[PATCH] Proxy: add "proxy_ssl_padding" directive

Maxim Dounin mdounin at mdounin.ru
Fri Jul 25 19:20:16 UTC 2014


Hello!

On Fri, Jul 25, 2014 at 12:06:16PM -0700, Piotr Sikora wrote:

> > On the
> > other hand, I don't think it's worth adding a configuration
> > directive to control it.  We've recently introduced
> > proxy_ssl_protocols and proxy_ssl_ciphers mostly to mitigate
> > issues with such broken servers, and it should be enough.
> 
> Except that with "proxy_ssl_server_name" the ClientHello message can
> be >256 even with only a single SSL protocol and cipher suite enabled.

This means that SNI can't be used with such backends (it never 
worked before as it can't work without the TLS padding extension), and 
the trivial solution is not to switch it on.

-- 
Maxim Dounin
http://nginx.org/
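
The size effect discussed in this thread, as an added example that is not part of the original message or of nginx: a minimal TLS 1.2 ClientHello with one cipher suite and only the SNI extension, built to measure how the host name length moves the message past 256 bytes. It assumes the 256-byte figure refers to the handshake message without the 5-byte record header; the function names and the constructed host names are illustrative, and a real client sends further extensions, so it crosses the limit with shorter names.

```python
import os
import struct

def sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0) with one host_name entry (RFC 6066)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(server_name_list)) + server_name_list

def client_hello(hostname=None, cipher_suites=(0x002F,)) -> bytes:
    """Minimal TLS 1.2 ClientHello handshake message (no record header)."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + os.urandom(32)                            # random
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # compression: null only
    )
    if hostname:
        ext = sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    # Handshake header: msg_type 1 (client_hello) + 24-bit body length
    return b"\x01" + struct.pack("!I", len(body))[1:] + body

def make_name(length: int) -> str:
    """Constructed host name of the given length, labels of at most 63 chars."""
    chars = ["a"] * length
    for i in range(63, length - 1, 64):
        chars[i] = "."
    return "".join(chars)

def min_hostname_len_over(limit: int = 256) -> int:
    """Shortest host name length that pushes the ClientHello past `limit`."""
    n = 1
    while len(client_hello(make_name(n))) <= limit:
        n += 1
    return n

if __name__ == "__main__":
    print("single cipher, no SNI :", len(client_hello()), "bytes")
    print("single cipher, SNI    :", len(client_hello("example.com")), "bytes")
    n = min_hostname_len_over(256)
    print("exceeds 256 bytes at host name length", n)
```
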