Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks compatibility with some sites

This change comes from 8.15 but is being backported to FreeBSD releases
not yet using 8.15.

MFC after:	3 days
Noted by:	julian@
gshapiro 2015-03-16 20:24:37 +00:00
parent 55b7ea0246
commit 8afab6ffc3


@ -124,6 +124,11 @@ readcf(cfname, safe, e)
| SSL_OP_NO_TICKET
#endif
;
# ifdef SSL_OP_TLSEXT_PADDING
/* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
# endif /* SSL_OP_TLSEXT_PADDING */
#endif /* STARTTLS */
if (DontLockReadFiles)
sff |= SFF_NOLOCK;
@ -2405,6 +2410,9 @@ static struct ssl_options
#endif
#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
#endif
#ifdef SSL_OP_TLSEXT_PADDING
{ "SSL_OP_TLSEXT_PADDING", SSL_OP_TLSEXT_PADDING },
#endif
{ NULL, 0 }
};
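Review bot: The comment above the two `&= ~SSL_OP_TLSEXT_PADDING` lines in the readcf() hunk gives the reason but not the scope: it does not say that only the compiled-in default changes, nor that the flag is an interoperability workaround whose removal does not weaken the TLS handshake. The second hunk adds the name to the `ssl_options` table, presumably so a configuration file can set the bit again, so a comment such as `/* default off: ClientHello padding workaround, breaks some peers; not a security control, can be re-enabled by name via ssl_options[] */` would keep a later reader from treating this as a hardening regression. OpenSSL documents the flag as affecting the ClientHello, so clearing it in `Srv_SSL_Options` is likely a no-op kept for symmetry, which is worth a word as well. readcf() begins and ends outside the hunk, so whether later option parsing can override these defaults is not visible here.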