changeset 7356:e3ba4026c02d

SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is defined, it is the OpenSSL library's responsibility to prevent renegotiation, so the checks are meaningless. Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START at various unexpected moments - notably, on KeyUpdate messages and when sending tickets. This change prevents unexpected connection close on KeyUpdate messages and when finishing the handshake with the upcoming early data changes.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 21 Sep 2018 20:31:32 +0300
parents b64adc956643
children 548a63b354a2
files src/event/ngx_event_openssl.c
diffstat 1 files changed, 10 insertions(+), 0 deletions(-) [+]
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -843,6 +843,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn
     BIO               *rbio, *wbio;
     ngx_connection_t  *c;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+
     if ((where & SSL_CB_HANDSHAKE_START)
         && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
     {
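Review bot: The new `#ifndef SSL_OP_NO_RENEGOTIATION` guard at the top of this hunk keys on the macro being defined by the OpenSSL headers, not on the option actually being set on the SSL_CTX, so the handshake-start check is compiled out even for a context that never enabled the option; the commit message says 7319:dcab86115261 sets it, which nothing in this hunk shows, and a reader of ngx_ssl_info_callback gets no pointer to that. A one-line comment on the guard would make the dependency explicit: `/* with SSL_OP_NO_RENEGOTIATION set on the context, OpenSSL itself rejects renegotiation */`. The same uncommented guard is added in the hunks at 1395 and 1634, with the matching bare `#endif`s at 856, 1406 and 1658. ngx_ssl_info_callback starts and ends outside this hunk.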
@@ -854,6 +856,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn
         }
     }
 
+#endif
+
     if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
         c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 
@@ -1391,6 +1395,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
         c->recv_chain = ngx_ssl_recv_chain;
         c->send_chain = ngx_ssl_send_chain;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 
@@ -1401,6 +1406,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
 
 #endif
 #endif
+#endif
 
         return NGX_OK;
     }
@@ -1628,6 +1634,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c,
     int        sslerr;
     ngx_err_t  err;
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+
     if (c->ssl->renegotiation) {
         /*
          * disable renegotiation (CVE-2009-3555):
@@ -1650,6 +1658,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c,
         return NGX_ERROR;
     }
 
+#endif
+
     if (n > 0) {
 
         if (c->ssl->saved_write_handler) {