[PATCH] SSL support for the mail proxy module
Kunal Pariani
kpariani at zimbra.com
Wed Sep 10 21:29:53 UTC 2014
Based on your comments, should I add all the SSL-related directives in the http proxy module to the mail proxy module as part of this? Mainly these ones below:
proxy_ssl_ciphers
proxy_ssl_crl
proxy_ssl_name
proxy_ssl_server_name
proxy_ssl_session_reuse
proxy_ssl_protocols
proxy_ssl_trusted_certificate
proxy_ssl_verify
proxy_ssl_verify_depth
Thanks
-Kunal
----- Original Message -----
From: "Maxim Dounin" <mdounin at mdounin.ru>
To: "nginx-devel" <nginx-devel at nginx.org>
Sent: Monday, September 8, 2014 12:24:03 PM
Subject: Re: [PATCH] SSL support for the mail proxy module
Hello!
On Mon, Sep 08, 2014 at 10:19:17AM -0700, Quanah Gibson-Mount wrote:
> --On Friday, August 22, 2014 5:13 PM -0500 Kunal Pariani
> <kpariani at zimbra.com> wrote:
>
> >
> >
> >Any comments on this yet ?
>
> Any nginx developers who could comment on this?
Some obvious problems with the patch:
- it's corrupted by author's mail client, and hence can't be
applied/tested;
- there are various style violations, like C++-style comments;
- it introduces yet another "SSL without certificate verification"
case, which is believed to be bad (similar thing was recently
resolved by introducing proxy_ssl_verify in the http proxy
module);
Some more comments below.
[...]
> >+ // don't support SSLv2 anymore
> >
> >+ if (ngx_ssl_create(pcf->ssl, NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
> >
> >+ != NGX_OK) {
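Review bot: the mask `NGX_SSL_SSLv3|NGX_SSL_TLSv1` hardcodes what the upstream connection may negotiate, so TLSv1.1 and TLSv1.2 are excluded and an administrator has no way to change that; expose the protocol set through a directive like the `proxy_ssl_protocols` one listed earlier in this thread instead of a fixed mask. The comment above it should be a `/* ... */` comment that states which protocols are enabled rather than the one that is dropped, and with a condition wrapped onto a second line nginx style puts the `{` on its own line rather than after `!= NGX_OK)`.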
It is incorrect to support SSLv3 and TLSv1 only. By default
NGX_SSL_TLSv1_1 and NGX_SSL_TLSv1_2 should be allowed, too. It
may also be a good idea to make this configurable like in the http
proxy module.
Also, 2 style issues here: "//" comment and incorrectly placed
"{".
[...]
> >+ if (ngx_ssl_create_connection(pcf->ssl, c,
> >
> >+ NGX_SSL_BUFFER|NGX_SSL_CLIENT)
> >
> >+ != NGX_OK)
> >
> >+ {
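Review bot: drop `NGX_SSL_BUFFER` from the flags passed to `ngx_ssl_create_connection()` here and pass `NGX_SSL_CLIENT` alone; the flag enables buffered writes, which the recv()/send()-driven mail protocol code does not expect, and keeping the flags identical to the mail module's other `ngx_ssl_create_connection()` calls avoids a behaviour difference that is easy to miss later. The brace placement in this hunk, `{` on its own line after the wrapped condition, is the form nginx uses, so the earlier `ngx_ssl_create()` call should follow the same pattern.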
The NGX_SSL_BUFFER is incorrect here. It won't currently make any
difference as the code only uses c->recv() / c->send(), but
nevertheless mail protocols don't assume buffering, and the mail
module intentionally doesn't use NGX_SSL_BUFFER in its
ngx_ssl_create_connection() calls.
--
Maxim Dounin
http://nginx.org/
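The http `proxy_ssl_*` directives named in this thread, as an added configuration example (not part of the patch or of either message), showing the "SSL without certificate verification" case the review objects to beside a verified one; the upstream name and certificate paths are placeholders:

```nginx
# Added example, not from the patch or the thread. Upstream name and
# file paths are placeholders.

# Weak: TLS to the upstream, but the peer certificate is never checked
# (proxy_ssl_verify defaults to off), so any certificate is accepted.
location /weak/ {
    proxy_pass https://backend.example;   # placeholder upstream
    proxy_ssl_verify off;
}

# Hardened: restrict protocols and ciphers, verify the upstream chain
# against a local trust store, check revocation, pin the expected name,
# send SNI and reuse sessions.
location /verified/ {
    proxy_pass https://backend.example;   # placeholder upstream
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/nginx/certs/backend-ca.pem;  # placeholder path
    proxy_ssl_crl /etc/nginx/certs/backend-ca.crl;                  # placeholder path
    proxy_ssl_name backend.example;
    proxy_ssl_server_name on;
    proxy_ssl_session_reuse on;
}
```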
_______________________________________________
nginx-devel mailing list
nginx-devel at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel