Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks

compatibility with some sites

This change comes from 8.15 but is being backported to FreeBSD releases
not yet using 8.15.

MFC after:	3 days
Noted by:	julian@
Gregory Neil Shapiro 2015-03-16 20:24:37 +00:00
parent cb5c792950
commit 0232255f90


@ -124,6 +124,11 @@ readcf(cfname, safe, e)
| SSL_OP_NO_TICKET | SSL_OP_NO_TICKET
#endif #endif
; ;
# ifdef SSL_OP_TLSEXT_PADDING
/* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
# endif /* SSL_OP_TLSEXT_PADDING */
#endif /* STARTTLS */ #endif /* STARTTLS */
if (DontLockReadFiles) if (DontLockReadFiles)
sff |= SFF_NOLOCK; sff |= SFF_NOLOCK;
@ -2405,6 +2410,9 @@ static struct ssl_options
#endif #endif
#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG }, { "SSL_OP_CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
#endif
#ifdef SSL_OP_TLSEXT_PADDING
{ "SSL_OP_TLSEXT_PADDING", SSL_OP_TLSEXT_PADDING },
#endif #endif
{ NULL, 0 } { NULL, 0 }
}; };
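Review bot: The comment added above `Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;` in the readcf() hunk says only that the option "breaks compatibility with some sites", so a maintainer cannot tell that this is a changed default, not a hard disable. I would expand it to `/* SSL_OP_TLSEXT_PADDING (ClientHello padding workaround) breaks compatibility with some sites; cleared by default here, still selectable by name in the SSL options table */`, since the second hunk adds that name to the `struct ssl_options` table, presumably so a configuration can turn it back on. OpenSSL documents the flag as padding the ClientHello, so the `Srv_SSL_Options` clear is likely inert on the accepting side; it is harmless, but the comment could say it is kept for symmetry. Because the flag is an interoperability workaround and not a protocol protection, clearing it should not weaken the negotiated TLS parameters. readcf() and the assignment that the preceding `;` terminates both start outside the hunk, so this assumes the clear runs before the configuration file's own option lines are applied.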