[PATCH] SSL: guard use of all SSL options for bug workarounds

Richard Fussenegger, BSc richard at fussenegger.info
Mon Sep 8 21:48:28 UTC 2014


On 9/8/2014 7:22 PM, Maxim Dounin wrote:
> Hello!
>
> On Mon, Sep 08, 2014 at 01:01:02PM +0200, Richard Fussenegger, BSc wrote:
>
>> Wouldn't it be better to drop support for ancient OpenSSL versions? It would
>> be a great step for performance and security. Are there any good reasons to
>> support old OpenSSL versions?
> Dropping support doesn't change anything for those who use modern
> versions of the OpenSSL library.  And it will upset those who, for
> some reason, have to use old versions.
>
> The only benefit of dropping support for older OpenSSL versions is
> slightly lower code maintenance costs on nginx side.
The nginx project could be a forerunner by removing support. Of course
you would upset some admins, but you know as well as I do that many of those
could easily upgrade but are unwilling to do so. If they can stick to
outdated OpenSSL versions that have SERIOUS vulnerabilities regarding
security and performance, why would they need an updated nginx?
Honestly, I don't understand this kind of politics. It would be much
better to implement a policy that says (e.g.) current nginx versions
support two versions back of OpenSSL from the time of release of both.
That would be a clear rule that anyone can easily understand, and it
would ensure proper updates and fixes for security problems of the
complete Internet infrastructure. I think that you underestimate the
scope of engagement that nginx is playing now as the second most used web
server in the world. I think that the project should take that role much
more seriously. (Please don't answer with something like "but Apache httpd";
the project shouldn't reiterate problems of other projects.)

And of course we could take the reduced maintenance costs and benefit 
from it.

Richard
