Hello, while OpenSSL-1.0.1f isn't released just yet, the change that removes SSL_OP_MSIE_SSLV2_RSA_PADDING is already backported to OpenSSL_1_0_1-stable branch and I believe that it's better to proactively guard against this than to wait for people to complain that nginx doesn't compile with new OpenSSL.
Best regards, Piotr Sikora # HG changeset patch # User Piotr Sikora <[email protected]> # Date 1379366678 25200 # Mon Sep 16 14:24:38 2013 -0700 # Node ID a73678f5f96ffead0b616b2c03dfcfd5445d443b # Parent cec155f07c84953138455b65dfe678bb514e33ca SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING. This option had no effect since 0.9.7h / 0.9.8b and it was removed in recent OpenSSL. Signed-off-by: Piotr Sikora <[email protected]> diff -r cec155f07c84 -r a73678f5f96f src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Mon Sep 16 18:49:23 2013 +0400 +++ b/src/event/ngx_event_openssl.c Mon Sep 16 14:24:38 2013 -0700 @@ -185,8 +185,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); +#endif SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); _______________________________________________ nginx-devel mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-devel
