[PATCH] SSL: enable CBC 1/n-1 record splitting on the client side
Richard Fussenegger, BSc
richard at fussenegger.info
Thu Sep 4 08:28:39 UTC 2014
Definitely not a legacy interoperability issue, e.g.:
https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c59
Even with 1/n-1, many problems arise, but at least not as many as with
the 0/n approach:
https://www.imperialviolet.org/2012/01/15/beastfollowup.html
Richard
On 9/3/2014 11:53 PM, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1409780995 25200
> # Wed Sep 03 14:49:55 2014 -0700
> # Node ID 2d40a7b1e3bc01777fcae9576b3860e70ca273bb
> # Parent 3f5f0ab59b359064db16e1aa52dfca335720dff6
> SSL: enable CBC 1/n-1 record splitting on the client side.
>
> This is currently available only in BoringSSL, where it replaced
> CBC 0/n record splitting (empty fragments), which is disabled in
> nginx due to the (legacy?) interoperability issues.
>
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
>
> diff -r 3f5f0ab59b35 -r 2d40a7b1e3bc src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Mon Sep 01 18:20:18 2014 +0400
> +++ b/src/event/ngx_event_openssl.c Wed Sep 03 14:49:55 2014 -0700
> @@ -972,6 +972,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
> if (flags & NGX_SSL_CLIENT) {
> SSL_set_connect_state(sc->connection);
>
> +#ifdef SSL_MODE_CBC_RECORD_SPLITTING
> + SSL_set_mode(sc->connection, SSL_MODE_CBC_RECORD_SPLITTING);
> +#endif
> +
> } else {
> SSL_set_accept_state(sc->connection);
> }
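Review bot: the added SSL_set_mode(sc->connection, SSL_MODE_CBC_RECORD_SPLITTING) call carries no comment saying what the mode does or why it is wrapped in #ifdef; since the commit message itself states that this is BoringSSL-only and that it replaces the disabled CBC 0/n (empty fragment) splitting, put that one-line rationale next to the #ifdef so a reader of ngx_event_openssl.c does not have to find this thread. The placement is otherwise sound: SSL_set_mode ORs the flag into the connection's existing mode bits rather than replacing them, the #ifdef keeps the build working against libraries that do not define the macro, and applying it only under NGX_SSL_CLIENT matches the client-side scope the subject line states.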
>