[PATCH] Proxy: add "proxy_ssl_padding" directive

Maxim Dounin mdounin at mdounin.ru
Fri Jul 25 15:56:27 UTC 2014


On Fri, Jul 25, 2014 at 04:48:51AM -0700, Piotr Sikora wrote:

> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1406288796 25200
> #      Fri Jul 25 04:46:36 2014 -0700
> # Node ID fa9bca0cb2876eb57048644aa4af15d1e6c85d26
> # Parent  c3b08217f2a24f4531e578082dff498d85818cf0
> Proxy: add "proxy_ssl_padding" directive.
> This change adds support for the TLS padding extension (the workaround
> for the "TLS hang bug"), which might be necessary in order to establish
> SSL connection with upstream servers with and/or behind broken SSL stack.
> Previously, it was possible to connect to such servers only by reducing
> size of the ClientHello message to below 256 bytes (by reducing number
> of advertised cipher suites, removing support for newer SSL protocols
> and/or removing the Server Name Indication extension).
> Requires OpenSSL-1.0.1h+.

And it is also known to cause problems with some other broken 
SSL stacks:


So it doesn't looks like a good candidate for enabling 
unconditionally, like we do with other workaround options.  On the 
other hand, I don't think it worth adding a configuration 
directive to control it.  We've recently introduced 
proxy_ssl_protocols and proxy_ssl_ciphers mostly to mitigate 
issues with such broken servers, and it should be enough.

Maxim Dounin

More information about the nginx-devel mailing list