[PATCH] SSL: guard use of all SSL options for bug workarounds
Richard Fussenegger, BSc
richard at fussenegger.info
Tue Sep 9 15:56:37 UTC 2014
On 9/9/2014 4:47 AM, Maxim Dounin wrote:
> What makes you think that there are any vulnerabilities? As far as
> I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
> compilation with) is still commercially supported as a part of at
> least one OS, and will be supported till 2017.
>
> Even if there are, SSL isn't the only reason to compile nginx with
> OpenSSL. Some just need MD5/SHA1 from OpenSSL for various uses
> within nginx itself, and some just use a single package for
> everything - and any version of OpenSSL will do as long as it
> compiles, as SSL isn't used at all.
I didn't think of situations in which no SSL/TLS is in use, and of course
the usage of old versions isn't an issue as long as they are secure (the
performance argument is nullified because no SSL/TLS is in use).
> And that's another part of the problem: if they won't be able to
> update nginx, they won't update it. And that's not what we want to
> happen - instead, we want them to update nginx even if they stick
> to some old libraries for some reason. And make this as painless
> as possible.
Of course this policy makes sense. But sometimes it would be a very good
idea to stop supporting some technologies, e.g. SSLv2, simply to help
the web evolve and get rid of old insecure technologies. Nginx is now
playing a leading role and can dictate or help in such matters, even if
that means that some pain in upgrades is introduced.
> I think you overestimate the positive impact of not supporting old OpenSSL
> versions, and underestimate the negative impact of this.
Seems so, but if maintenance is getting more complicated with supporting
multiple forks, it might become necessary. Or maybe it might be necessary
to reduce the number of supported forks, although I don't think that
this is a good idea, because the forks seem likely to introduce a lot of
interesting stuff in the future. I'm especially looking at BoringSSL and
the reduction of memory consumption per connection that Google was
talking about, which they might bring to the library.
Richard