SSL: guard use of all SSL options for bug workarounds.
Some of the OpenSSL forks (read: BoringSSL) started removing unused, no longer necessary and/or not really working bug workarounds along with the SSL options and defines for them. Instead of fixing nginx build after each removal, be proactive and guard use of all SSL options for bug workarounds. Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
This commit is contained in:
parent
a3703b9cfe
commit
b2b1381cb6
1 changed files with 18 additions and 1 deletions
|
@ -206,13 +206,23 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|||
|
||||
/* client side options */
|
||||
|
||||
#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
|
||||
#endif
|
||||
|
||||
/* server side options */
|
||||
|
||||
#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
|
||||
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
|
||||
|
@ -223,10 +233,17 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|||
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_TLS_D5_BUG
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
||||
#endif
|
||||
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
|
||||
|
||||
|
|
Loading…
Reference in a new issue