mirror of
https://github.com/nginx/nginx.git
synced 2024-12-18 21:23:36 -06:00
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is defined, it is OpenSSL library responsibility to prevent renegotiation, so the checks are meaningless. Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START at various unexpected moments - notably, on KeyUpdate messages and when sending tickets. This change prevents unexpected connection close on KeyUpdate messages and when finishing handshake with upcoming early data changes.
This commit is contained in:
parent
a834b8aa09
commit
61cec6f01b
@ -843,6 +843,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
|
||||
BIO *rbio, *wbio;
|
||||
ngx_connection_t *c;
|
||||
|
||||
#ifndef SSL_OP_NO_RENEGOTIATION
|
||||
|
||||
if ((where & SSL_CB_HANDSHAKE_START)
|
||||
&& SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
|
||||
{
|
||||
@ -854,6 +856,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
|
||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||
|
||||
@ -1391,6 +1395,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
||||
c->recv_chain = ngx_ssl_recv_chain;
|
||||
c->send_chain = ngx_ssl_send_chain;
|
||||
|
||||
#ifndef SSL_OP_NO_RENEGOTIATION
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
||||
|
||||
@ -1399,6 +1404,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
||||
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
|
||||
}
|
||||
|
||||
#endif
|
||||
#endif
|
||||
#endif
|
||||
|
||||
@ -1628,6 +1634,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
|
||||
int sslerr;
|
||||
ngx_err_t err;
|
||||
|
||||
#ifndef SSL_OP_NO_RENEGOTIATION
|
||||
|
||||
if (c->ssl->renegotiation) {
|
||||
/*
|
||||
* disable renegotiation (CVE-2009-3555):
|
||||
@ -1650,6 +1658,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
if (n > 0) {
|
||||
|
||||
if (c->ssl->saved_write_handler) {
|
||||
|
Loading…
Reference in New Issue
Block a user