[PATCH] SSL: guard use of all SSL options for bug workarounds

Alex alex at zeitgeist.se
Tue Sep 9 08:11:27 UTC 2014


On 2014-09-09 04:47, Maxim Dounin wrote:
> What make you think that there are any vulnerabilities?  As far as
> I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
> compilation with) is still commercially supported as a part of at
> least one OS, and will be supported till 2017.

Indeed. For example, OpenSSL before 1.0.1 (including the 0.9.8 and 0.9.7 
branches) were not vulnerable to Heartbleed. New versions bring new 
features which may also open room for new vulnerabilities. What's 
important is that long term distributions continue backport 
vulnerability fixes.

> We'll probably bump this to 0.9.8 once we'll get bored with 0.9.7
> compatibility, but that's all we can do now without introducing a
> lot of trouble: various major OSes are shipped with 0.9.8*, and
> 0.9.8 branch is still supported by OpenSSL.

That would make sense. 0.9.7 isn't officially supported anymore (i.e. 
it's completely up to long term distributions to backport fixes). 0.9.8 
however still is, with the latest version being 0.9.8zb that was just 
released last month.

More information about the nginx-devel mailing list