[PATCH] Proxy: add "proxy_ssl_padding" directive

Piotr Sikora piotr at cloudflare.com
Fri Jul 25 11:48:51 UTC 2014


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1406288796 25200
#      Fri Jul 25 04:46:36 2014 -0700
# Node ID fa9bca0cb2876eb57048644aa4af15d1e6c85d26
# Parent  c3b08217f2a24f4531e578082dff498d85818cf0
Proxy: add "proxy_ssl_padding" directive.

This change adds support for the TLS padding extension (the workaround
for the "TLS hang bug"), which might be necessary in order to establish
an SSL connection with upstream servers that have, or sit behind, a broken SSL stack.

Previously, it was possible to connect to such servers only by reducing
size of the ClientHello message to below 256 bytes (by reducing number
of advertised cipher suites, removing support for newer SSL protocols
and/or removing the Server Name Indication extension).

Requires OpenSSL-1.0.1h+.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r c3b08217f2a2 -r fa9bca0cb287 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c	Thu Jul 24 16:25:07 2014 +0400
+++ b/src/http/modules/ngx_http_proxy_module.c	Fri Jul 25 04:46:36 2014 -0700
@@ -84,6 +84,7 @@ typedef struct {
     ngx_uint_t                     ssl_verify_depth;
     ngx_str_t                      ssl_trusted_certificate;
     ngx_str_t                      ssl_crl;
+    ngx_flag_t                     ssl_padding;
 #endif
 } ngx_http_proxy_loc_conf_t;
 
@@ -164,6 +165,10 @@ static char *ngx_http_proxy_cache_key(ng
 #endif
 
 static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_padding_check(ngx_conf_t *cf, void *post,
+    void *data);
+#endif
 
 static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
     ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
@@ -177,6 +182,10 @@ static void ngx_http_proxy_set_vars(ngx_
 
 static ngx_conf_post_t  ngx_http_proxy_lowat_post =
     { ngx_http_proxy_lowat_check };
+#if (NGX_HTTP_SSL)
+static ngx_conf_post_t  ngx_http_proxy_ssl_padding_post =
+    { ngx_http_proxy_ssl_padding_check };
+#endif
 
 
 static ngx_conf_bitmask_t  ngx_http_proxy_next_upstream_masks[] = {
@@ -598,6 +607,13 @@ static ngx_command_t  ngx_http_proxy_com
       offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
       NULL },
 
+    { ngx_string("proxy_ssl_padding"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, ssl_padding),
+      &ngx_http_proxy_ssl_padding_post },
+
 #endif
 
       ngx_null_command
@@ -2495,6 +2511,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
     conf->upstream.ssl_server_name = NGX_CONF_UNSET;
     conf->upstream.ssl_verify = NGX_CONF_UNSET;
     conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+    conf->ssl_padding = NGX_CONF_UNSET;
 #endif
 
     /* "proxy_cyclic_temp_file" is disabled */
@@ -2791,6 +2808,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
                               prev->ssl_trusted_certificate, "");
     ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+    ngx_conf_merge_value(conf->ssl_padding, prev->ssl_padding, 0);
 
     if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
@@ -3824,6 +3842,18 @@ ngx_http_proxy_lowat_check(ngx_conf_t *c
 
 #if (NGX_HTTP_SSL)
 
+static char *
+ngx_http_proxy_ssl_padding_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_OP_TLSEXT_PADDING
+    ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
+                       "\"proxy_ssl_padding\" is not supported, ignored");
+#endif
+
+    return NGX_CONF_OK;
+}
+
+
 static ngx_int_t
 ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
 {
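Review bot: ngx_http_proxy_ssl_padding_check emits the "not supported, ignored" warning every time the directive appears, including `proxy_ssl_padding off`, because it never reads the value `data` points to. If I read ngx_conf_set_flag_slot correctly, it stores the parsed flag before calling the post handler, so `data` is the ngx_flag_t just written and the warning can be gated on it: `if (*(ngx_flag_t *) data) { ngx_conf_log_error(NGX_LOG_WARN, cf, 0, "\"proxy_ssl_padding\" is not supported, ignored"); }` inside the `#ifndef`. Leaving `post` unused matches ngx_http_proxy_lowat_check and is fine. The hunk ends on the signature of ngx_http_proxy_set_ssl, whose body continues outside it.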
@@ -3880,6 +3910,12 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
         }
     }
 
+#ifdef SSL_OP_TLSEXT_PADDING
+    if (plcf->ssl_padding) {
+        SSL_CTX_set_options(plcf->upstream.ssl->ctx, SSL_OP_TLSEXT_PADDING);
+    }
+#endif
+
     return NGX_OK;
 }
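Review bot: The SSL_CTX_set_options call in the new `#ifdef SSL_OP_TLSEXT_PADDING` block carries no comment, so a reader of ngx_http_proxy_set_ssl cannot tell why a padding option is being set on the upstream context; the rationale lives only in the commit message. A one-liner above the `if (plcf->ssl_padding)` such as `/* TLS padding extension: "TLS hang bug" workaround for broken upstream SSL stacks */` would keep that context in the code. When the macro is absent the flag is silently dropped here and only the configuration-time warning from ngx_http_proxy_ssl_padding_check tells the operator, which is worth stating in that comment as well. ngx_http_proxy_set_ssl starts outside this hunk.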
 


