[PATCH] SSL: guard use of all SSL options for bug workarounds

Maxim Dounin mdounin at mdounin.ru
Mon Sep 8 17:12:38 UTC 2014


Hello!

On Mon, Sep 08, 2014 at 01:06:15AM -0700, Piotr Sikora wrote:

> Hey Maxim,
> 
> > After looking into http://trac.nginx.org/nginx/ticket/618,
> > I'm rather sceptical about BoringSSL-related fixes.
> 
> To be fair, it was a regression that was fixed pretty fast once reported.

The question is how many other such regressions were introduced and 
not yet reported.

> > On the other hand, if they indeed remove something we use, it may
> > be a good enough reason to reconsider the use of the flags
> > removed.
> 
> Most of the defines that they removed (SSL_OP_MICROSOFT_SESS_ID_BUG,
> SSL_OP_NETSCAPE_CHALLENGE_BUG, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG and
> SSL_OP_MSIE_SSLV2_RSA_PADDING) were for options that were removed from
> BoringSSL along with SSLv2 support.
> 
> They also removed SSL_OP_TLS_BLOCK_PADDING_BUG, which was broken for a
> while and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which nginx uses to
> disable CBC 0/n record splitting, which they replaced with CBC 1/n-1
> record splitting that is not enabled by default (see my other patch).
> 
> This, however, doesn't mean that those options aren't doing anything
> in OpenSSL (or LibreSSL, for that matter), especially when you insist
> on supporting ancient versions of OpenSSL, so I don't think that we
> should remove them from nginx.

Ok, it looks like there are no reasons to remove workarounds in 
question.  And as SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and 
SSL_OP_TLS_D5_BUG are the only remaining workarounds without 
guards, it makes sense to just use #ifdef's for all of them.

Committed, thanks.

-- 
Maxim Dounin
http://nginx.org/
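The thread settles on guarding every SSL_OP_* bug workaround with #ifdef so that nginx compiles against OpenSSL, LibreSSL and BoringSSL alike, whichever subset of the macros the header defines. The following C block is an added illustration of that pattern, not nginx's own code and not the committed patch. It replaces <openssl/ssl.h> with a constructed stand-in that defines only some of the macros (with invented values), the way a library that dropped the SSLv2-era workarounds would; in a real build the stand-in block is deleted and the real header included. The function and table names are hypothetical. It also adds something a defender typically wants: a list of which workarounds actually got compiled in, suitable for a startup log line, and a sentinel entry so the table is never empty when no macro is defined.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for <openssl/ssl.h>. Only a subset of the SSL_OP_*
 * workaround macros is defined, mimicking a library that removed the rest.
 * The numeric values are invented for this example and are NOT OpenSSL's.
 * In a real build: delete this block and #include <openssl/ssl.h>. */
#define SSL_OP_MICROSOFT_SESS_ID_BUG        0x00000001L
#define SSL_OP_NETSCAPE_CHALLENGE_BUG       0x00000002L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER   0x00000020L
#define SSL_OP_TLS_D5_BUG                   0x00000100L
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS  0x00000800L
/* SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, SSL_OP_MSIE_SSLV2_RSA_PADDING and
 * SSL_OP_TLS_BLOCK_PADDING_BUG are deliberately left undefined here. */

struct ssl_workaround {
    const char *name;
    long        bit;
};

/* Every entry is guarded, so the table always compiles. The trailing
 * { NULL, 0 } sentinel keeps the array non-empty even if no macro exists. */
static const struct ssl_workaround ssl_workarounds[] = {
#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
    { "SSL_OP_MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG },
#endif
#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
    { "SSL_OP_NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG },
#endif
#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
    { "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
#endif
#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
    { "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
#endif
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
    { "SSL_OP_MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING },
#endif
#ifdef SSL_OP_TLS_D5_BUG
    { "SSL_OP_TLS_D5_BUG", SSL_OP_TLS_D5_BUG },
#endif
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
    { "SSL_OP_TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG },
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    { "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
#endif
    { NULL, 0 }
};

/* Option mask to hand to SSL_CTX_set_options(); only compiled-in bits. */
long ssl_bug_workaround_options(void)
{
    long opts = 0;
    const struct ssl_workaround *w;

    for (w = ssl_workarounds; w->name != NULL; w++) {
        opts |= w->bit;
    }
    return opts;
}

/* Number of workarounds this build knows about. */
int ssl_bug_workaround_count(void)
{
    int n = 0;
    const struct ssl_workaround *w;

    for (w = ssl_workarounds; w->name != NULL; w++) {
        n++;
    }
    return n;
}

/* Space-separated names of the compiled-in workarounds, for a log line.
 * Returns a static buffer; output is truncated safely if it would overflow. */
const char *ssl_bug_workaround_list(void)
{
    static char buf[512];
    size_t used = 0;
    const struct ssl_workaround *w;

    buf[0] = '\0';
    for (w = ssl_workarounds; w->name != NULL; w++) {
        int n = snprintf(buf + used, sizeof(buf) - used, "%s%s",
                         used ? " " : "", w->name);
        if (n < 0 || (size_t) n >= sizeof(buf) - used) {
            break;              /* truncated: keep what fits */
        }
        used += (size_t) n;
    }
    return buf;
}

int main(void)
{
    printf("SSL bug workarounds compiled in (%d): %s\n",
           ssl_bug_workaround_count(), ssl_bug_workaround_list());
    printf("option mask: 0x%lx\n", ssl_bug_workaround_options());
    return 0;
}
```

Because the guards live on the table entries rather than on scattered SSL_CTX_set_options() calls, adding or dropping a workaround is a one-line change, and the startup log shows an operator exactly which legacy behaviours a given binary still enables against its TLS library.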