set_connect_state(sc->connection);

+#ifdef SSL_MODE_CBC_RECORD_SPLITTING
+ SSL_set_mode(sc->connection, SSL_MODE_CBC_RECORD_SPLITTING);
+#endif
+
} else {
SSL_set_accept_state(sc->connection);
}
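Review bot: The `#ifdef SSL_MODE_CBC_RECORD_SPLITTING` block in the `NGX_SSL_CLIENT` branch has no comment explaining the guard. The commit message says the mode is currently available only in BoringSSL, so a one-line comment above the `#ifdef` saying so would explain to later readers why the call is conditional and why it compiles to nothing with other libraries. As a style point, the added empty line after `#endif` leaves a blank line directly before `} else {`; consider dropping it so the block ends flush with the closing brace.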

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel