[PATCH] SSL: guard use of all SSL options for bug workarounds

Piotr Sikora piotr at cloudflare.com
Mon Sep 8 08:06:15 UTC 2014


Hey Maxim,

> After looking into http://trac.nginx.org/nginx/ticket/618,
> I'm rather sceptical about BoringSSL-related fixes.

To be fair, it was a regression that was fixed pretty fast once reported.

> On the other hand, if they indeed remove something we use, it may
> be a good enough reason to reconsider the use of the flags
> removed.

Most of the defines that they removed (SSL_OP_MICROSOFT_SESS_ID_BUG,
SSL_OP_NETSCAPE_CHALLENGE_BUG, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG and
SSL_OP_MSIE_SSLV2_RSA_PADDING) were for options that were removed from
BoringSSL along with SSLv2 support.

They also removed SSL_OP_TLS_BLOCK_PADDING_BUG, which had been broken for
a while, and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which nginx uses to
disable CBC 0/n record splitting; they replaced that with CBC 1/n-1
record splitting, which is not enabled by default (see my other patch).

This, however, doesn't mean that those options aren't doing anything
in OpenSSL (or LibreSSL, for that matter), especially when you insist
on supporting ancient versions of OpenSSL, so I don't think that we
should remove them from nginx.

Best regards,
Piotr Sikora
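
The guarding that the patch subject refers to, shown as an added example
(this is not nginx's, OpenSSL's or BoringSSL's code): every legacy
SSL_OP_* workaround is wrapped in its own #ifdef, so a library that has
dropped a define (as BoringSSL did for the options listed above) degrades
to "option not present" instead of a build failure. The function and
type names (ssl_bug_workaround_mask, ssl_bug_option_present and the rest)
are hypothetical. The block includes <openssl/ssl.h> only when the
compiler can find it; without the headers every guard takes its #else
branch, which is the same path a stripped-down library would take.

```c
/* Added example, not nginx's or BoringSSL's code: compile-time guards for
 * legacy SSL_OP_* bug workarounds so one source builds against OpenSSL,
 * LibreSSL and BoringSSL whether or not each define still exists.
 * All identifiers below (ssl_bug_option_t, ssl_bug_workaround_mask, ...)
 * are hypothetical names chosen for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Use the real defines when the OpenSSL headers are available. Otherwise
 * every guard below takes its #else branch, which is exactly what happens
 * when a library has removed an option. */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif

typedef struct {
    const char *name;
    uint64_t    value;    /* 0 when the define is absent */
    int         present;  /* 1 if the header defines it, else 0 */
} ssl_bug_option_t;

#define SSL_BUG_OPTION_PRESENT(opt) { #opt, (uint64_t) (opt), 1 }
#define SSL_BUG_OPTION_ABSENT(opt)  { #opt, (uint64_t) 0,     0 }

/* One guarded entry per workaround: the guard is the whole point. */
static const ssl_bug_option_t ssl_bug_options[] = {
#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
    SSL_BUG_OPTION_PRESENT(SSL_OP_MICROSOFT_SESS_ID_BUG),
#else
    SSL_BUG_OPTION_ABSENT(SSL_OP_MICROSOFT_SESS_ID_BUG),
#endif
#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
    SSL_BUG_OPTION_PRESENT(SSL_OP_NETSCAPE_CHALLENGE_BUG),
#else
    SSL_BUG_OPTION_ABSENT(SSL_OP_NETSCAPE_CHALLENGE_BUG),
#endif
#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
    SSL_BUG_OPTION_PRESENT(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG),
#else
    SSL_BUG_OPTION_ABSENT(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG),
#endif
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
    SSL_BUG_OPTION_PRESENT(SSL_OP_MSIE_SSLV2_RSA_PADDING),
#else
    SSL_BUG_OPTION_ABSENT(SSL_OP_MSIE_SSLV2_RSA_PADDING),
#endif
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
    SSL_BUG_OPTION_PRESENT(SSL_OP_TLS_BLOCK_PADDING_BUG),
#else
    SSL_BUG_OPTION_ABSENT(SSL_OP_TLS_BLOCK_PADDING_BUG),
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    SSL_BUG_OPTION_PRESENT(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
#else
    SSL_BUG_OPTION_ABSENT(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
#endif
};

/* Number of workarounds the source knows about (present or not). */
size_t ssl_bug_option_total(void) {
    return sizeof(ssl_bug_options) / sizeof(ssl_bug_options[0]);
}

/* Number of workarounds the current library headers actually define. */
size_t ssl_bug_option_count(void) {
    size_t i, n = 0;
    for (i = 0; i < ssl_bug_option_total(); i++)
        n += (size_t) ssl_bug_options[i].present;
    return n;
}

/* OR of every option that survived the guards; suitable for passing to
 * SSL_CTX_set_options() on the library this was compiled against. */
uint64_t ssl_bug_workaround_mask(void) {
    size_t i;
    uint64_t mask = 0;
    for (i = 0; i < ssl_bug_option_total(); i++)
        if (ssl_bug_options[i].present)
            mask |= ssl_bug_options[i].value;
    return mask;
}

/* 1 if the named option is defined, 0 if guarded out, -1 if unknown. */
int ssl_bug_option_present(const char *name) {
    size_t i;
    for (i = 0; i < ssl_bug_option_total(); i++)
        if (strcmp(ssl_bug_options[i].name, name) == 0)
            return ssl_bug_options[i].present;
    return -1;
}

/* 1 if every present option's bits are contained in mask. */
int ssl_bug_mask_covers(uint64_t mask) {
    size_t i;
    for (i = 0; i < ssl_bug_option_total(); i++)
        if (ssl_bug_options[i].present &&
            (mask & ssl_bug_options[i].value) != ssl_bug_options[i].value)
            return 0;
    return 1;
}

int main(void) {
    size_t i;
    for (i = 0; i < ssl_bug_option_total(); i++)
        printf("%-40s %s\n", ssl_bug_options[i].name,
               ssl_bug_options[i].present ? "present" : "absent (guarded out)");
    printf("workaround mask: 0x%llx\n",
           (unsigned long long) ssl_bug_workaround_mask());
    return 0;
}
```

Built against a current OpenSSL several of these entries are present but
carry a value of 0 (the library kept the names as no-ops), so the mask
alone does not tell you which workarounds are still in effect; the
present/absent report does.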
