SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is defined, it is the OpenSSL library's responsibility to prevent renegotiation, so the checks are meaningless. Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START at various unexpected moments - notably, on KeyUpdate messages and when sending tickets. This change prevents an unexpected connection close on KeyUpdate messages and when finishing the handshake with the upcoming early data changes.
This commit is contained in:
parent
8e8957c81a
commit
353f9d3054
1 changed files with 10 additions and 0 deletions
|
@ -843,6 +843,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
|
||||||
BIO *rbio, *wbio;
|
BIO *rbio, *wbio;
|
||||||
ngx_connection_t *c;
|
ngx_connection_t *c;
|
||||||
|
|
||||||
|
#ifndef SSL_OP_NO_RENEGOTIATION
|
||||||
|
|
||||||
if ((where & SSL_CB_HANDSHAKE_START)
|
if ((where & SSL_CB_HANDSHAKE_START)
|
||||||
&& SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
|
&& SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
|
||||||
{
|
{
|
||||||
|
@ -854,6 +856,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
|
if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
|
||||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||||
|
|
||||||
|
@ -1391,6 +1395,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
||||||
c->recv_chain = ngx_ssl_recv_chain;
|
c->recv_chain = ngx_ssl_recv_chain;
|
||||||
c->send_chain = ngx_ssl_send_chain;
|
c->send_chain = ngx_ssl_send_chain;
|
||||||
|
|
||||||
|
#ifndef SSL_OP_NO_RENEGOTIATION
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
||||||
|
|
||||||
|
@ -1399,6 +1404,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
||||||
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
|
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -1628,6 +1634,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
|
||||||
int sslerr;
|
int sslerr;
|
||||||
ngx_err_t err;
|
ngx_err_t err;
|
||||||
|
|
||||||
|
#ifndef SSL_OP_NO_RENEGOTIATION
|
||||||
|
|
||||||
if (c->ssl->renegotiation) {
|
if (c->ssl->renegotiation) {
|
||||||
/*
|
/*
|
||||||
* disable renegotiation (CVE-2009-3555):
|
* disable renegotiation (CVE-2009-3555):
|
||||||
|
@ -1650,6 +1658,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
if (n > 0) {
|
if (n > 0) {
|
||||||
|
|
||||||
if (c->ssl->saved_write_handler) {
|
if (c->ssl->saved_write_handler) {
|
||||||
|
|
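Review bot: The new `#ifndef SSL_OP_NO_RENEGOTIATION` guards (first hunk of ngx_ssl_info_callback, and the matching pair in ngx_ssl_handle_recv around the CVE-2009-3555 check) compile the renegotiation defense out as soon as the library headers define the macro, so the protection now rests entirely on the option actually being set on every server SSL_CTX elsewhere, and nothing at the guard records that dependency. A one-line comment at the first guard, e.g. `/* when SSL_OP_NO_RENEGOTIATION is available it is set on the context and OpenSSL rejects renegotiation itself; these checks are not compiled in that case */`, would keep a later refactor from dropping the option without restoring these checks. The comment should also make explicit that the macro being defined is what disables the checks, not the option being set, since a context that never sets the option would then have no renegotiation guard at all. The guard added in ngx_ssl_handshake nests around the existing `OPENSSL_VERSION_NUMBER < 0x10100000L` block and the three consecutive `#endif` lines there would read more easily with trailing `/* SSL_OP_NO_RENEGOTIATION */`-style markers. The enclosing functions start and end outside the hunks.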