# HG changeset patch
# User Piotr Sikora <pi...@cloudflare.com>
# Date 1409780995 25200
# Wed Sep 03 14:49:55 2014 -0700
# Node ID 2d40a7b1e3bc01777fcae9576b3860e70ca273bb
# Parent 3f5f0ab59b359064db16e1aa52dfca335720dff6
SSL: enable CBC 1/n-1 record splitting on the client side.
This is currently available only in BoringSSL, where it replaced CBC 0/n record splitting (empty fragments), which is disabled in nginx due to the (legacy?) interoperability issues.
Signed-off-by: Piotr Sikora <pi...@cloudflare.com>
diff -r 3f5f0ab59b35 -r 2d40a7b1e3bc src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Sep 01 18:20:18 2014 +0400
+++ b/src/event/ngx_event_openssl.c Wed Sep 03 14:49:55 2014 -0700
@@ -972,6 +972,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
 if (flags & NGX_SSL_CLIENT) {
 SSL_set_connect_state(sc->connection);
+#ifdef SSL_MODE_CBC_RECORD_SPLITTING
+ SSL_set_mode(sc->connection, SSL_MODE_CBC_RECORD_SPLITTING);
+#endif
+
 } else {
 SSL_set_accept_state(sc->connection);
 }
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
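Review bot: The new `#ifdef SSL_MODE_CBC_RECORD_SPLITTING` block in the client branch has no comment, and when the macro is undefined it compiles to nothing without any trace. Per the description the 0/n variant is disabled in nginx and the 1/n-1 mode exists only in BoringSSL, so a build against any other library still sends unsplit CBC records on client connections. The guard does not make that gap visible to someone reading the code. I would add a comment above the `#ifdef`, for example `/* 1/n-1 record splitting for CBC ciphers on outgoing connections; BoringSSL only, other libraries leave CBC records unsplit */`. The body of ngx_ssl_create_connection starts and ends outside the hunk, so whether the mode could instead be set once per context is not visible from here.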