[PATCH] SSL: guard use of all SSL options for bug workarounds
mdounin at mdounin.ru
Tue Sep 9 02:47:23 UTC 2014
On Mon, Sep 08, 2014 at 11:48:28PM +0200, Richard Fussenegger, BSc wrote:
> On 9/8/2014 7:22 PM, Maxim Dounin wrote:
> >On Mon, Sep 08, 2014 at 01:01:02PM +0200, Richard Fussenegger, BSc wrote:
> >>Wouldn't it be better to drop support for ancient OpenSSL versions? It would
> >>be a great step for performance and security. Are there any good reasons to
> >>support old OpenSSL versions?
> >Dropping support doesn't change anything for those who use modern
> >versions of the OpenSSL library. And it will upset those who, for
> >some reason, have to use old versions.
> >The only benefit of dropping support for older OpenSSL versions is
> >slightly lower code maintenance costs on nginx side.
> The nginx project could be a forerunner by removing support. Of course you
> would upset some admins but you know as well as I that many of those could
> easily upgrade but are unwilling to do so. If they can stick to outdated
> OpenSSL versions that have SERIOUS vulnerabilities regarding security and

What makes you think that there are any vulnerabilities? As far as
I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
compilation with) is still commercially supported as a part of at
least one OS, and will be supported till 2017.

Even if there are, SSL isn't the only reason to compile nginx with
OpenSSL. Some just need MD5/SHA1 from OpenSSL for various uses
within nginx itself, and some just use a single package for
everything - and any version of OpenSSL will do as long as it
compiles, as SSL isn't used at all.

I personally more or less regularly test nginx on a system with
OpenSSL 0.9.7d - and I'm fine as long as it compiles, as it's a
test virtual machine.

> why would they need an updated nginx? Honestly, I don't

And that's another part of the problem: if they won't be able to
update nginx, they won't update it. And that's not what we want to
happen - instead, we want them to update nginx even if they stick
to some old libraries for some reason. And make this as painless

> understand this kind of politics. It would be much better to implement a
> policy that says (e.g.) current nginx versions support two versions back of
> OpenSSL from the time of release of both. That would be a clear rule that
> anyone can easily understand and it would ensure proper updates and fixes
> for security problems of the complete Internet infrastructure. I think that

As of now, the minimum supported OpenSSL version is 0.9.7, and this is
documented in http://nginx.org/en/CHANGES. That's certainly a
clear rule that anyone can easily understand.

We'll probably bump this to 0.9.8 once we get bored with 0.9.7
compatibility, but that's all we can do now without introducing a
lot of trouble: various major OSes are shipped with 0.9.8*, and
the 0.9.8 branch is still supported by OpenSSL.

> you underestimate the scope of engagement that nginx is playing now as
> second most used web server of the world. I think that the project should
> take that role much more seriously. (Please don't answer with something like "but
> Apache httpd", the project shouldn't reiterate problems of other projects.)

I think you overestimate the positive impact of not supporting old
OpenSSL versions, and underestimate the negative impact of this.