[PATCH] Don't use SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround

Maxim Dounin mdounin at mdounin.ru
Sat Dec 4 05:43:22 MSK 2010


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1291430303 -10800
# Node ID de5c7db8d43baaed219e56ce97728db47370fa3e
# Parent  0ba8b1344f121fae0b5d2002ffdf4327053ec1ff
Don't use SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround.

This used to be a workaround for old Netscape browsers and servers.  As of
OpenSSL 0.9.8q and 1.0.0c, this option has no effect.

See CVE-2010-4180 and OpenSSL's advisory here:

http://www.openssl.org/news/secadv_20101202.txt

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -155,7 +155,6 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
 
     SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
-    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
 
     /* server side options */
 
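Review bot: the commit message only says the option "has no effect" as of OpenSSL 0.9.8q and 1.0.0c, which by itself does not motivate removing the line in this hunk; it should also say what the option does for nginx built against OpenSSL releases older than those, since that is the case the CVE-2010-4180 reference in the message is pointing at. Suggest expanding the message along the lines of "On OpenSSL versions before 0.9.8q / 1.0.0c, setting SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is what exposes the issue described in CVE-2010-4180, so the option must not be set regardless of the library version." The two neighbouring workaround options left in place (SSL_OP_MICROSOFT_SESS_ID_BUG, SSL_OP_NETSCAPE_CHALLENGE_BUG) are unaffected by this change and need no comment here.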


