comparison src/event/ngx_event_openssl.c @ 5823:275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Some of the OpenSSL forks (read: BoringSSL) started removing unused,
no longer necessary and/or not really working bug workarounds along
with the SSL options and defines for them.
Instead of fixing nginx build after each removal, be proactive
and guard use of all SSL options for bug workarounds.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
author | Piotr Sikora <piotr@cloudflare.com> |
---|---|
date | Wed, 03 Sep 2014 14:49:55 -0700 |
parents | e0eaf2d92a8c |
children | ca63fc5ed9b1 |
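--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -204,31 +204,48 @@
 
 ssl->buffer_size = NGX_SSL_BUFSIZE;
 
 /* client side options */
 
+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
+#endif
 
 /* server side options */
 
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
+#endif
+
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
+#endif
 
 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
 #endif
 
 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
 #endif
 
+#ifdef SSL_OP_TLS_D5_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
+#endif
+
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
-
+#endif
+
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+#endif
 
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
 if (!(protocols & NGX_SSL_SSLv2)) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);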
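Review bot: The new `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` guard files that option under "bug workarounds" alongside the others, but unlike them it disables OpenSSL's empty-fragment countermeasure for CBC cipher suites, so it is a security trade-off rather than a pure interoperability shim and deserves the same inline justification the section already gives `SSL_OP_MSIE_SSLV2_RSA_PADDING`. A one-line comment above the call inside the guard, such as `/* this option disables the CBC empty fragment countermeasure */`, would make the risk visible to the next reader; the reason it is kept is not visible in this section and should be stated there too if known. The `#ifdef` guards only catch forks that remove the macro outright, while a fork that keeps the name defined as zero compiles fine and turns the call into a no-op, which is harmless but worth knowing when auditing the effective option set. The enclosing function starts before and ends after this section.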