[PATCH] SSL: enable CBC 1/n-1 record splitting on the client side
Piotr Sikora
piotr at cloudflare.com
Wed Sep 3 21:53:25 UTC 2014
# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1409780995 25200
# Wed Sep 03 14:49:55 2014 -0700
# Node ID 2d40a7b1e3bc01777fcae9576b3860e70ca273bb
# Parent 3f5f0ab59b359064db16e1aa52dfca335720dff6
SSL: enable CBC 1/n-1 record splitting on the client side.
This is currently available only in BoringSSL, where it replaced
CBC 0/n record splitting (empty fragments), which is disabled in
nginx due to the (legacy?) interoperability issues.
Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
diff -r 3f5f0ab59b35 -r 2d40a7b1e3bc src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Sep 01 18:20:18 2014 +0400
+++ b/src/event/ngx_event_openssl.c Wed Sep 03 14:49:55 2014 -0700
@@ -972,6 +972,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
if (flags & NGX_SSL_CLIENT) {
SSL_set_connect_state(sc->connection);
+#ifdef SSL_MODE_CBC_RECORD_SPLITTING
+ SSL_set_mode(sc->connection, SSL_MODE_CBC_RECORD_SPLITTING);
+#endif
+
} else {
SSL_set_accept_state(sc->connection);
}
More information about the nginx-devel
mailing list