[PATCH] Proxy: add "proxy_ssl_padding" directive
Piotr Sikora
piotr at cloudflare.com
Fri Jul 25 19:06:16 UTC 2014
Hey,
> And it is also known to cause problems with some other broken
> SSL stacks:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=989062
> https://rt.openssl.org/Ticket/Display.html?id=3336
>
> So it doesn't look like a good candidate for enabling
> unconditionally, like we do with other workaround options.
Agreed, that's why I added it as an option.
> On the
> other hand, I don't think it's worth adding a configuration
> directive to control it. We've recently introduced
> proxy_ssl_protocols and proxy_ssl_ciphers mostly to mitigate
> issues with such broken servers, and it should be enough.
Except that with "proxy_ssl_server_name" the ClientHello message can
be >256 even with only a single SSL protocol and cipher suite enabled.
Best regards,
Piotr Sikora
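
The size argument in the reply above, as an added example (not code from the patch or from nginx): a minimal ClientHello with one cipher suite, with and without SNI. It assumes the padding under discussion is the TLS ClientHello padding extension (RFC 7685, type 21), applied when the handshake message is 256 to 511 bytes; `LONG_HOST` and the function names are constructed for illustration, and a real OpenSSL ClientHello carries more extensions, so it crosses 256 bytes with shorter names.

```python
import struct

def _hello(exts, suites=(0x002F,)):
    """TLS 1.2 ClientHello handshake message, 4-byte handshake header included."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03"                      # client_version: TLS 1.2
            + bytes(32)                      # random (all zeros, constructed)
            + b"\x00"                        # empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                   # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

def sni_ext(host):
    """server_name extension (type 0) carrying a single host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(lst)) + lst

def client_hello(server_name=None, padding=False):
    exts = sni_ext(server_name) if server_name else b""
    msg = _hello(exts)
    # Pad only inside the 256..511 byte window, up to 512 bytes where possible.
    if padding and 0xFF < len(msg) < 0x200:
        pad = 0x200 - len(msg)
        pad = pad - 4 if pad >= 4 else 0     # 4 bytes go to the extension header
        msg = _hello(exts + struct.pack("!HH", 21, pad) + bytes(pad))
    return msg

# Constructed 204-character upstream name (labels of at most 63 characters).
LONG_HOST = ".".join(["a" * 63, "b" * 63, "c" * 63, "example.test"])

if __name__ == "__main__":
    for host in (None, "example.com", LONG_HOST):
        plain = len(client_hello(host))
        padded = len(client_hello(host, padding=True))
        print(f"name_len={len(host or ''):3d} plain={plain:3d} padded={padded:3d}")
```
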
More information about the nginx-devel mailing list