Opened 7 years ago

Closed 7 years ago

#461 closed defect (worksforme)

Client: OpenSSL SSLv2 options set even with SSL_OP_NO_SSLv2

Reported by: Jeffrey Walton Owned by:
Priority: minor Milestone:
Component: nginx-core Version:
Keywords: Cc:
uname -a: $ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64
nginx -V: $ objs/nginx -V
nginx version: nginx/1.4.4
configure arguments:

Description

SSL_OP_NO_SSLv2 precludes SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG.

From ngx_event_openssl.c, around line 180:

    /* client side options */

    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);

    ...

    if (!(protocols & NGX_SSL_SSLv2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
    }
    if (!(protocols & NGX_SSL_SSLv3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
    }
    if (!(protocols & NGX_SSL_TLSv1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
    }

Perhaps something like the following would be useful for clients:

    if (protocols & NGX_SSL_SSLv2) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
    }

if <openssl/opensslconf.h> is included, then the following can also be used to exclude the SSLv2 and SSLv3 stuff:

$ cat /usr/local/ssl/darwin/include/openssl/opensslconf.h | grep -i ssl
2329:# if defined(OPENSSL_NO_SSLV2) && !defined(NO_SSLV2)
2382:#  define NO_SSLV2
2401-# endif
--
2409:# if defined(OPENSSL_NO_SSLV3) && !defined(NO_SSLV3)
2462:#  define NO_SSLV3
2481-# endif

Change History (1)

comment:1 by Maxim Dounin, 7 years ago

Resolution: worksforme
Status: newclosed

It doesn't make sense. The SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG options don't affect operation if SSLv2 is disabled, and having them set is harmless.

Note: See TracTickets for help on using tickets.