[PATCH] SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
Piotr Sikora
piotr at cloudflare.com
Mon Sep 16 21:33:44 UTC 2013
Hello,
while OpenSSL-1.0.1f isn't released just yet, the change that
removes SSL_OP_MSIE_SSLV2_RSA_PADDING is already backported to
OpenSSL_1_0_1-stable branch and I believe that it's better to
proactively guard against this than to wait for people to
complain that nginx doesn't compile with new OpenSSL.
Best regards,
Piotr Sikora
# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1379366678 25200
# Mon Sep 16 14:24:38 2013 -0700
# Node ID a73678f5f96ffead0b616b2c03dfcfd5445d443b
# Parent cec155f07c84953138455b65dfe678bb514e33ca
SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
This option had no effect since 0.9.7h / 0.9.8b and it was removed
in recent OpenSSL.
Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
diff -r cec155f07c84 -r a73678f5f96f src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Sep 16 18:49:23 2013 +0400
+++ b/src/event/ngx_event_openssl.c Mon Sep 16 14:24:38 2013 -0700
@@ -185,8 +185,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
+#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
+#endif
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
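Review bot: Since the commit message states this option has had no effect since 0.9.7h / 0.9.8b, the `#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING` guard in this hunk preserves a dead `SSL_CTX_set_options()` call and its comment for older OpenSSL builds; consider dropping the call and the comment entirely instead of guarding them, which also keeps the compile working with the OpenSSL_1_0_1-stable branch that removed the macro. If the guard is kept, the retained comment "this option allow a potential SSL 2.0 rollback (CAN-2005-2969)" reads oddly next to a conditional block that only exists to tolerate the option's removal; a short note that the option is a no-op on modern OpenSSL (and a grammar fix to "allows") would make the intent clearer to the next reader.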