author | Maxim Dounin <mdounin@mdounin.ru> | 2018-09-21 20:31:32 +0300 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2018-09-21 20:31:32 +0300 |
commit | 61cec6f01bb9d76d617ca13531e5178199e2fe93 (patch) | |
tree | 03abf3784e0ab0b0c2b220a73e6bc3e7e0b43d4b /src | |
parent | a834b8aa09205922bf11c005b3c737b267be12bb (diff) | |
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is
defined, it is the OpenSSL library's responsibility to prevent renegotiation,
so the checks are meaningless.
Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START
at various unexpected moments - notably, on KeyUpdate messages and
when sending tickets. This change prevents unexpected connection
close on KeyUpdate messages and when finishing handshake with upcoming
early data changes.
Diffstat (limited to 'src')
-rw-r--r-- | src/event/ngx_event_openssl.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index dead92806..78906081b 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -843,6 +843,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
 BIO *rbio, *wbio;
 ngx_connection_t *c;
+#ifndef SSL_OP_NO_RENEGOTIATION
+
 if ((where & SSL_CB_HANDSHAKE_START) && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) {
@@ -854,6 +856,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
 }
 }
+#endif
+
 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
@@ -1391,6 +1395,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
 c->recv_chain = ngx_ssl_recv_chain;
 c->send_chain = ngx_ssl_send_chain;
+#ifndef SSL_OP_NO_RENEGOTIATION
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
@@ -1401,6 +1406,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
 #endif
 #endif
+#endif
 return NGX_OK;
 }
@@ -1628,6 +1634,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
 int sslerr;
 ngx_err_t err;
+#ifndef SSL_OP_NO_RENEGOTIATION
+
 if (c->ssl->renegotiation) {
 /* * disable renegotiation (CVE-2009-3555):
@@ -1650,6 +1658,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
 return NGX_ERROR;
 }
+#endif
+
 if (n > 0) {
 if (c->ssl->saved_write_handler) { |
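Review bot: The new `#ifndef SSL_OP_NO_RENEGOTIATION` guard in ngx_ssl_info_callback carries no comment saying that the compiled-out handshake-start check is only safe to drop because the option is set on the SSL context elsewhere (the commit message attributes this to 7319:dcab86115261, but nothing in the code does), so a later reader sees a renegotiation check vanish with no in-source justification. Suggest a one-liner on the `#ifndef` line, `#ifndef SSL_OP_NO_RENEGOTIATION /* OpenSSL refuses renegotiation itself when this option is set on the ctx */`, and the same comment at the guards opened in the ngx_ssl_handshake and ngx_ssl_handle_recv hunks below. This guard is closed only in the following hunk, and ngx_ssl_info_callback itself begins before this hunk.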
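Review bot: The `+#endif` added in ngx_ssl_handshake is the third bare `#endif` in a row, after the OPENSSL_VERSION_NUMBER and SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS conditionals, and its matching `#ifndef` sits in the previous hunk, so the nesting cannot be verified from this hunk alone. Label it `#endif /* SSL_OP_NO_RENEGOTIATION */`; the same applies to the `#endif` lines added in the ngx_ssl_info_callback and ngx_ssl_handle_recv hunks, whose opening `#ifndef` is likewise in a different hunk. The guarded region in ngx_ssl_handshake starts and ends outside the lines shown, so the full extent of what is compiled out is not visible here.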