SSLv2 bad detection, patch
mjaw at ikp.pl
Thu Jul 1 19:00:49 MSD 2010
old web application supporting SSLv2 only can't connect to the
web service migrated behind ssl-offloading nginx.
nginx considers connection as plain http. Traffic analysis using
various client options shows that 0x80 isn't the only possibility
to show up as first byte in ssl client hello.
Nginx code excerpt ( nginx-0.7.67, src/http/ngx_http_request.c:551 ):
if (buf == 0x80 /* SSLv2 */ || buf == 0x16 /* SSLv3/TLSv1
openssl code excerpt ( openssl-0.9.8k, as such version is installed on
server side, ssl/s23_srvr.c:268 ):
if ((p & 0x80) && (p == SSL2_MT_CLIENT_HELLO))
Difference in SSL logic detection underlined.
Fix SSLv2 detection. Patch attached.
Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
"A city is a large community where people are lonesome together."
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 460 bytes
Desc: not available
More information about the nginx