Opened 11 years ago
Closed 11 years ago
#461 closed defect (worksforme)
Client: OpenSSL SSLv2 options set even with SSL_OP_NO_SSLv2
Reported by: | Jeffrey Walton | Owned by: |
---|---|---|---
Priority: | minor | Milestone: |
Component: | nginx-core | Version: |
Keywords: | | Cc: |
uname -a:

    $ uname -a
    Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64

nginx -V:

    $ objs/nginx -V
    nginx version: nginx/1.4.4
    configure arguments:
Description
SSL_OP_NO_SSLv2 precludes SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG.
From ngx_event_openssl.c, around line 180:
    /* client side options */
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
    ...
    if (!(protocols & NGX_SSL_SSLv2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
    }
    if (!(protocols & NGX_SSL_SSLv3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
    }
    if (!(protocols & NGX_SSL_TLSv1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
    }
Perhaps something like the following would be useful for clients:
    if (protocols & NGX_SSL_SSLv2) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
    }
If <openssl/opensslconf.h> is included, then the following can also be used to exclude the SSLv2 and SSLv3 stuff:
    $ cat /usr/local/ssl/darwin/include/openssl/opensslconf.h | grep -i ssl
    2329:# if defined(OPENSSL_NO_SSLV2) && !defined(NO_SSLV2)
    2382:# define NO_SSLV2
    2401-# endif
    --
    2409:# if defined(OPENSSL_NO_SSLV3) && !defined(NO_SSLV3)
    2462:# define NO_SSLV3
    2481-# endif
It doesn't make sense. The SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG options don't affect operation if SSLv2 is disabled, and having them set is harmless.