SSLv2 bad detection, patch

Mirosław Jaworski mjaw at
Thu Jul 1 19:00:49 MSD 2010

old web application supporting SSLv2 only can't connect to the 
web service migrated behind ssl-offloading nginx.

nginx considers connection as plain http. Traffic analysis using
various client options shows that 0x80 isn't the only possibility
to show up as first byte in ssl client hello.

Nginx code excerpt ( nginx-0.7.67, src/http/ngx_http_request.c:551 ):
        if (buf[0] == 0x80 /* SSLv2 */ || buf[0] == 0x16 /* SSLv3/TLSv1
*/) {

openssl code excerpt ( openssl-0.9.8k, as such version is installed on
server side, ssl/s23_srvr.c:268 ):

                if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
Difference in SSL logic detection underlined.

Fix SSLv2 detection. Patch attached.

Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
      "A city is a large community where people are lonesome together."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch
Type: text/x-patch
Size: 460 bytes
Desc: not available
URL: <>

More information about the nginx mailing list