[PATCH] SSL: enable CBC 1/n-1 record splitting on the client side

Piotr Sikora piotr at cloudflare.com
Wed Sep 3 21:53:25 UTC 2014


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1409780995 25200
#      Wed Sep 03 14:49:55 2014 -0700
# Node ID 2d40a7b1e3bc01777fcae9576b3860e70ca273bb
# Parent  3f5f0ab59b359064db16e1aa52dfca335720dff6
SSL: enable CBC 1/n-1 record splitting on the client side.

This is currently available only in BoringSSL, where it replaced
CBC 0/n record splitting (empty fragments), which is disabled in
nginx due to the (legacy?) interoperability issues.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 3f5f0ab59b35 -r 2d40a7b1e3bc src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Mon Sep 01 18:20:18 2014 +0400
+++ b/src/event/ngx_event_openssl.c	Wed Sep 03 14:49:55 2014 -0700
@@ -972,6 +972,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
     if (flags & NGX_SSL_CLIENT) {
         SSL_set_connect_state(sc->connection);
 
+#ifdef SSL_MODE_CBC_RECORD_SPLITTING
+        SSL_set_mode(sc->connection, SSL_MODE_CBC_RECORD_SPLITTING);
+#endif
+
     } else {
         SSL_set_accept_state(sc->connection);
     }



More information about the nginx-devel mailing list