Hello!

On Mon, Sep 08, 2014 at 11:48:28PM +0200, Richard Fussenegger, BSc wrote:

> On 9/8/2014 7:22 PM, Maxim Dounin wrote:
> >Hello!
> >
> >On Mon, Sep 08, 2014 at 01:01:02PM +0200, Richard Fussenegger, BSc wrote:
> >
> >>Wouldn't it be better to drop support for ancient OpenSSL versions? It would
> >>be a great step for performance and security. Are there any good reasons to
> >>support old OpenSSL versions?
> >
> >Dropping support doesn't change anything for those who use modern
> >versions of the OpenSSL library. And it will upset those who, for
> >some reason, have to use old versions.
> >
> >The only benefit of dropping support for older OpenSSL versions is
> >slightly lower code maintenance costs on the nginx side.
>
> The nginx project could be a forerunner by removing support. Of course you
> would upset some admins, but you know as well as I that many of those could
> easily upgrade but are unwilling to do so. If they can stick to outdated
> OpenSSL versions that have SERIOUS vulnerabilities regarding security and
> performance,

What makes you think that there are any vulnerabilities? As far as I
know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
compilation with) is still commercially supported as a part of at
least one OS, and will be supported till 2017.

Even if there are, SSL isn't the only reason to compile nginx with
OpenSSL. Some just need MD5/SHA1 from OpenSSL for various uses within
nginx itself, and some just use a single packet for everything - and
any version of OpenSSL will do as long as it compiles, as SSL isn't
used at all.

I personally more or less regularly test nginx on a system with
OpenSSL 0.9.7d - and I'm fine as long as it compiles, as it's a test
virtual machine.

> why would they need an updated nginx? Honestly, I don't

And that's another part of the problem: if they won't be able to
update nginx, they won't update it. And that's not what we want to
happen - instead, we want them to update nginx even if they stick to
some old libraries for some reason. And make this as painless as
possible.

> understand this kind of politics. It would be much better to implement a
> policy that says (e.g.) current nginx versions support two versions back of
> OpenSSL from the time of release of both. That would be a clear rule that
> anyone can easily understand and it would ensure proper updates and fixes
> for security problems of the complete Internet infrastructure. I think that

As of now, the minimum supported OpenSSL version is 0.9.7, and this is
documented in http://nginx.org/en/CHANGES. That's certainly a clear
rule that anyone can easily understand.

We'll probably bump this to 0.9.8 once we get bored with 0.9.7
compatibility, but that's all we can do now without introducing a lot
of trouble: various major OSes ship with 0.9.8*, and the 0.9.8 branch
is still supported by OpenSSL.

> you underestimate the scope of engagement that nginx is playing now as
> the second most used web server of the world. I think that the project should
> take that role much more seriously. (Please don't answer with something like "but
> Apache httpd", the project shouldn't reiterate problems of other projects.)

I think you overestimate the positive impact of not supporting old
OpenSSL versions, and underestimate the negative impact of this.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
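The thread turns on which OpenSSL a given nginx build is compiled against, and an administrator auditing a fleet wants that answer from the binary itself rather than from the package name. The following C example is added here and is not part of the thread, nor nginx's or OpenSSL's own code. It decodes the packed `OPENSSL_VERSION_NUMBER` layout from `openssl/opensslv.h` (0xMNNFFPPS: major, minor, fix, patch letter, status), compares a number against the 0.9.7 floor the reply cites, and checks whether two numbers belong to the same branch. The minimum is taken as 0x00907000 (the lowest number of the 0.9.7 branch) by assumption, and the sample version numbers are constructed for the demonstration; the real compile-time constant comes from `opensslv.h`, and the library actually loaded at run time reports its own number through `SSLeay()` on 0.9.x/1.0.x (`OpenSSL_version_num()` on 1.1.x), so neither header is linked here.

```c
#include <stdio.h>
#include <string.h>

/*
 * OPENSSL_VERSION_NUMBER packs a version as 0xMNNFFPPS:
 *   M  = major, NN = minor, FF = fix,
 *   PP = patch letter (1 = 'a', 27 = 'za', ...),
 *   S  = status (0 = dev, 1..14 = beta, 15 = release).
 * Assumption for this example: nginx's "0.9.7" floor is encoded as the
 * lowest number of that branch.
 */
#define MIN_OPENSSL_VERSION 0x00907000UL

/* Render a packed number as "M.NN.FF[letters][-dev|-betaN]"; returns buf. */
const char *openssl_version_string(unsigned long v, char *buf, size_t n)
{
    unsigned major  = (unsigned)(v >> 28) & 0xf;
    unsigned minor  = (unsigned)(v >> 20) & 0xff;
    unsigned fix    = (unsigned)(v >> 12) & 0xff;
    unsigned patch  = (unsigned)(v >> 4)  & 0xff;
    unsigned status = (unsigned)v & 0xf;
    char letters[3] = { 0, 0, 0 };   /* "d", "k", or "za"-style for 27+ */
    char suffix[12] = { 0 };

    if (patch > 26) {                /* 27 -> "za", 28 -> "zb", ... */
        letters[0] = 'z';
        letters[1] = (char)('a' + (patch - 27));
    } else if (patch > 0) {
        letters[0] = (char)('a' + (patch - 1));
    }

    if (status == 0) {
        strcpy(suffix, "-dev");
    } else if (status < 15) {
        snprintf(suffix, sizeof suffix, "-beta%u", status);
    }

    snprintf(buf, n, "%u.%u.%u%s%s", major, minor, fix, letters, suffix);
    return buf;
}

/* 1 if `have` meets the minimum. A plain unsigned comparison is correct
 * because the fields are laid out most-significant first. */
int openssl_version_ok(unsigned long have, unsigned long min)
{
    return have >= min;
}

/* 1 if both numbers are from the same M.NN.FF branch. Comparing the
 * compiled-in constant with the number the loaded library reports catches
 * a binary silently running against a different OpenSSL than it was built
 * with, which is the first thing to check when a host claims to be patched. */
int openssl_same_branch(unsigned long a, unsigned long b)
{
    return (a >> 12) == (b >> 12);
}

int main(void)
{
    /* Constructed samples: 0.9.7d, 0.9.8, 1.0.2k, 0.9.6c and a 1.0.2 dev build. */
    unsigned long samples[] = {
        0x0090704fUL, 0x0090800fUL, 0x100020bfUL, 0x0090603fUL, 0x10002000UL
    };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-12s %s\n",
               openssl_version_string(samples[i], buf, sizeof buf),
               openssl_version_ok(samples[i], MIN_OPENSSL_VERSION)
                   ? "meets nginx minimum" : "below nginx minimum");
    }
    return 0;
}
```

In a real build the two numbers to feed `openssl_same_branch` are `OPENSSL_VERSION_NUMBER` (what the headers said at compile time) and the value returned by the loaded library; a mismatch means the process is not running the OpenSSL it was tested against, whatever the package manager reports.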