]> git.kaiwu.me - nginx.git/commitdiff
projects / nginx.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a834b8a)
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
authorMaxim Dounin <mdounin@mdounin.ru>
Fri, 21 Sep 2018 17:31:32 +0000 (20:31 +0300)
committerMaxim Dounin <mdounin@mdounin.ru>
Fri, 21 Sep 2018 17:31:32 +0000 (20:31 +0300)
Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is
defined, it is OpenSSL library responsibility to prevent renegotiation,
so the checks are meaningless.

Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START
at various unexpected moments - notably, on KeyUpdate messages and
when sending tickets.  This change prevents unexpected connection
close on KeyUpdate messages and when finishing handshake with upcoming
early data changes.

src/event/ngx_event_openssl.c patch | blob | history

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index dead928063c6f88f5cbc47023227608c68b44a3a..78906081bca6d7a153ac8ebe79acef4ff6cdde4a 100644 (file)
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -843,6 +843,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
     BIO               *rbio, *wbio;
     ngx_connection_t  *c;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+
     if ((where & SSL_CB_HANDSHAKE_START)
         && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
     {
@@ -854,6 +856,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
         }
     }
 
+#endif
+
     if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
         c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 
@@ -1391,6 +1395,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
         c->recv_chain = ngx_ssl_recv_chain;
         c->send_chain = ngx_ssl_send_chain;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 
@@ -1399,6 +1404,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
             c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
         }
 
+#endif
 #endif
 #endif
 
@@ -1628,6 +1634,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
     int        sslerr;
     ngx_err_t  err;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+
     if (c->ssl->renegotiation) {
         /*
          * disable renegotiation (CVE-2009-3555):
@@ -1650,6 +1658,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
         return NGX_ERROR;
     }
 
+#endif
+
     if (n > 0) {
 
         if (c->ssl->saved_write_handler) {
nginx upstream