On Sat, Oct 29, 2016 at 12:53:54PM +0200, Kurt Roeckx wrote:
> On Sat, Oct 29, 2016 at 12:34:51PM +0300, Christos Trochalakis wrote:
> > On Sat, Oct 29, 2016 at 11:29:12AM +0200, Kurt Roeckx wrote:
> > > On Sat, Oct 29, 2016 at 11:04:33AM +0300, Christos Trochalakis wrote:
> > > >
> > > > I am not sure if the first lua patch is safe (regarding the
> > > > "ssl_conn->tlsext_status_expected = 1;" removal).
> > >
> > > I'm not sure which patch you're talking about. I remember
> > > something about something doing weird things with the state
> > > machine for renegotiation that they never should have done, is
> > > that that?
> > >
> > >
> > > Kurt
> > >
> >
> > I am talking about (src/ngx_http_lua_ssl_ocsp.c):
> > https://github.com/openresty/lua-nginx-module/pull/761/files#diff-50267b7dd63c740bc5c1d29c7387e789L493
>
> So I already commented on that before it seems, but I added a new
> comment saying I think it's correct.

FTR, the Wikimedia Foundation started to use nginx 1.11 with openssl 1.1
and ran into this problem:
https://github.com/openssl/openssl/issues/1799

The issue hasn't been diagnosed upstream, but this will likely also
affect nginx once rebuilt against openssl 1.1.

Cheers,
Moritz