Nginx and CVE-2010-3864

I think I know the answer to this but since the consequences of
misguessing are somewhat dire, I figured I’d better ask.

For the advisory,

http://www.openssl.org/news/secadv_20101116.txt

are we nginx users safe if we’re using one of the affected versions
(and rechecking security.debian.org every 10 minutes) but only ever
use:

ssl_session_cache shared:sslache:…

i.e. not: ssl_session_cache builtin:…

?

From the wording of the advisory, it sounds like ‘shared’ bypasses
the affected internal caching, but I wanted to be extra cautious.
Clearly the right fix is to get openssl upgraded but until Debian gets
their update out, it’d be good to know that nginx is not affected (at
least with ssl_session_cache shared:…). Thanks!

Hello!

On Wed, Nov 17, 2010 at 11:31:53AM -0800, Mark M. wrote:

> least with ssl_session_cache shared:…). Thanks!

nginx should be fine even if openssl’s builtin session cache is
used.

Both the vulnerability information and the code suggest that the issue only
affects multi-threaded programs (due to multiple threads changing
the same session at the same time). nginx isn’t multi-threaded
and the race in question isn’t possible.

Maxim D.

On Wed, Nov 17, 2010 at 4:12 PM, Maxim D. wrote:

> From the wording of the advisory, it sounds like ‘shared’ bypasses
> the same session at the same time). nginx isn’t multi-threaded
> and the race in question isn’t possible.
>
> Maxim D.


Excellent, thanks for the info. I’d forgotten nginx was event-based,
not threaded. That is a relief :)