Re: SSLv3 protocol with LibreSSL

Maxim Dounin
February 24, 2015 01:54PM
Hello!

On Tue, Feb 17, 2015 at 11:25:42PM +0900, Kuramoto Eiji wrote:

> # HG changeset patch
> # User Kuramoto Eiji <ek@kuramoto.org>
> # Date 1424182447 -32400
> # Node ID 2f0279e2d15aa7fd4c8300a99fa323513deaf1ab
> # Parent f3f25ad09deee27485050a75732e5f46ab1b18b3
> SSLv3 protocol is not available with LibreSSL,
> even if SSLv3 option is supplied in config.
>
> LibreSSL-2.1.2/2.1.3 disables SSLv3 by default.
>
> diff -r f3f25ad09dee -r 2f0279e2d15a src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Wed Feb 11 20:18:55 2015 +0300
> +++ b/src/event/ngx_event_openssl.c Tue Feb 17 23:14:07 2015 +0900
> @@ -252,9 +252,17 @@
> if (!(protocols & NGX_SSL_SSLv2)) {
> SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
> }
> +ifdef LIBRESSL_VERSION_NUMBER
> + if (!(protocols & NGX_SSL_SSLv3)) {
> + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
> + } else {
> + SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_SSLv3);
> + }
> +#else
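Review bot: the `+ifdef LIBRESSL_VERSION_NUMBER` line is missing its leading `#`, so as written it is not a preprocessor directive and the block will not compile; it should read `#ifdef LIBRESSL_VERSION_NUMBER`. The `else` branch also actively clears `SSL_OP_NO_SSLv3` whenever `NGX_SSL_SSLv3` is in `protocols`, which overrides a default the library deliberately set; that behaviour, and the reason it only exists under a LibreSSL-specific guard, belongs in the commit message. As quoted, the hunk stops at `#else` (the header promises 8 added lines, 7 are visible), so the OpenSSL branch and the closing `#endif` cannot be reviewed here.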

I don't think we want LibreSSL-specific code like this.
Rather, I see two possible options:

1) Respect LibreSSL's decision to disable SSLv3 and don't do
anything. That is, keep it as is. This basically means that
there will be no SSLv3 support if you are using nginx with
LibreSSL. Much like there is no SSLv2 support either, because it
was removed from LibreSSL.

2) Clear all protocol options we know about. This will ensure
that future changes like the one in LibreSSL will not affect
nginx:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -249,6 +249,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_

SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);

+#ifdef SSL_CTRL_CLEAR_OPTIONS
+ SSL_clear_options(ssl->ctx,
+ SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+#endif
+
if (!(protocols & NGX_SSL_SSLv2)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
}
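Review bot: `SSL_clear_options` takes an `SSL *`, but `ssl->ctx` is the `SSL_CTX *` that the neighbouring `SSL_CTX_set_options(ssl->ctx, ...)` calls operate on; the context-level counterpart is `SSL_CTX_clear_options`, so the new call should read `SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);`. Guarding on `SSL_CTRL_CLEAR_OPTIONS` is the right feature test, since that ctrl and the clear_options API were introduced together in OpenSSL 0.9.8m.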
@@ -259,11 +264,13 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
}
#ifdef SSL_OP_NO_TLSv1_1
+ SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
if (!(protocols & NGX_SSL_TLSv1_1)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
}
#endif
#ifdef SSL_OP_NO_TLSv1_2
+ SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
if (!(protocols & NGX_SSL_TLSv1_2)) {
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
}
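Review bot: same type mismatch as in the first hunk: both new `SSL_clear_options(ssl->ctx, ...)` calls should be `SSL_CTX_clear_options(ssl->ctx, ...)`. These two clears also sit outside the `#ifdef SSL_CTRL_CLEAR_OPTIONS` guard used above; that is safe only because any build defining `SSL_OP_NO_TLSv1_1` or `SSL_OP_NO_TLSv1_2` already has the clear_options API, which is worth a one-line comment so the asymmetry does not look accidental. With both hunks applied, `protocols` alone determines which `SSL_OP_NO_*` bits remain set regardless of the library's compiled-in defaults, which is the behaviour option 2 is after.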

Not sure which of the above I would prefer, as both variants have
their pros and cons.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel