On 9/9/2014 4:47 AM, Maxim Dounin wrote:
> What make you think that there are any vulnerabilities?  As far as
> I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
> compilation with) is still commercially supported as a part of at
> least one OS, and will be supported till 2017.
>
> Even if there are, SSL isn't the only reason to compile nginx with
> OpenSSL.  Some just need MD5/SHA1 from OpenSSL for various uses
> within nginx itself, and some just use a single packet for
> everything - and any version of OpenSSL will do as long as it
> compiles, as SSL isn't used at all.

I didn't think of situations in which no SSL/TLS is in use and of course the usage of old versions isn't an issue as long as they are secure (the performance argument is nullified because no SSL/TLS is in use).

> And that's another part of the problem: if they won't be able to
> update nginx, they won't update it.  And that's not we want to
> happen - instead, we want them to update nginx even if they stick
> to some old libraries for some reason.  And make this as painless
> as possible.

Of course this policy makes sense. But sometimes it would be a very good idea to stop supporting some technologies, e.g. SSLv2. Simply to help the web evolve and get rid of old insecure technologies. Nginx is now playing a leading role and can dictate or help in such matters. Even if that means that some pain in upgrades is introduced.

> I think you overestimate the positive impact of not supporting old OpenSSL versions, and underestimate the negative impact of this.

Seems so, but if maintenance is getting more complicated with supporting multiple forks it might become necessary. Or maybe it might be necessary to reduce the number of supported forks. Although I don't think that this is a good idea because the forks seem to be introducing a lot of interesting stuff in the future. I'm especially looking at BoringSSL and the reduction of memory consumption per connection that Google was talking about, which they might bring to the library.

Richard

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel