SSLv3 protocol with LibreSSL

Kuramoto Eiji ek at kuramoto.org
Thu Feb 26 11:00:57 UTC 2015


Hello,

At Tue, 24 Feb 2015 21:53:21 +0300,
Maxim Dounin wrote:
> I don't think we want LibreSSL-specific code like this.  
> Rather, I see two possible options:
> 
> 1) Respect LibreSSL decision to disable SSLv3 and don't do 
> anything.  That is, keep it as is.  This basically means that 
> there will be no SSLv3 support if you are using nginx with 
> LibreSSL.  Much like there is no SSLv2 support either, because it 
> was removed from LibreSSL.
> 
> 2) Clear all protocol options we know about.  This will ensure 
> that future changes like the one in LibreSSL will not affect 
> nginx:
> 
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -249,6 +249,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
>  
>      SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
>  
> +#ifdef SSL_CTRL_CLEAR_OPTIONS
> +    SSL_clear_options(ssl->ctx,
> +                      SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
> +#endif
> +
>      if (!(protocols & NGX_SSL_SSLv2)) {
>          SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
>      }
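Review bot: the clear in the `#ifdef SSL_CTRL_CLEAR_OPTIONS` block passes `ssl->ctx`, an `SSL_CTX *`, to `SSL_clear_options`, which operates on an `SSL *`; the context-level call is `SSL_CTX_clear_options`, so the line should read `SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);`. With the older macro definitions this compiles but routes the context through `SSL_ctrl` instead of `SSL_CTX_ctrl`; with real prototypes it is an incompatible-pointer warning or error. A short comment above the guard saying that builds without `SSL_CTRL_CLEAR_OPTIONS` keep whatever defaults the library set would also make the intent of the `#ifdef` clear to the next reader.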
> @@ -259,11 +264,13 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
>          SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
>      }
>  #ifdef SSL_OP_NO_TLSv1_1
> +    SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
>      if (!(protocols & NGX_SSL_TLSv1_1)) {
>          SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
>      }
>  #endif
>  #ifdef SSL_OP_NO_TLSv1_2
> +    SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
>      if (!(protocols & NGX_SSL_TLSv1_2)) {
>          SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
>      }
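Review bot: the two per-version clears are placed inside `#ifdef SSL_OP_NO_TLSv1_1` and `#ifdef SSL_OP_NO_TLSv1_2` but outside the `SSL_CTRL_CLEAR_OPTIONS` guard that protects the first clear, so they compile only because every build that defines those two options also has the clear control; that ordering dependency is implicit, and splitting the reset between one grouped call and two scattered ones makes it easy to forget a future `SSL_OP_NO_*` bit. Suggest a single guarded reset before the `if` chain, with the TLSv1.1 and TLSv1.2 bits OR-ed into the mask under their own `#ifdef`s, e.g. `SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|...)`. These lines also need `SSL_CTX_clear_options` rather than `SSL_clear_options`, since `ssl->ctx` is an `SSL_CTX *`, not an `SSL *`.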
> 
> Not sure which of the above I would prefer, as both variants have 
> their pros and cons.

Of course, I don't want to use the SSLv2 and SSLv3 protocols, but ...
some old mobile phones in Japan can only use the SSLv2 or SSLv3 protocol,
so the SSLv3 option is still required.

I would prefer option #2, clearing all protocol options as your patch does.

Thanks.

- Kuramoto Eiji
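The difference between the two options Maxim lists can be shown on a small model of the option bitmask. The following C program is an added example for this thread, not code from nginx, OpenSSL or LibreSSL: the `mock_ctx_t` struct, the `OPT_NO_*` and `PROTO_*` bit values and the "library default" that pre-sets NO_SSLv2|NO_SSLv3 are all constructed stand-ins for `SSL_CTX`, `SSL_OP_NO_*`, `NGX_SSL_*` and a LibreSSL-like context. It runs the same per-protocol `if` chain as `ngx_ssl_create` once on top of the library defaults (option 1) and once after clearing every known NO_* bit (option 2, the approach of the quoted patch), and reports whether the configured protocols actually take effect.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the protocol-option handling discussed in the thread.
 * The struct, the OPT_* / PROTO_* bit values and the library default below
 * are stand-ins chosen for this example; they are not OpenSSL's or nginx's
 * real values.
 */
typedef struct {
    uint32_t options;   /* stands in for the SSL_CTX options bitmask */
} mock_ctx_t;

/* Stand-ins for SSL_OP_NO_* (values chosen for the example only). */
#define OPT_NO_SSLv2    0x01u
#define OPT_NO_SSLv3    0x02u
#define OPT_NO_TLSv1    0x04u
#define OPT_NO_TLSv1_1  0x08u
#define OPT_NO_TLSv1_2  0x10u
#define OPT_NO_ALL      (OPT_NO_SSLv2 | OPT_NO_SSLv3 | OPT_NO_TLSv1 | \
                         OPT_NO_TLSv1_1 | OPT_NO_TLSv1_2)

/* Stand-ins for the NGX_SSL_* flags that encode the ssl_protocols directive. */
#define PROTO_SSLv2     0x01u
#define PROTO_SSLv3     0x02u
#define PROTO_TLSv1     0x04u
#define PROTO_TLSv1_1   0x08u
#define PROTO_TLSv1_2   0x10u

/* A library that disables SSLv2 and SSLv3 in a freshly created context,
 * as the thread describes for LibreSSL. Constructed default for the example. */
static mock_ctx_t ctx_new_with_library_defaults(void)
{
    mock_ctx_t ctx;
    ctx.options = OPT_NO_SSLv2 | OPT_NO_SSLv3;
    return ctx;
}

/* Models of SSL_CTX_set_options / SSL_CTX_clear_options on the mask. */
static void ctx_set_options(mock_ctx_t *ctx, uint32_t op)   { ctx->options |= op; }
static void ctx_clear_options(mock_ctx_t *ctx, uint32_t op) { ctx->options &= ~op; }

/* The per-protocol chain: set NO_x for every protocol not in `protocols`.
 * This is the part that exists in both variants; it can only add bits. */
static void apply_protocol_chain(mock_ctx_t *ctx, uint32_t protocols)
{
    if (!(protocols & PROTO_SSLv2))   ctx_set_options(ctx, OPT_NO_SSLv2);
    if (!(protocols & PROTO_SSLv3))   ctx_set_options(ctx, OPT_NO_SSLv3);
    if (!(protocols & PROTO_TLSv1))   ctx_set_options(ctx, OPT_NO_TLSv1);
    if (!(protocols & PROTO_TLSv1_1)) ctx_set_options(ctx, OPT_NO_TLSv1_1);
    if (!(protocols & PROTO_TLSv1_2)) ctx_set_options(ctx, OPT_NO_TLSv1_2);
}

/* Option 1 from the thread: set only, leaving library defaults in place. */
uint32_t configure_set_only(uint32_t protocols)
{
    mock_ctx_t ctx = ctx_new_with_library_defaults();
    apply_protocol_chain(&ctx, protocols);
    return ctx.options;
}

/* Option 2 from the thread: clear every NO_* bit we know about, then set,
 * so the resulting mask depends only on the configured protocols. */
uint32_t configure_clear_then_set(uint32_t protocols)
{
    mock_ctx_t ctx = ctx_new_with_library_defaults();
    ctx_clear_options(&ctx, OPT_NO_ALL);
    apply_protocol_chain(&ctx, protocols);
    return ctx.options;
}

/* A protocol can be negotiated only if its NO_* bit ended up clear. */
int protocol_allowed(uint32_t options, uint32_t no_opt)
{
    return (options & no_opt) == 0;
}

int main(void)
{
    uint32_t wanted = PROTO_SSLv3 | PROTO_TLSv1;   /* "ssl_protocols SSLv3 TLSv1" */

    printf("set only:       SSLv3 %s\n",
           protocol_allowed(configure_set_only(wanted), OPT_NO_SSLv3)
               ? "allowed" : "blocked");
    printf("clear then set: SSLv3 %s\n",
           protocol_allowed(configure_clear_then_set(wanted), OPT_NO_SSLv3)
               ? "allowed" : "blocked");
    return 0;
}
```

With "SSLv3 TLSv1" configured, the set-only variant leaves the library's NO_SSLv3 bit in place and SSLv3 stays blocked, which is the behaviour reported at the top of the thread; the clear-then-set variant ends with exactly the bits the directive implies. The same model also shows the trade-off Maxim mentions: once the application clears everything first, a library decision to disable a protocol no longer has any effect, so the responsibility for the protocol floor moves entirely to the nginx configuration.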
