[PATCH] Proxy: add "proxy_ssl_padding" directive

Maxim Dounin mdounin at mdounin.ru
Fri Jul 25 19:20:16 UTC 2014


On Fri, Jul 25, 2014 at 12:06:16PM -0700, Piotr Sikora wrote:

> > On the
> > other hand, I don't think it worth adding a configuration
> > directive to control it.  We've recently introduced
> > proxy_ssl_protocols and proxy_ssl_ciphers mostly to mitigate
> > issues with such broken servers, and it should be enough.
> Except that with "proxy_ssl_server_name" the ClientHello message can
> be >256 even with only a single SSL protocol and cipher suite enabled.

This means that SNI can't be used with such backends (it never 
worked before as it can't work without TLS padding extension), and 
trivial solution is to don't switch it on.

Maxim Dounin

More information about the nginx-devel mailing list