SSLv3 protocol with LibreSSL
Kuramoto Eiji
ek at kuramoto.org
Thu Feb 26 11:00:57 UTC 2015
Hello,
At Tue, 24 Feb 2015 21:53:21 +0300,
Maxim Dounin wrote:
> I don't think we want LibreSSL-specific code like this.
> Rather, I see two possible options:
>
> 1) Respect LibreSSL decision to disable SSLv3 and don't do
> anything. That is, keep it as is. This basically means that
> there will be no SSLv3 support if you are using nginx with
> LibreSSL. Much like there is no SSLv2 support either, because it
> was removed from LibreSSL.
>
> 2) Clear all protocol options we know about. This will ensure
> that future changes like the one in LibreSSL will not affect
> nginx:
>
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -249,6 +249,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
>
> SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
>
> +#ifdef SSL_CTRL_CLEAR_OPTIONS
> + SSL_clear_options(ssl->ctx,
> + SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
> +#endif
> +
> if (!(protocols & NGX_SSL_SSLv2)) {
> SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
> }
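Review bot: `SSL_clear_options` takes an `SSL *`, but the first argument here is `ssl->ctx`, an `SSL_CTX *`; the context-level counterpart is `SSL_CTX_clear_options`, so the added call should read `SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);`. The `#ifdef SSL_CTRL_CLEAR_OPTIONS` guard is appropriate, since that control does not exist in older OpenSSL releases, and a one-line comment saying why the flags are cleared (so that a library that pre-disables a protocol, as LibreSSL does with SSLv3, cannot override the protocols nginx was configured with) would help the next reader. Worth stating in the commit message: after this clear, the nginx `ssl_protocols` directive alone decides whether SSLv3 is offered, so an administrator who relied on the library refusing SSLv3 must make sure `SSLv3` is not listed there.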
> @@ -259,11 +264,13 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
> SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
> }
> #ifdef SSL_OP_NO_TLSv1_1
> + SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
> if (!(protocols & NGX_SSL_TLSv1_1)) {
> SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
> }
> #endif
> #ifdef SSL_OP_NO_TLSv1_2
> + SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
> if (!(protocols & NGX_SSL_TLSv1_2)) {
> SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
> }
>
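Review bot: same argument-type problem as in the first hunk: both added `SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1)` and `SSL_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2)` lines pass an `SSL_CTX *` where an `SSL *` is expected and should use `SSL_CTX_clear_options`. These two clears are also guarded only by `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2`, not by the `#ifdef SSL_CTRL_CLEAR_OPTIONS` used in the first hunk; either add the same guard, or hoist them into the single clear above so that there is one guard and one place to audit which protocol flags nginx resets before applying `protocols`.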
> Not sure which of the above I would prefer, as both variants have
> their pros and cons.
Of course, I don't want to use the SSLv2 and SSLv3 protocols, but ...
Some old mobile phones in Japan can only use the SSLv2 or SSLv3 protocol,
so the SSLv3 option is still required.
I would prefer option #2, clearing all protocol options like your patch does.
Thanks.
- Kuramoto Eiji