[PATCH] SSL: guard use of all SSL options for bug workarounds
Richard Fussenegger, BSc
richard at fussenegger.info
Mon Sep 8 21:48:28 UTC 2014
On 9/8/2014 7:22 PM, Maxim Dounin wrote:
> On Mon, Sep 08, 2014 at 01:01:02PM +0200, Richard Fussenegger, BSc wrote:
>> Wouldn't it be better to drop support for ancient OpenSSL versions? It would
>> be a great step for performance and security. Are there any good reasons to
>> support old OpenSSL versions?
> Dropping support doesn't change anything for those who use modern
> versions of the OpenSSL library. And it will upset those who, for
> some reason, have to use old versions.
> The only benefit of dropping support for older OpenSSL versions is
> slightly lower code maintenance costs on nginx side.
The nginx project could be a forerunner by removing support. Of course
you would upset some admins but you know as well as I that many of those
could easily upgrade but are unwilling to do so. If they can stick to
outdated OpenSSL versions that have SERIOUS vulnerabilities regarding
security and performance, why would they need an updated nginx?
Honestly, I don't understand this kind of politics. It would be much
better to implement a policy that says (e.g.) that current nginx versions
support OpenSSL versions up to two releases back from the time of release of both.
That would be a clear rule that anyone can easily understand and it
would ensure proper updates and fixes for security problems of the
complete Internet infrastructure. I think that you underestimate the
scope of engagement that nginx has now as the second most used web
server in the world. I think that the project should take that role much
more seriously. (Please don't answer with something like "but Apache httpd";
the project shouldn't reiterate the problems of other projects.)
And of course we could take the reduced maintenance costs and benefit