From 301df2a856ba1fe984f9cb59e750bc828fd88463 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Mon, 22 Jun 2015 23:26:45 +0900
Subject: [PATCH] src: Disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

---
 src/HttpServer.cc | 13 +++++++------
 src/asio_server_tls_context.cc | 12 +++++++-----
 src/h2load.cc | 9 +++++----
 src/nghttp.cc | 10 ++++++----
 src/shrpx_ssl.cc | 26 +++++++++++++++-----------
 5 files changed, 40 insertions(+), 30 deletions(-)

diff --git a/src/HttpServer.cc b/src/HttpServer.cc
index f14dfe02..fc799962 100644
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -1768,12 +1768,13 @@ int HttpServer::run() {
 return -1;
 }
 
- SSL_CTX_set_options(ssl_ctx,
- SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_COMPRESSION |
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
- SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
- SSL_OP_CIPHER_SERVER_PREFERENCE);
+ auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+ SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
+ SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+ SSL_CTX_set_options(ssl_ctx, ssl_opts);
 
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
diff --git a/src/asio_server_tls_context.cc b/src/asio_server_tls_context.cc
index 11336c98..291d88af 100644
--- a/src/asio_server_tls_context.cc
+++ b/src/asio_server_tls_context.cc
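Review bot: The new `ssl_opts` expression in HttpServer::run() masks SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS out of SSL_OP_ALL without saying why, and the name does not make it obvious: SSL_OP_ALL bundles that bug workaround, which turns off OpenSSL's empty-fragment countermeasure for CBC cipher suites on TLS 1.0, and clearing it keeps the countermeasure on at the cost of peers that cannot handle empty fragments. A comment above the assignment would preserve that intent, e.g. `// SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which disables the CBC empty-fragment countermeasure; mask it out so it stays enabled.` The same base mask is repeated verbatim in the asio_server_tls_context.cc, h2load.cc, nghttp.cc and both shrpx_ssl.cc hunks, so a shared constant for the common part (`(SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION`) with the per-context bits OR'd on top would make the next hardening a one-line change. Separately, this server mask sets SSL_OP_SINGLE_ECDH_USE but not SSL_OP_SINGLE_DH_USE, unlike create_ssl_context() in shrpx_ssl.cc; if this context is ever given DH parameters outside the hunk, that flag is needed on OpenSSL releases that do not imply it. HttpServer::run() continues outside the hunk.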
@@ -49,11 +49,13 @@ configure_tls_context_easy(boost::system::error_code &ec,
 
 auto ctx = tls_context.native_handle();
 
- SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_COMPRESSION |
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
- SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
- SSL_OP_CIPHER_SERVER_PREFERENCE);
+ auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+ SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET |
+ SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+ SSL_CTX_set_options(ctx, ssl_opts);
 
 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
diff --git a/src/h2load.cc b/src/h2load.cc
index 28e138ed..06571047 100644
--- a/src/h2load.cc
+++ b/src/h2load.cc
@@ -1277,10 +1277,11 @@ int main(int argc, char **argv) {
 exit(EXIT_FAILURE);
 }
 
- SSL_CTX_set_options(ssl_ctx,
- SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_COMPRESSION |
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+ auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+
+ SSL_CTX_set_options(ssl_ctx, ssl_opts);
 
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
diff --git a/src/nghttp.cc b/src/nghttp.cc
index 696b8b51..3ca9d4eb 100644
--- a/src/nghttp.cc
+++ b/src/nghttp.cc
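Review bot: For the client context built in h2load's main(), the `ssl_opts` line is where clearing SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS matters most and the hunk leaves that unstated: the empty-fragment split protects the sender of attacker-influenced plaintext, which for the TLS 1.0 CBC weakness it was designed against is the client side, so a one-line comment such as `// keep OpenSSL's CBC empty-fragment countermeasure on (SSL_OP_ALL would disable it)` is worth adding. The same applies to communicate() in nghttp.cc and create_ssl_client_context() in shrpx_ssl.cc, which receive the identical mask in this patch. As far as I recall OpenSSL only inserts the empty fragment for CBC suites at SSLv3/TLS 1.0 (TLS 1.1+ carry an explicit per-record IV), and SSLv3 is already disabled here, so the practical effect is confined to TLS 1.0 CBC connections; the interoperability cost is that a server which cannot parse empty fragments will fail those handshakes, which the commit message could mention. main() continues outside the hunk.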
@@ -2005,10 +2005,12 @@ int communicate(
 result = -1;
 goto fin;
 }
- SSL_CTX_set_options(ssl_ctx,
- SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_COMPRESSION |
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+
+ auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+
+ SSL_CTX_set_options(ssl_ctx, ssl_opts);
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 if (SSL_CTX_set_cipher_list(ssl_ctx, CIPHER_LIST) == 0) {
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index d9f5bb06..1c04fe6c 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -338,12 +338,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file,
 DIE();
 }
 
- SSL_CTX_set_options(
- ssl_ctx,
- SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
- SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
- SSL_OP_CIPHER_SERVER_PREFERENCE | get_config()->tls_proto_mask);
+ auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+ SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
+ SSL_OP_CIPHER_SERVER_PREFERENCE |
+ get_config()->tls_proto_mask;
+
+ SSL_CTX_set_options(ssl_ctx, ssl_opts);
 
 const unsigned char sid_ctx[] = "shrpx";
 SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
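Review bot: In create_ssl_context() in shrpx_ssl.cc, the new `ssl_opts` ORs `get_config()->tls_proto_mask` onto a base that already hard-codes SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, so a configured protocol list can only narrow the version range further and can never re-enable SSLv3; that is the right property, but nothing in the hunk says it is intentional. A short comment on the `get_config()->tls_proto_mask` line, e.g. `// tls_proto_mask only adds SSL_OP_NO_* bits; SSLv2/SSLv3 stay disabled regardless`, would stop a later edit from "fixing" it. This assumes tls_proto_mask carries only SSL_OP_NO_* bits, which is not visible here; if it can carry other options the comment should say what it may add. create_ssl_context() continues outside the hunk.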
@@ -493,11 +495,13 @@ SSL_CTX *create_ssl_client_context() {
 LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
 DIE();
 }
- SSL_CTX_set_options(ssl_ctx,
- SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_COMPRESSION |
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
- get_config()->tls_proto_mask);
+
+ auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+ get_config()->tls_proto_mask;
+
+ SSL_CTX_set_options(ssl_ctx, ssl_opts);
 
 const char *ciphers;
 if (get_config()->ciphers) {