[PATCH] SSL support for the mail proxy module
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 8 19:24:03 UTC 2014
Hello!
On Mon, Sep 08, 2014 at 10:19:17AM -0700, Quanah Gibson-Mount wrote:
> --On Friday, August 22, 2014 5:13 PM -0500 Kunal Pariani
> <kpariani at zimbra.com> wrote:
>
> >
> >
> >Any comments on this yet ?
>
> Any nginx developers who could comment on this?
Some obvious problems with the patch:
- it's corrupted by author's mail client, and hence can't be
applied/tested;
- there are various style violations, like C++-style comments;
- it introduces yet another "SSL without certificate verification"
case, which is believed to be bad (similar thing was recently
resolved by introducing proxy_ssl_verify in the http proxy
module);
Some more comments below.
[...]
> >+ // don't support SSLv2 anymore
> >
> >+ if (ngx_ssl_create(pcf->ssl, NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
> >
> >+ != NGX_OK) {
It is incorrect to support SSLv3 and TLSv1 only. By default
NGX_SSL_TLSv1_1 and NGX_SSL_TLSv1_2 should be allowed, too. It's
also may be a good idea to make this configurable like in http
proxy module.
Also, 2 style issues here: "//" comment and incorrectly placed
"{".
[...]
> >+ if (ngx_ssl_create_connection(pcf->ssl, c,
> >
> >+ NGX_SSL_BUFFER|NGX_SSL_CLIENT)
> >
> >+ != NGX_OK)
> >
> >+ {
The NGX_SSL_BUFFER is incorrect here. It won't currently make any
difference as the code only uses c->recv() / c->send(), but
nevertheless mail protocols doesn't assume buffering, and the mail
module doesn't use NGX_SSL_BUFFER in ngx_ssl_create_connection()
calls intentionally.
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list