[PATCH] SSL support for the mail proxy module

Kunal Pariani kpariani at zimbra.com
Wed Sep 10 21:29:53 UTC 2014


Based on your comments, Should i add all the ssl related directives in the http proxy module to the mail proxy module as part of this ? Mainly these ones below

     proxy_ssl_ciphers
     proxy_ssl_crl
     proxy_ssl_name
     proxy_ssl_server_name
     proxy_ssl_session_reuse
     proxy_ssl_protocols
     proxy_ssl_trusted_certificate
     proxy_ssl_verify
     proxy_ssl_verify_depth

Thanks
-Kunal
----- Original Message -----
From: "Maxim Dounin" <mdounin at mdounin.ru>
To: "nginx-devel" <nginx-devel at nginx.org>
Sent: Monday, September 8, 2014 12:24:03 PM
Subject: Re: [PATCH] SSL support for the mail proxy module

Hello!

On Mon, Sep 08, 2014 at 10:19:17AM -0700, Quanah Gibson-Mount wrote:

> --On Friday, August 22, 2014 5:13 PM -0500 Kunal Pariani
> <kpariani at zimbra.com> wrote:
> 
> >
> >
> >Any comments on this yet ?
> 
> Any nginx developers who could comment on this?

Some obvious problems with the patch:

- it's corrupted by author's mail client, and hence can't be 
  applied/tested;

- there are various style violations, like C++-style comments;

- it introduces yet another "SSL without certificate verification" 
  case, which is believed to be bad (similar thing was recently 
  resolved by introducing proxy_ssl_verify in the http proxy 
  module);

Some more comments below.

[...]

> >+    // don't support SSLv2 anymore
> >
> >+    if (ngx_ssl_create(pcf->ssl, NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
> >
> >+            != NGX_OK) {

It is incorrect to support SSLv3 and TLSv1 only.  By default 
NGX_SSL_TLSv1_1 and NGX_SSL_TLSv1_2 should be allowed, too.  It's 
also may be a good idea to make this configurable like in http 
proxy module.

Also, 2 style issues here: "//" comment and incorrectly placed 
"{".

[...]

> >+    if (ngx_ssl_create_connection(pcf->ssl, c,
> >
> >+                                  NGX_SSL_BUFFER|NGX_SSL_CLIENT)
> >
> >+        != NGX_OK)
> >
> >+    {

The NGX_SSL_BUFFER is incorrect here.  It won't currently make any 
difference as the code only uses c->recv() / c->send(), but 
nevertheless mail protocols doesn't assume buffering, and the mail 
module doesn't use NGX_SSL_BUFFER in ngx_ssl_create_connection() 
calls intentionally. 

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel



More information about the nginx-devel mailing list