﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
461	Client: OpenSSL SSLv2 options set even with SSL_OP_NO_SSLv2	Jeffrey Walton		"SSL_OP_NO_SSLv2 precludes SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG.

From ngx_event_openssl.c, around line 180:

{{{
    /* client side options */

    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);

    ...

    if (!(protocols & NGX_SSL_SSLv2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
    }
    if (!(protocols & NGX_SSL_SSLv3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
    }
    if (!(protocols & NGX_SSL_TLSv1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
    }
}}}

Perhaps something like the following would be useful for clients:

{{{
    if (protocols & NGX_SSL_SSLv2) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
    }
}}}

If <openssl/opensslconf.h> is included, then the following can also be used to exclude the SSLv2 and SSLv3 stuff:

{{{
$ cat /usr/local/ssl/darwin/include/openssl/opensslconf.h | grep -i ssl
2329:# if defined(OPENSSL_NO_SSLV2) && !defined(NO_SSLV2)
2382:#  define NO_SSLV2
2401-# endif
--
2409:# if defined(OPENSSL_NO_SSLV3) && !defined(NO_SSLV3)
2462:#  define NO_SSLV3
2481-# endif
}}}"	defect	closed	minor		nginx-core		worksforme			"$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64"	"$ objs/nginx -V
nginx version: nginx/1.4.4
configure arguments:"
