Hi Mark,
> I'm running into a lot of the same error as was reported in the forum
> at: http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html
>
>> SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
>> bad record mac
>
> I've got an nginx server doing front-end SSL, with the upstream also
> over SSL and also nginx (fronting Apache). They're all running 1.5.13
> (all Precise 64-bit), so I can goof with various options like
> ssl_buffer_size. These are running SSL-enabled web sites for my
> customers.
>
> I'm curious if there is any workaround for this besides patching
> openssl, as mentioned a couple of weeks ago
> in http://trac.nginx.org/nginx/ticket/215

A patch was committed to openssl [1] and backported to the openssl-1.0.1
stable branch [2], meaning that the next openssl release (1.0.1h) will
contain the fix.

You can:
- cherry-pick the fix and apply it on 1.0.1g
- use the 1.0.1 stable git branch
- ask your openssl package maintainer to backport the fix (it's security
  relevant, see CVE-2010-5298 [3])

The fix is already in OpenBSD [4]; Debian and Ubuntu will probably ship
the patch soon, also see [5] and [6].

Regards,
Lukas

[1] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d1f4b0f3d262edf1cf7023a01d5404945035d5
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=725c5f1ad393a7bc344348d0ec7c268aaf2700a7
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
[4] http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
[5] https://www.debian.org/security/2014/dsa-2908
[6] http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5298.html

_______________________________________________
nginx mailing list
http://mailman.nginx.org/mailman/listinfo/nginx
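A check that goes with the reply above, added here as an example and not code from the thread, from nginx or from the OpenSSL project: it decides from the banner printed by `openssl version` whether the upstream release is 1.0.1h or later (the first release the reply says contains the fix). The caveat it encodes is that Debian and Ubuntu backport security fixes without changing the upstream version string, so an old version number alone does not prove a host is unpatched; the package changelog has to be checked for the CVE id as well. The function names, the banner strings and the changelog snippet are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx/openssl.
# Decides from the `openssl version` banner whether the upstream release
# already contains the CVE-2010-5298 fix (1.0.1h or later, per the reply
# above).  Distributions backport fixes without bumping the upstream
# version string, so a "predates the fix" verdict means "check the package
# changelog for the CVE id", not "definitely vulnerable".

FIXED_RELEASE="1.0.1h"   # first upstream release with the fix

# Pull "1.0.1g" out of a banner such as "OpenSSL 1.0.1g 7 Apr 2014".
# Prints nothing for banners that are not OpenSSL's.
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Map "major.minor.fix[letter]" to one integer so versions compare with -ge:
# major*1e8 + minor*1e6 + fix*1e3 + letter (a=1 .. z=26, no letter = 0).
# Only the single-letter patch suffix used by 1.0.x releases is understood.
openssl_version_key() {
    ver=$1
    major=${ver%%.*};  rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    fix=${rest%%[!0-9]*}
    letter=${rest#"$fix"}
    letter=${letter%%[!a-z]*}           # drop suffixes such as "-fips"
    if [ -z "$letter" ]; then
        lidx=0
    else
        first=${letter%"${letter#?}"}   # first character only
        alphabet=abcdefghijklmnopqrstuvwxyz
        before=${alphabet%%"$first"*}
        lidx=$(( ${#before} + 1 ))
    fi
    echo $(( major * 100000000 + minor * 1000000 + fix * 1000 + lidx ))
}

# Exit 0 when the banner's version is >= FIXED_RELEASE, 1 when it is older,
# 2 when the banner is not an OpenSSL banner at all.
openssl_has_upstream_fix() {
    v=$(openssl_version_from_banner "$1")
    [ -n "$v" ] || return 2
    [ "$(openssl_version_key "$v")" -ge "$(openssl_version_key "$FIXED_RELEASE")" ]
}

# Backported packages keep the old version string, so also grep the package
# changelog (Debian: zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz).
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q 'CVE-2010-5298'
}

# Constructed sample inputs (not captured from a real host).
UNPATCHED_BANNER="OpenSSL 1.0.1g 7 Apr 2014"
PATCHED_BANNER="OpenSSL 1.0.1h 5 Jun 2014"
SAMPLE_CHANGELOG="openssl (1.0.1g-1+example1) unstable; urgency=high
  * Backport upstream fix for CVE-2010-5298."

for banner in "$UNPATCHED_BANNER" "$PATCHED_BANNER"; do
    if openssl_has_upstream_fix "$banner"; then
        echo "$banner: upstream release contains the fix"
    else
        echo "$banner: upstream release predates the fix; check the distro changelog"
    fi
done
if changelog_mentions_cve "$SAMPLE_CHANGELOG"; then
    echo "sample changelog references CVE-2010-5298 (backported fix)"
fi
```

On a real host, feed `openssl_has_upstream_fix "$(openssl version)"` the live banner; a negative answer on a distro package is only a prompt to read that package's changelog, which is where a backported fix is recorded.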
