[PATCH] Proxy: add "proxy_ssl_padding" directive

Piotr Sikora piotr at cloudflare.com
Fri Jul 25 19:06:16 UTC 2014


Hey,

> And it is also known to cause problems with some other broken
> SSL stacks:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=989062
> https://rt.openssl.org/Ticket/Display.html?id=3336
>
> So it doesn't look like a good candidate for enabling
> unconditionally, like we do with other workaround options.

Agreed, that's why I added it as an option.

> On the
> other hand, I don't think it worth adding a configuration
> directive to control it.  We've recently introduced
> proxy_ssl_protocols and proxy_ssl_ciphers mostly to mitigate
> issues with such broken servers, and it should be enough.

Except that with "proxy_ssl_server_name" the ClientHello message can
be >256 even with only a single SSL protocol and cipher suite enabled.

Best regards,
Piotr Sikora
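
To make the size argument above concrete, this added example (not code from this thread or from nginx) builds a TLS 1.2 ClientHello offering a single cipher suite, shows the server_name extension moving it into the 256 to 511 byte range, and pads it to 512 bytes as in the example usage of RFC 7685. The 180-byte session ticket, the host name and all helper names are constructed assumptions.

```python
import struct

EXT_SERVER_NAME = 0      # RFC 6066
EXT_SESSION_TICKET = 35  # RFC 5077
EXT_PADDING = 21         # RFC 7685

def ext(ext_type, body=b""):
    """One TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def sni(hostname):
    """server_name extension carrying a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)

def client_hello(extensions):
    """Handshake message (4-byte header included) offering one cipher suite."""
    exts = b"".join(extensions)
    body = (b"\x03\x03"                 # client_version: TLS 1.2
            + bytes(32)                 # random (constructed: all zeros)
            + b"\x00"                   # empty session_id
            + b"\x00\x02\x00\x2f"       # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00"               # null compression only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def with_padding(extensions):
    """Append a padding extension when the hello is 256..511 bytes long."""
    n = len(client_hello(extensions))
    if 256 <= n <= 511:
        extensions = extensions + [ext(EXT_PADDING, bytes(max(512 - n - 4, 0)))]
    return extensions

# Constructed sample: a 180-byte session ticket stands in for what a TLS
# library adds on its own; the host name is a placeholder.
TICKET = [ext(EXT_SESSION_TICKET, bytes(180))]
HOST = "upstream.example.com"

def sizes():
    """Hello lengths: without SNI, with SNI, and each after padding."""
    no_sni = TICKET
    with_sni = TICKET + [sni(HOST)]
    return tuple(len(client_hello(e)) for e in
                 (no_sni, with_sni, with_padding(no_sni), with_padding(with_sni)))

if __name__ == "__main__":
    print(sizes())
```

The cipher suite list is identical in all four messages; only the extensions change the length, which is why restricting protocols and ciphers does not bound the ClientHello size.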


