src: Disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-06-22 23:26:45 +09:00 · 2015-06-22 23:26:45 +09:00 · 301df2a856
parent f3b7f4140b
commit 301df2a856
5 changed files with 40 additions and 30 deletions
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@ -1768,12 +1768,13 @@ int HttpServer::run() {
      return -1;
    }

-    SSL_CTX_set_options(ssl_ctx,
-                        SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                            SSL_OP_NO_COMPRESSION |
-                            SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
-                            SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
-                            SSL_OP_CIPHER_SERVER_PREFERENCE);
+    auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+                    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+                    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+                    SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
+                    SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+    SSL_CTX_set_options(ssl_ctx, ssl_opts);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);

--- a/src/asio_server_tls_context.cc
+++ b/src/asio_server_tls_context.cc
@ -49,11 +49,13 @@ configure_tls_context_easy(boost::system::error_code &ec,

  auto ctx = tls_context.native_handle();

-  SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                               SSL_OP_NO_COMPRESSION |
-                               SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
-                               SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
-                               SSL_OP_CIPHER_SERVER_PREFERENCE);
+  auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+                  SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+                  SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+                  SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
+                  SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+  SSL_CTX_set_options(ctx, ssl_opts);
  SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);

--- a/src/h2load.cc
+++ b/src/h2load.cc
@ -1277,10 +1277,11 @@ int main(int argc, char **argv) {
    exit(EXIT_FAILURE);
  }

-  SSL_CTX_set_options(ssl_ctx,
-                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                          SSL_OP_NO_COMPRESSION |
-                          SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+  auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+                  SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+                  SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+
+  SSL_CTX_set_options(ssl_ctx, ssl_opts);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);

--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@ -2005,10 +2005,12 @@ int communicate(
      result = -1;
      goto fin;
    }
-    SSL_CTX_set_options(ssl_ctx,
-                        SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                            SSL_OP_NO_COMPRESSION |
-                            SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+
+    auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+                    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+                    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+
+    SSL_CTX_set_options(ssl_ctx, ssl_opts);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
    if (SSL_CTX_set_cipher_list(ssl_ctx, CIPHER_LIST) == 0) {
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@ -338,12 +338,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file,
    DIE();
  }

-  SSL_CTX_set_options(
-      ssl_ctx,
-      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
-          SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
-          SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
-          SSL_OP_CIPHER_SERVER_PREFERENCE | get_config()->tls_proto_mask);
+  auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+                  SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+                  SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+                  SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
+                  SSL_OP_CIPHER_SERVER_PREFERENCE |
+                  get_config()->tls_proto_mask;
+
+  SSL_CTX_set_options(ssl_ctx, ssl_opts);

  const unsigned char sid_ctx[] = "shrpx";
  SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
@ -493,11 +495,13 @@ SSL_CTX *create_ssl_client_context() {
    LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
-  SSL_CTX_set_options(ssl_ctx,
-                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                          SSL_OP_NO_COMPRESSION |
-                          SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
-                          get_config()->tls_proto_mask);
+
+  auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+                  SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+                  SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+                  get_config()->tls_proto_mask;
+
+  SSL_CTX_set_options(ssl_ctx, ssl_opts);

  const char *ciphers;
  if (get_config()->ciphers) {