authorPiotr Sikora <piotr@cloudflare.com>2014-09-03 14:49:55 -0700
committerPiotr Sikora <piotr@cloudflare.com>2014-09-03 14:49:55 -0700
commit2af7181b3bb5b4bd84ca448f300c6aaf3dff4681 (patch)
treedf119096d0be2e27f0d3c63bd6ddf93dcb67fd2b /src
parentc0b3b9d6ca9e43bb4cb9f9720c467ce1dadf103a (diff)
downloadnginx-2af7181b3bb5b4bd84ca448f300c6aaf3dff4681.tar.gz
nginx-2af7181b3bb5b4bd84ca448f300c6aaf3dff4681.zip
SSL: guard use of all SSL options for bug workarounds.
Some of the OpenSSL forks (read: BoringSSL) started removing unused, no longer necessary and/or not really working bug workarounds along with the SSL options and defines for them. Instead of fixing the nginx build after each removal, be proactive and guard the use of all SSL options for bug workarounds. Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Diffstat (limited to 'src')
-rw-r--r--src/event/ngx_event_openssl.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index bb82143d3..fa7cc15e1 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -206,13 +206,23 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
/* client side options */
+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
+#endif
/* server side options */
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
+#endif
+
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
+#endif
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
@@ -223,10 +233,17 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
#endif
+#ifdef SSL_OP_TLS_D5_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
+#endif
+
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
+#endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+#endif
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);