[PATCH] SSL: guard use of all SSL options for bug workarounds

Richard Fussenegger, BSc richard at fussenegger.info
Tue Sep 9 15:56:37 UTC 2014


On 9/9/2014 4:47 AM, Maxim Dounin wrote:
> What makes you think that there are any vulnerabilities?  As far as
> I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
> compilation with) is still commercially supported as a part of at
> least one OS, and will be supported till 2017.
>
> Even if there are, SSL isn't the only reason to compile nginx with
> OpenSSL.  Some just need MD5/SHA1 from OpenSSL for various uses
> within nginx itself, and some just use a single packet for
> everything - and any version of OpenSSL will do as long as it
> compiles, as SSL isn't used at all.
I didn't think of situations in which no SSL/TLS is in use, and of course 
the usage of old versions isn't an issue as long as they are secure (the 
performance argument is nullified because no SSL/TLS is in use).

> And that's another part of the problem: if they won't be able to
> update nginx, they won't update it.  And that's not what we want to
> happen - instead, we want them to update nginx even if they stick
> to some old libraries for some reason.  And make this as painless
> as possible.
Of course this policy makes sense. But sometimes it would be a very good 
idea to stop supporting some technologies, e.g. SSLv2, simply to help 
the web evolve and get rid of old insecure technologies. Nginx is now 
playing a leading role and can dictate or help in such matters, even if 
that means that some pain in upgrades is introduced.

> I think you overestimate positive impact of not supporting old OpenSSL 
> versions, and underestimate negative impact of this. 
Seems so, but if maintenance is getting more complicated with supporting 
multiple forks it might become necessary. Or maybe it might be necessary 
to reduce the number of supported forks. Although I don't think that 
this is a good idea, because the forks seem to be introducing a lot of 
interesting stuff in the future. I'm especially looking at BoringSSL and 
the reduction of memory consumption per connection that Google was 
talking about that they might bring to the library.

Richard

