[PATCH] Proxy: add "proxy_ssl_padding" directive
Maxim Dounin
mdounin at mdounin.ru
Fri Jul 25 15:56:27 UTC 2014
Hello!
On Fri, Jul 25, 2014 at 04:48:51AM -0700, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1406288796 25200
> # Fri Jul 25 04:46:36 2014 -0700
> # Node ID fa9bca0cb2876eb57048644aa4af15d1e6c85d26
> # Parent c3b08217f2a24f4531e578082dff498d85818cf0
> Proxy: add "proxy_ssl_padding" directive.
>
> This change adds support for the TLS padding extension (the workaround
> for the "TLS hang bug"), which might be necessary in order to establish
> an SSL connection with upstream servers with and/or behind a broken SSL stack.
>
> Previously, it was possible to connect to such servers only by reducing
> the size of the ClientHello message to below 256 bytes (by reducing the number
> of advertised cipher suites, removing support for newer SSL protocols
> and/or removing the Server Name Indication extension).
>
> Requires OpenSSL-1.0.1h+.
And it is also known to cause problems with some other broken
SSL stacks:
https://bugzilla.mozilla.org/show_bug.cgi?id=989062
https://rt.openssl.org/Ticket/Display.html?id=3336
So it doesn't look like a good candidate for enabling
unconditionally, like we do with other workaround options. On the
other hand, I don't think it's worth adding a configuration
directive to control it. We've recently introduced
proxy_ssl_protocols and proxy_ssl_ciphers mostly to mitigate
issues with such broken servers, and it should be enough.
--
Maxim Dounin
http://nginx.org/
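As an added illustration of the two workarounds contrasted above (example code, not part of the patch or of nginx): a Python size model of the ClientHello handshake message showing how trimming cipher suites, newer protocols and SNI brings it under 256 bytes, and how the padding extension avoids the problematic 256..511-byte range by padding to 512 bytes instead, following the rule OpenSSL applies under SSL_OP_TLSEXT_PADDING. The cipher-suite codes, hostname and signature_algorithms list are constructed placeholders; only their sizes matter.

```python
import struct

# Constructed: 12 (hash, signature) pairs, the shape of a TLS 1.2 signature_algorithms list.
SIG_ALGS = [(h, s) for h in (4, 5, 6, 2) for s in (1, 2, 3)]

# Constructed placeholder suite codes; only their count matters for the size.
DEFAULT_SUITES = list(range(0xC000, 0xC000 + 80))


def build_client_hello(cipher_suites, sni=None, tls12=True, padding=False):
    """Serialise a minimal ClientHello handshake message (4-byte header + body).

    A size model of what an OpenSSL client sends, not a working TLS client:
    the random is zeroed and the cipher-suite codes are opaque placeholders.
    """
    body = b"\x03\x03" if tls12 else b"\x03\x01"          # client_version
    body += b"\x00" * 32                                   # client_random (constructed)
    body += b"\x00"                                        # empty session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += b"\x01\x00"                                    # compression_methods: null only
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack(">HH", 0, len(entry)) + entry  # server_name extension (type 0)
    if tls12:
        algs = b"".join(struct.pack(">BB", h, s) for h, s in SIG_ALGS)
        exts += struct.pack(">HHH", 13, len(algs) + 2, len(algs)) + algs  # signature_algorithms

    def assemble(ext_bytes):
        ext_block = struct.pack(">H", len(ext_bytes)) + ext_bytes if ext_bytes else b""
        hello = body + ext_block
        return b"\x01" + len(hello).to_bytes(3, "big") + hello

    msg = assemble(exts)
    if padding:
        # OpenSSL's SSL_OP_TLSEXT_PADDING rule: if the message (counting the 2-byte
        # extensions length) is 256..511 bytes, append a padding extension (type 21)
        # of zero bytes so the whole message becomes exactly 512 bytes.
        hlen = len(msg) + (0 if exts else 2)
        if 255 < hlen < 512:
            pad = max(512 - hlen - 4, 0)
            exts += struct.pack(">HH", 21, pad) + b"\x00" * pad
            msg = assemble(exts)
    return msg


def in_hang_range(msg):
    """True if this ClientHello has a length the broken stacks choke on (256..511 bytes)."""
    return 255 < len(msg) < 512


if __name__ == "__main__":
    full = build_client_hello(DEFAULT_SUITES, sni="upstream.example.com")
    trimmed = build_client_hello(DEFAULT_SUITES[:30], sni=None, tls12=False)
    padded = build_client_hello(DEFAULT_SUITES, sni="upstream.example.com", padding=True)
    for label, m in (("default", full), ("trimmed", trimmed), ("padded", padded)):
        print(f"{label:8s} {len(m):4d} bytes  hang range: {in_hang_range(m)}")
```

Running it shows the default hello at 264 bytes (inside the range), the trimmed one at 103 bytes, and the padded one at exactly 512 bytes.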