[nginx] Proxy: added the "proxy_ssl_protocols" directive.

Maxim Dounin mdounin at mdounin.ru
Mon Sep 23 13:06:57 UTC 2013


Hello!

On Sun, Sep 22, 2013 at 10:47:05PM -0700, Piotr Sikora wrote:

> Hi Andrei,
> 
> > +#if (NGX_HTTP_SSL)
> > +
> > +static ngx_conf_bitmask_t  ngx_http_proxy_ssl_protocols[] = {
> > +    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
> > +    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
> > +    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
> > +    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
> > +    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
> > +    { ngx_null_string, 0 }
> > +};
> > +
> > +#endif
> 
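Review bot: this table is a verbatim copy of the ngx_http_ssl_protocols array in ngx_http_ssl_module (the duplication raised below), so prefer exporting that array or placing it in a shared header rather than maintaining a third copy; also, because the table accepts "SSLv2" and "SSLv3", the directive's default value (not visible in this hunk) should exclude both, and the documentation should state that those two entries exist only for compatibility with legacy backends.
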
> I'm a bit biased, because I was cleaning up a patchset with
> "proxy_ssl_protocols" and "proxy_ssl_ciphers" directives to send to
> the mailing list when you committed this, but wouldn't it make more
> sense to either expose & reuse ngx_http_ssl_protocols or ideally push
> this and other definitions back to ngx_event_openssl module instead of
> having exactly the same bitmask & NGX_DEFAULT_CIPHERS defined in 3
> different places (ngx_http_ssl_module, ngx_http_proxy_ssl_module &
> ngx_mail_ssl_module)?

As of now, ngx_event_openssl.c mostly doesn't know about 
configuration parsing (the only exception seems to be ngx_conf_t 
used by ngx_ssl_certificate() and others to expand file name).  
Please also note that ngx_event_openssl isn't a module, but rather 
an SSL-library interface.  While moving ssl protocols list into 
ngx_event_openssl.[ch] is possible, it's certainly not how things 
are currently done.

BTW, could you please clarify reasons for proxy_ssl_ciphers?  
Andrei added proxy_ssl_protocols mostly as a workaround, because 
previously used default resulted in connection failures with some 
backends as seen by our customer.  Not sure if adding 
proxy_ssl_ciphers is worth the effort from this point of view, and 
actually that's why I stopped myself from asking him to add it.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
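To show what the bitmask table in the patch above is consumed by, and why sharing one table (as Piotr suggests) matters, here is an added stand-alone example that is not nginx code: a small parser that turns a directive value such as "TLSv1 TLSv1.1 TLSv1.2" into protocol flags the way ngx_conf_set_bitmask_slot does, plus a check for whether the result still admits SSLv2 or SSLv3. The flag values are assumed to mirror ngx_event_openssl.h; the function names are hypothetical.

```c
#include <string.h>

/* Flag values assumed from nginx's ngx_event_openssl.h (not copied from the patch). */
#define NGX_SSL_SSLv2    0x0002
#define NGX_SSL_SSLv3    0x0004
#define NGX_SSL_TLSv1    0x0008
#define NGX_SSL_TLSv1_1  0x0010
#define NGX_SSL_TLSv1_2  0x0020

typedef struct { const char *name; unsigned mask; } proto_bit_t;

/* Same shape as ngx_conf_bitmask_t: name -> flag, terminated by a NULL entry.
 * One shared table like this is what the review thread argues for. */
static const proto_bit_t ssl_protocols[] = {
    { "SSLv2",   NGX_SSL_SSLv2 },
    { "SSLv3",   NGX_SSL_SSLv3 },
    { "TLSv1",   NGX_SSL_TLSv1 },
    { "TLSv1.1", NGX_SSL_TLSv1_1 },
    { "TLSv1.2", NGX_SSL_TLSv1_2 },
    { NULL, 0 }
};

/* Parse a space-separated directive value into a bitmask.
 * Returns 0 for an unknown name, a duplicated name, an empty value, or an
 * over-long value, mirroring how the bitmask slot rejects bad input. */
unsigned parse_ssl_protocols(const char *value)
{
    char      buf[128];
    unsigned  mask = 0;
    char     *tok;

    if (strlen(value) >= sizeof(buf)) return 0;
    strcpy(buf, value);                         /* strtok needs a writable copy */

    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        const proto_bit_t *p;
        for (p = ssl_protocols; p->name != NULL; p++) {
            if (strcmp(tok, p->name) == 0) break;
        }
        if (p->name == NULL || (mask & p->mask)) return 0;   /* unknown or duplicate */
        mask |= p->mask;
    }
    return mask;
}

/* Defender's check: does the configured set still permit SSLv2 or SSLv3? */
int allows_legacy_ssl(unsigned mask)
{
    return (mask & (NGX_SSL_SSLv2 | NGX_SSL_SSLv3)) != 0;
}
```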


