[PATCH] SSL: enable CBC 1/n-1 record splitting on the client side

Richard Fussenegger, BSc richard at fussenegger.info
Thu Sep 4 08:28:39 UTC 2014


Definitely not a legacy interoperability issue, e.g.:

https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c59

Even with 1/n-1, many problems arise, but at least not as many as with 
the 0/n approach:

https://www.imperialviolet.org/2012/01/15/beastfollowup.html

Richard

On 9/3/2014 11:53 PM, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1409780995 25200
> #      Wed Sep 03 14:49:55 2014 -0700
> # Node ID 2d40a7b1e3bc01777fcae9576b3860e70ca273bb
> # Parent  3f5f0ab59b359064db16e1aa52dfca335720dff6
> SSL: enable CBC 1/n-1 record splitting on the client side.
>
> This is currently available only in BoringSSL, where it replaced
> CBC 0/n record splitting (empty fragments), which is disabled in
> nginx due to the (legacy?) interoperability issues.
>
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
>
> diff -r 3f5f0ab59b35 -r 2d40a7b1e3bc src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c	Mon Sep 01 18:20:18 2014 +0400
> +++ b/src/event/ngx_event_openssl.c	Wed Sep 03 14:49:55 2014 -0700
> @@ -972,6 +972,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
>       if (flags & NGX_SSL_CLIENT) {
>           SSL_set_connect_state(sc->connection);
>   
> +#ifdef SSL_MODE_CBC_RECORD_SPLITTING
> +        SSL_set_mode(sc->connection, SSL_MODE_CBC_RECORD_SPLITTING);
> +#endif
> +
>       } else {
>           SSL_set_accept_state(sc->connection);
>       }
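Review bot: the added `#ifdef SSL_MODE_CBC_RECORD_SPLITTING` block in ngx_ssl_create_connection() carries no comment, so a reader of ngx_event_openssl.c cannot tell from the code that this turns on BoringSSL's 1/n-1 CBC record splitting (the replacement for the 0/n empty-fragment splitting that nginx keeps disabled) or why it is applied only in the NGX_SSL_CLIENT branch, which the commit message explains but the source does not. Suggest a one-line comment above the call, e.g. `/* BoringSSL only: 1/n-1 CBC record splitting, see commit message */`. The `#ifdef` guard correctly makes the hunk a no-op on OpenSSL builds that lack the macro, and SSL_set_mode() ORs the flag into the connection's existing mode bits rather than replacing them, so nothing set earlier on `sc->connection` is lost.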
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

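The thread above contrasts three ways a TLS 1.0 CBC record writer can hand attacker-influenced application data to the cipher: no splitting, OpenSSL's 0/n empty-fragment splitting, and BoringSSL's 1/n-1 splitting that the patch enables. The following is an added example, not code from the thread, nginx or BoringSSL: a small Python model of the TLS 1.0 record layer that chains each record's IV off the previous record's last ciphertext block. It uses a constructed keyed stand-in for the block cipher (an HMAC-based PRF, not AES) and a simplified record MAC, since the point is only to show which block each record is chained off, not to produce real TLS ciphertext. `bulk_iv_was_on_the_wire()` reports whether the record carrying the bulk of the data is chained off a block that was already observable before the data was chosen; splitting exists precisely to make that answer "no".

```python
import hashlib
import hmac
import os

BLOCK = 16      # AES block size
MAC_LEN = 20    # HMAC-SHA1 tag length, as in TLS 1.0 CBC cipher suites


def block_fn(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for the block cipher (NOT AES): a keyed PRF is
    # enough to model CBC chaining because nothing is decrypted here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def record_mac(key: bytes, seq: int, fragment: bytes) -> bytes:
    # Simplified TLS 1.0 record MAC (the real one also covers type/version/length).
    return hmac.new(key, seq.to_bytes(8, "big") + fragment, hashlib.sha1).digest()


def tls10_pad(data: bytes) -> bytes:
    # TLS CBC padding: pad_total bytes, each holding the value pad_total - 1.
    pad_total = BLOCK - (len(data) % BLOCK)
    return data + bytes([pad_total - 1]) * pad_total


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_fn(key, bytes(a ^ b for a, b in zip(prev, plaintext[i:i + BLOCK])))
        out += prev
    return out


class Tls10RecordWriter:
    """Minimal model of a TLS 1.0 CBC record writer.

    TLS 1.0 has no explicit per-record IV: every record is chained off the
    last ciphertext block of the previous record, which an on-path observer
    has already seen.  `splitting` selects the countermeasure:
      None    - no splitting
      "0/n"   - empty fragment first (OpenSSL's empty-fragment approach)
      "1/n-1" - one byte first (BoringSSL's SSL_MODE_CBC_RECORD_SPLITTING)
    """

    def __init__(self, enc_key: bytes, mac_key: bytes, splitting=None, iv=None):
        self.enc_key, self.mac_key, self.splitting = enc_key, mac_key, splitting
        self.chain_iv = iv if iv is not None else os.urandom(BLOCK)
        self.seq = 0

    def fragments(self, data: bytes):
        if self.splitting == "1/n-1" and len(data) > 1:
            return [data[:1], data[1:]]
        if self.splitting == "0/n":
            return [b"", data]
        return [data]

    def send(self, data: bytes):
        """Encrypt `data`; returns [(fragment_len, iv_used, ciphertext), ...]."""
        records = []
        for frag in self.fragments(data):
            iv = self.chain_iv
            pt = tls10_pad(frag + record_mac(self.mac_key, self.seq, frag))
            ct = cbc_encrypt(self.enc_key, iv, pt)
            self.chain_iv = ct[-BLOCK:]      # next record chains off this block
            self.seq += 1
            records.append((len(frag), iv, ct))
        return records


def bulk_iv_was_on_the_wire(writer: Tls10RecordWriter, data: bytes) -> bool:
    """True if the record carrying the bulk of `data` is chained off a block
    that was already observable before `data` reached the record layer.
    Removing that predictability is the purpose of CBC record splitting."""
    already_seen = writer.chain_iv
    records = writer.send(data)
    _, bulk_iv, _ = records[-1]
    return bulk_iv == already_seen


if __name__ == "__main__":
    k, m = b"k" * 16, b"m" * MAC_LEN          # constructed demo keys
    req = b"GET /secret HTTP/1.0"              # constructed sample plaintext
    for mode in (None, "0/n", "1/n-1"):
        w = Tls10RecordWriter(k, m, mode, bytes(BLOCK))
        print(f"{str(mode):6} bulk IV predictable: {bulk_iv_was_on_the_wire(w, req)}")
```

With 1/n-1 the first record holds one data byte plus the keyed MAC and padding (one 32-byte ciphertext for AES/SHA-1), and the bulk record is chained off that record's last block, which nobody can know before the record is produced; 0/n achieves the same with a zero-length fragment, which is the empty record that caused the interoperability trouble the commit message refers to.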