comparison src/event/ngx_event_openssl.c @ 7356:e3ba4026c02d

SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is defined, it is the OpenSSL library's responsibility to prevent renegotiation, so the checks are meaningless. Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START at various unexpected moments - notably, on KeyUpdate messages and when sending tickets. This change prevents unexpected connection close on KeyUpdate messages and when finishing handshake with upcoming early data changes.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 21 Sep 2018 20:31:32 +0300
parents 87d2ea860f38
children 548a63b354a2
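--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -841,20 +841,24 @@
 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
 {
 BIO *rbio, *wbio;
 ngx_connection_t *c;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+
 if ((where & SSL_CB_HANDSHAKE_START)
 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
 {
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 
 if (c->ssl->handshaked) {
 c->ssl->renegotiation = 1;
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
 }
 }
+
+#endif
 
 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 
 if (!c->ssl->handshake_buffer_set) {
@@ -1389,18 +1393,20 @@
 c->recv = ngx_ssl_recv;
 c->send = ngx_ssl_write;
 c->recv_chain = ngx_ssl_recv_chain;
 c->send_chain = ngx_ssl_send_chain;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 
 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
 }
 
+#endif
 #endif
 #endif
 
 return NGX_OK;
 }
@@ -1625,10 +1631,12 @@
 static ngx_int_t
 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
 {
 int sslerr;
 ngx_err_t err;
+
+#ifndef SSL_OP_NO_RENEGOTIATION
 
 if (c->ssl->renegotiation) {
 /*
 * disable renegotiation (CVE-2009-3555):
 * OpenSSL (at least up to 0.9.8l) does not handle disabled
@@ -1647,10 +1655,12 @@
 c->ssl->no_wait_shutdown = 1;
 c->ssl->no_send_shutdown = 1;
 
 return NGX_ERROR;
 }
+
+#endif
 
 if (n > 0) {
 
 if (c->ssl->saved_write_handler) {
 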
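Review bot: The `#ifndef SSL_OP_NO_RENEGOTIATION` added at new line 846 of ngx_ssl_info_callback carries no comment, so a reader sees the CVE-2009-3555 renegotiation detection disappear for modern OpenSSL with no hint that the protection now lives in the library option; the same applies to the guards at new lines 1398 and 1637. A one-line why-comment above each guard, e.g. `/* with SSL_OP_NO_RENEGOTIATION the library rejects renegotiation itself */`, would keep the intent visible, and tagging the three consecutive bare `#endif`s at new lines 1407-1409 (`#endif /* SSL_OP_NO_RENEGOTIATION */` and so on) would make that nesting readable. Note that the gate is on the build-time header macro while the protection depends on the option actually being set on every SSL_CTX at runtime (presumably in the context setup the description refers to as 7319), so an nginx built against OpenSSL 1.1.0h-or-newer headers but run against an older library of the same soname would presumably have these checks compiled out while the unknown option bit is ignored; if that configuration is supported, it deserves a sentence in the description. Both ngx_ssl_info_callback and ngx_ssl_handle_recv continue past their hunks.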