# HG changeset patch # User Sergey Kandaurov # Date 1493813756 -10800 # Node ID eb5d119323d8cfae94aa01367935e6f9324a623e # Parent f38647c651a8d5c884b5aacc9f9a5b1af196309b SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0. In ac9b1df5b246 (1.13.0) we attempted to allow renegotiation in client mode, but when using OpenSSL 1.0.2 or older versions it was additionally disabled by SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -1300,7 +1300,7 @@ ngx_ssl_handshake(ngx_connection_t *c) #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS /* initial handshake done, disable renegotiation (CVE-2009-3555) */ - if (c->ssl->connection->s3) { + if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; }