[PATCH] SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.

Piotr Sikora piotr at cloudflare.com
Mon Sep 16 21:33:44 UTC 2013


Hello,
while OpenSSL-1.0.1f isn't released just yet, the change that
removes SSL_OP_MSIE_SSLV2_RSA_PADDING is already backported to
OpenSSL_1_0_1-stable branch and I believe that it's better to
proactively guard against this than to wait for people to
complain that nginx doesn't compile with new OpenSSL.

Best regards,
Piotr Sikora


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1379366678 25200
#      Mon Sep 16 14:24:38 2013 -0700
# Node ID a73678f5f96ffead0b616b2c03dfcfd5445d443b
# Parent  cec155f07c84953138455b65dfe678bb514e33ca
SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.

This option had no effect since 0.9.7h / 0.9.8b and it was removed
in recent OpenSSL.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r cec155f07c84 -r a73678f5f96f src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c     Mon Sep 16 18:49:23 2013 +0400
+++ b/src/event/ngx_event_openssl.c     Mon Sep 16 14:24:38 2013 -0700
@@ -185,8 +185,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);

+#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
     /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
     SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
+#endif

     SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
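Review bot: The commit message says this option has had no effect since 0.9.7h / 0.9.8b, so wrapping the `SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);` call in `#ifdef` keeps a known no-op alive on older OpenSSL builds instead of retiring it; consider dropping the call and its comment outright, which also removes the `#ifdef`/`#endif` pair and avoids carrying one preprocessor guard per option that OpenSSL removes. If the guard is kept on purpose (to stay byte-for-byte compatible with existing behaviour on old libraries), say so in the commit message, and take the chance to fix the grammar of the retained comment (`/* this option allows a potential SSL 2.0 rollback (CAN-2005-2969) */`) so a reader is not left wondering why nginx deliberately sets an option the comment describes as enabling a rollback.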
