[PATCH] SSL: guard use of all SSL options for bug workarounds

Maxim Dounin mdounin at mdounin.ru
Tue Sep 9 02:47:23 UTC 2014 

Hello!

On Mon, Sep 08, 2014 at 11:48:28PM +0200, Richard Fussenegger, BSc wrote:

> On 9/8/2014 7:22 PM, Maxim Dounin wrote:
> >Hello!
> >
> >On Mon, Sep 08, 2014 at 01:01:02PM +0200, Richard Fussenegger, BSc wrote:
> >
> >>Wouldn't it be better to drop support for ancient OpenSSL versions? It would
> >>be a great step for performance and security. Are there any good reasons to
> >>support old OpenSSL versions?
> >Dropping support doesn't changes anything for ones who uses modern
> >versions of the OpenSSL library.  And will upset ones who, for
> >some reason, have to use old versions.
> >
> >The only benefit of dropping support for older OpenSSL versions is
> >slightly lower code maintenance costs on nginx side.
> The nginx project could be a forerunner by removing support. Of course you
> would upset some admins but you know as well as I that many of those could
> easily upgrade but are unwilling to do so. If they can stick to outdated
> OpenSSL versions that have SERIOUS vulnerabilities regarding security and
> performance,

What make you think that there are any vulnerabilities?  As far as 
I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports 
compilation with) is still commercially supported as a part of at 
least one OS, and will be supported till 2017.

Even if there are, SSL isn't the only reason to compile nginx with 
OpenSSL.  Some just need MD5/SHA1 from OpenSSL for various uses 
within nginx itself, and some just use a single packet for 
everything - and any version of OpenSSL will do as long as it 
compiles, as SSL isn't used at all.

I personally more or less regularly test nginx on a system with 
OpenSSL 0.9.7d - and I'm fine as long as it compiles, as it's a 
test virtual machine.

> why would they need an updated nginx? Honestly, I don't

And that's another part of the problem: if they won't be able to 
update nginx, they won't update it.  And that's not we want to 
happen - instead, we want them to update nginx even if they stick 
to some old libraries for some reason.  And make this as painless 
as possible.

> understand this kind of politics. It would be much better to implement a
> policy that says (e.g.) current nginx versions supports two versions back of
> OpenSSL from the time of release of both. That would be a clear rule that
> anyone can easily understand and it would ensure proper updates and fixes
> for security problems of the complete Internet infrastructure. I think that

As of now, minimum supported OpenSSL version is 0.9.7, and this is 
documented in http://nginx.org/en/CHANGES.  That's certainly a 
clear rule that anyone can easily understand.

We'll probably bump this to 0.9.8 once we'll get bored with 0.9.7 
compatibility, but that's all we can do now without introducing a 
lot of trouble: various major OSes are shipped with 0.9.8*, and 
0.9.8 branch is still supported by OpenSSL.

> you underestimate the scope of engagement that nginx is playing now as
> second most used web server of the world. I think that the project should
> take that role much more serious. (Please don't answer with some like "but
> Apache httpd", the project shouldn't reiterate problems of other projects.)

I think you overestimate positive impact of not supporting old 
OpenSSL versions, and underestimate negative impact of this.

-- 
Maxim Dounin
http://nginx.org/

More information about the nginx-devel mailing list