Inquiry regarding support for OpenSSL 1.0.2i

Valentin V. Bartenev vbart at
Wed Sep 28 12:30:48 UTC 2016

On Wednesday 28 September 2016 17:34:58 jhernandez wrote:
> Hello,
> We've recently received a notification regarding a vulnerability in 
> OpenSSL:
> OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
> This is fixed in OpenSSL v1.0.2i
> We're running an Nginx proxy server on Windows 2012 R2 and are currently 
> using Nginx 1.9.9 - with OpenSSL 1.0.2e
> We do plan to upgrade to the latest stable nginx-1.10.1, but it seems 
> this version for Windows was compiled with OpenSSL 1.0.2*h*.
> Any idea when a new stable or mainline version will come out with 
> OpenSSL 1.0.2i support ?
> Alternatively, we're also looking to build a custom 1.10.1 with the 
> OpenSSL 1.0.2i library with the instructions here: 
> But we're not sure if 1.10.1 would support OpenSSL 1.0.2i. Has anyone 
> tried this approach before ?

  wbr, Valentin V. Bartenev

More information about the nginx mailing list