SSLv2 bad detection, patch

Mirosław Jaworski mjaw at ikp.pl
Thu Jul 1 19:00:49 MSD 2010


Problem:
An old web application that supports only SSLv2 can't connect to the
web service migrated behind SSL-offloading nginx.

Analysis:
nginx treats the connection as plain HTTP. Traffic analysis using
various client options shows that 0x80 isn't the only value that can
show up as the first byte of an SSL client hello.

Nginx code excerpt ( nginx-0.7.67, src/http/ngx_http_request.c:551 ):
        if (buf[0] == 0x80 /* SSLv2 */ || buf[0] == 0x16 /* SSLv3/TLSv1 */) {
                   ^^

openssl code excerpt ( openssl-0.9.8k, as such version is installed on
server side, ssl/s23_srvr.c:268 ):

                if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
                          ^^
The difference in SSL detection logic is underlined.

Solution:
Fix SSLv2 detection. Patch attached.

-- 
Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
      "A city is a large community where people are lonesome together."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch
Type: text/x-patch
Size: 460 bytes
Desc: not available
URL: <http://nginx.org/pipermail/nginx/attachments/20100701/64f8f7ee/attachment-0001.bin>
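
The difference between the two checks quoted in the message, as an added example (not code from nginx, OpenSSL, or the attached patch): in the SSLv2 two-byte record header the top bit of the first byte is a flag and the remaining 15 bits carry the record length, so a ClientHello of 256 bytes or more starts with 0x81 or higher. The function names and sample lengths are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define SSL2_MT_CLIENT_HELLO 1     /* message type value from OpenSSL's ssl2.h */
#define SSL3_RT_HANDSHAKE    0x16  /* SSLv3/TLSv1 handshake record type */

/* Exact-match test, as in the quoted nginx-0.7.67 line. */
static int detect_exact(const unsigned char *p, size_t n)
{
    return n >= 1 && (p[0] == 0x80 || p[0] == SSL3_RT_HANDSHAKE);
}

/* Mask test, as in the quoted openssl-0.9.8k line; needs 3 bytes for SSLv2. */
static int detect_masked(const unsigned char *p, size_t n)
{
    if (n >= 1 && p[0] == SSL3_RT_HANDSHAKE)
        return 1;
    return n >= 3 && (p[0] & 0x80) && p[2] == SSL2_MT_CLIENT_HELLO;
}

/* Record length carried in the low 15 bits of the two-byte SSLv2 header. */
static unsigned ssl2_record_len(const unsigned char *p)
{
    return ((unsigned)(p[0] & 0x7f) << 8) | p[1];
}

/* Constructed sample: first 3 bytes of an SSLv2 ClientHello of length len. */
static void ssl2_hello_header(unsigned len, unsigned char out[3])
{
    out[0] = (unsigned char)(0x80 | ((len >> 8) & 0x7f));
    out[1] = (unsigned char)(len & 0xff);
    out[2] = SSL2_MT_CLIENT_HELLO;
}

int main(void)
{
    unsigned lens[] = { 46, 255, 256, 300 };   /* constructed lengths */
    unsigned char h[3];
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        ssl2_hello_header(lens[i], h);
        printf("len=%3u first=0x%02x exact=%d masked=%d\n",
               ssl2_record_len(h), h[0], detect_exact(h, 3), detect_masked(h, 3));
    }
    return 0;
}
```

Short hellos pass both tests; once the record length reaches 256 only the masked test still recognises the connection as SSL.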

