comparison src/event/ngx_event_openssl.c @ 7356:e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is
defined, it is the OpenSSL library's responsibility to prevent renegotiation,
so the checks are meaningless.
Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START
at various unexpected moments - notably, on KeyUpdate messages and
when sending tickets. This change prevents unexpected connection
close on KeyUpdate messages and when finishing handshake with upcoming
early data changes.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 21 Sep 2018 20:31:32 +0300 |
parents | 87d2ea860f38 |
children | 548a63b354a2 |
7355:b64adc956643 | 7356:e3ba4026c02d |
---|---|
841 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) | 841 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) |
842 { | 842 { |
843 BIO *rbio, *wbio; | 843 BIO *rbio, *wbio; |
844 ngx_connection_t *c; | 844 ngx_connection_t *c; |
845 | 845 |
846 #ifndef SSL_OP_NO_RENEGOTIATION | |
847 | |
846 if ((where & SSL_CB_HANDSHAKE_START) | 848 if ((where & SSL_CB_HANDSHAKE_START) |
847 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) | 849 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) |
848 { | 850 { |
849 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 851 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
850 | 852 |
851 if (c->ssl->handshaked) { | 853 if (c->ssl->handshaked) { |
852 c->ssl->renegotiation = 1; | 854 c->ssl->renegotiation = 1; |
853 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); | 855 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); |
854 } | 856 } |
855 } | 857 } |
858 | |
859 #endif | |
856 | 860 |
857 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { | 861 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { |
858 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 862 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
859 | 863 |
860 if (!c->ssl->handshake_buffer_set) { | 864 if (!c->ssl->handshake_buffer_set) { |
1389 c->recv = ngx_ssl_recv; | 1393 c->recv = ngx_ssl_recv; |
1390 c->send = ngx_ssl_write; | 1394 c->send = ngx_ssl_write; |
1391 c->recv_chain = ngx_ssl_recv_chain; | 1395 c->recv_chain = ngx_ssl_recv_chain; |
1392 c->send_chain = ngx_ssl_send_chain; | 1396 c->send_chain = ngx_ssl_send_chain; |
1393 | 1397 |
1398 #ifndef SSL_OP_NO_RENEGOTIATION | |
1394 #if OPENSSL_VERSION_NUMBER < 0x10100000L | 1399 #if OPENSSL_VERSION_NUMBER < 0x10100000L |
1395 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS | 1400 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
1396 | 1401 |
1397 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ | 1402 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
1398 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { | 1403 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { |
1399 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; | 1404 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
1400 } | 1405 } |
1401 | 1406 |
1407 #endif | |
1402 #endif | 1408 #endif |
1403 #endif | 1409 #endif |
1404 | 1410 |
1405 return NGX_OK; | 1411 return NGX_OK; |
1406 } | 1412 } |
1625 static ngx_int_t | 1631 static ngx_int_t |
1626 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | 1632 ngx_ssl_handle_recv(ngx_connection_t *c, int n) |
1627 { | 1633 { |
1628 int sslerr; | 1634 int sslerr; |
1629 ngx_err_t err; | 1635 ngx_err_t err; |
1636 | |
1637 #ifndef SSL_OP_NO_RENEGOTIATION | |
1630 | 1638 |
1631 if (c->ssl->renegotiation) { | 1639 if (c->ssl->renegotiation) { |
1632 /* | 1640 /* |
1633 * disable renegotiation (CVE-2009-3555): | 1641 * disable renegotiation (CVE-2009-3555): |
1634 * OpenSSL (at least up to 0.9.8l) does not handle disabled | 1642 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
1647 c->ssl->no_wait_shutdown = 1; | 1655 c->ssl->no_wait_shutdown = 1; |
1648 c->ssl->no_send_shutdown = 1; | 1656 c->ssl->no_send_shutdown = 1; |
1649 | 1657 |
1650 return NGX_ERROR; | 1658 return NGX_ERROR; |
1651 } | 1659 } |
1660 | |
1661 #endif | |
1652 | 1662 |
1653 if (n > 0) { | 1663 if (n > 0) { |
1654 | 1664 |
1655 if (c->ssl->saved_write_handler) { | 1665 if (c->ssl->saved_write_handler) { |
1656 | 1666 |