Opened 12 years ago
Closed 12 years ago
#461 closed defect (worksforme)
Client: OpenSSL SSLv2 options set even with SSL_OP_NO_SSLv2
| Reported by: | Jeffrey Walton | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | | Cc: | |

uname -a:

```
$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64
```

nginx -V:

```
$ objs/nginx -V
nginx version: nginx/1.4.4
configure arguments:
```
Description
SSL_OP_NO_SSLv2 precludes SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG.
From ngx_event_openssl.c, around line 180:
```c
    /* client side options */
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);

    ...

    if (!(protocols & NGX_SSL_SSLv2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
    }
    if (!(protocols & NGX_SSL_SSLv3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
    }
    if (!(protocols & NGX_SSL_TLSv1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
    }
```
Perhaps something like the following would be useful for clients:
```c
    if (protocols & NGX_SSL_SSLv2) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
    }
```
If `<openssl/opensslconf.h>` is included, then the following can also be used to exclude the SSLv2 and SSLv3 stuff:
```
$ cat /usr/local/ssl/darwin/include/openssl/opensslconf.h | grep -i ssl
2329:# if defined(OPENSSL_NO_SSLV2) && !defined(NO_SSLV2)
2382:# define NO_SSLV2
2401-# endif
--
2409:# if defined(OPENSSL_NO_SSLV3) && !defined(NO_SSLV3)
2462:# define NO_SSLV3
2481-# endif
```

It doesn't make sense. The SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG options don't affect operation if SSLv2 is disabled, and having them set is harmless.