[PATCH] SSL: guard use of all SSL options for bug workarounds

Piotr Sikora piotr at cloudflare.com
Wed Sep 3 21:53:23 UTC 2014

# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1409780995 25200
#      Wed Sep 03 14:49:55 2014 -0700
# Node ID 9c59138cd7030a88a761856f849c581924ca1a3b
# Parent  3f5f0ab59b359064db16e1aa52dfca335720dff6
SSL: guard use of all SSL options for bug workarounds.

Some of the OpenSSL forks (read: BoringSSL) started removing unused,
no longer necessary and/or not really working bug workarounds along
with the SSL options and defines for them.

Instead of fixing nginx build after each removal, be proactive
and guard use of all SSL options for bug workarounds.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 3f5f0ab59b35 -r 9c59138cd703 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Mon Sep 01 18:20:18 2014 +0400
+++ b/src/event/ngx_event_openssl.c	Wed Sep 03 14:49:55 2014 -0700
@@ -206,13 +206,23 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     /* client side options */
     SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
     /* server side options */
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
     /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
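Review bot: the hunk header `@@ -206,13 +206,23 @@` announces ten added lines, but the hunk as quoted carries only unchanged context (the two client-side and two server-side `SSL_CTX_set_options` calls and the SSL 2.0 rollback comment), so not a single `+#ifdef`/`+#endif` line is visible and the guards for `SSL_OP_MICROSOFT_SESS_ID_BUG`, `SSL_OP_NETSCAPE_CHALLENGE_BUG`, `SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG` and `SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER` cannot be reviewed from this message. Please resend with the full hunk or point at the changeset, and confirm that each option sits under a guard on its own macro name (`#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG` ... `#endif`, one pair per call) rather than several calls under one `#ifdef`, since a fork that removes only the first macro would otherwise silently drop the others. Note that `SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER` lacks the `_BUG` suffix, so a sweep keyed on that suffix needs to include it explicitly.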
@@ -223,10 +233,17 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
+#ifdef SSL_OP_TLS_D5_BUG
     SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
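Review bot: the added `#ifdef SSL_OP_TLS_D5_BUG` has no matching `#endif` in the quoted hunk: the `SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG)` line it guards is followed directly by the `SSL_OP_TLS_BLOCK_PADDING_BUG`, `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` and `SSL_OP_SINGLE_DH_USE` calls as unchanged context, and the header's `+233,17` promises seven added lines where only this one is visible. As shown, the file either fails to preprocess (unterminated conditional) or, if the `#endif` lands lower, pulls those three unrelated calls into the D5 conditional, so a fork without `SSL_OP_TLS_D5_BUG` would lose `SSL_OP_SINGLE_DH_USE` too. Suggested shape: `#ifdef SSL_OP_TLS_D5_BUG` / `SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);` / `#endif`, then a separate `#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG` pair around its own call; `SSL_OP_SINGLE_DH_USE` is a hardening option rather than a bug workaround and should stay outside any guard, and `SSL_OP_SSLEAY_080_CLIENT_DH_BUG` in the first context line of this hunk still appears unguarded here.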

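The commit's rule, guard every bug-workaround option on its own macro so a fork that deletes the define drops the option instead of breaking the build, is easy to apply unevenly by hand, and the quoted hunks show how an `#ifdef` with no visible `#endif` slips through. The checker below is an added example, not part of this patch or of nginx: it walks a C fragment, tracks which macros each `#if`/`#ifdef` branch guarantees defined, and reports workaround options set outside a guard on their own name, unclosed guards, and stray `#endif`s. The `is_bug_workaround` policy (names ending in `_BUG`) and the two embedded C fragments are constructed assumptions; the first fragment mirrors the shape of the second hunk as quoted, the second shows the guarded form.

```python
import re
from typing import Callable, List, Set, Tuple

# Matches "SSL_CTX_set_options(ctx, <expr>)" and captures <expr>, so calls that
# OR several options together ("SSL_OP_A | SSL_OP_B") are handled as well.
SET_OPTIONS_RE = re.compile(r"SSL_CTX_set_options\s*\([^,]+,([^)]*)\)")
OPTION_NAME_RE = re.compile(r"SSL_OP_[A-Z0-9_]+")
DIRECTIVE_RE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b(.*)$")


def is_bug_workaround(name: str) -> bool:
    """Assumed policy: the workaround options in the patch all end in _BUG.
    (SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER would need adding by a caller.)"""
    return name.endswith("_BUG")


def _guaranteed_defined(kind: str, expr: str) -> Set[str]:
    """Macros that are certainly defined inside the branch a directive opens."""
    expr = expr.strip()
    if kind == "ifdef":
        return {expr.split()[0]} if expr else set()
    # "#if defined(A) && defined(B)" guarantees both; an "||" or a negation
    # guarantees nothing, so be conservative there.
    if kind in ("if", "elif") and "||" not in expr and not expr.startswith("!"):
        return set(re.findall(r"defined\s*\(?\s*([A-Za-z_]\w*)", expr))
    return set()  # ifndef, else, or an expression we cannot reason about


def check_guards(source: str, policy: Callable[[str], bool] = is_bug_workaround
                 ) -> Tuple[List[Tuple[int, str]], List[int], List[int]]:
    """Return (unguarded, unclosed, stray_endif).

    unguarded: (line, option) pairs for workaround options set while their own
               macro is not known to be defined;
    unclosed:  lines of #if/#ifdef/#ifndef never closed by an #endif;
    stray_endif: lines of an #endif with no open conditional."""
    stack: List[Tuple[int, Set[str]]] = []   # (directive line, macros known defined)
    unguarded: List[Tuple[int, str]] = []
    stray_endif: List[int] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        d = DIRECTIVE_RE.match(line)
        if d:
            kind, expr = d.group(1), d.group(2)
            if kind in ("ifdef", "ifndef", "if"):
                stack.append((lineno, _guaranteed_defined(kind, expr)))
            elif kind in ("elif", "else") and stack:
                stack[-1] = (lineno, _guaranteed_defined(kind, expr))
            elif kind == "endif":
                if stack:
                    stack.pop()
                else:
                    stray_endif.append(lineno)
            continue
        defined = set().union(*(macros for _, macros in stack))
        for call in SET_OPTIONS_RE.finditer(line):
            for name in OPTION_NAME_RE.findall(call.group(1)):
                if policy(name) and name not in defined:
                    unguarded.append((lineno, name))
    unclosed = [lineno for lineno, _ in stack]
    return unguarded, unclosed, stray_endif


# Constructed fragment mirroring the shape of the second quoted hunk: one
# #ifdef opened around several options and never closed.
AS_QUOTED = """\
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
#ifdef SSL_OP_TLS_D5_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
"""

# Constructed fragment with one guard per workaround macro; the non-workaround
# options stay unconditional.
GUARDED = """\
#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
#endif
#ifdef SSL_OP_TLS_D5_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
#endif
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
#endif
    SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
"""

if __name__ == "__main__":
    for label, src in (("as quoted", AS_QUOTED), ("guarded", GUARDED)):
        unguarded, unclosed, stray = check_guards(src)
        print(f"{label}: unguarded={unguarded} unclosed={unclosed} stray_endif={stray}")
```

Run against a real `ngx_event_openssl.c` with `check_guards(open(path).read())`; the conservative handling of `||` means an option set under `#if defined(A) || defined(B)` is reported even when it happens to be safe, which is the right bias for a build-break check.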
More information about the nginx-devel mailing list