On Tue, Apr 29, 2014 at 4:36 PM, Lukas Tribus <[email protected]> wrote:
> Hi Mark,
>
> > I'm running into a lot of the same error as was reported in the forum
> > at: http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html
> >
> > > SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
> > > bad record mac
> >
> > I've got an nginx server doing front-end SSL, with the upstream also
> > over SSL and also nginx (fronting Apache). They're all running 1.5.13
> > (all Precise 64-bit), so I can goof with various options like
> > ssl_buffer_size. These are running SSL-enabled web sites for my
> > customers.
> >
> > I'm curious if there is any workaround for this besides patching
> > openssl, as mentioned a couple of weeks ago
> > in http://trac.nginx.org/nginx/ticket/215
>
> A patch was committed to openssl [1] and backported to the openssl-1.0.1
> stable branch [2], meaning that the next openssl release (1.0.1h) will
> contain the fix.
>
> You can:
> - cherry-pick the fix and apply it on 1.0.1g
> - use the 1.0.1 stable git branch
> - ask your openssl package maintainer to backport the fix (it's security
>   relevant, see CVE-2010-5298 [3])
>
> The fix is already in OpenBSD [4], Debian and Ubuntu will probably ship the
> patch soon, also see [5] and [6].

Oh, cool, that's good news that it's upstream then. Getting the patch to
apply is a piece of cake. I was more worried about what would happen for
the next libssl update. Hopefully Ubuntu will pick that update up.

Thanks!
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
