r3301 merge: disable SSL renegotiation (CVE-2009-3555) Igor Sysoev 9 years ago
2 changed file(s) with 41 addition(s) and 0 deletion(s).
1414
1515
1616 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
17 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
18 int ret);
1719 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
1820 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
1921 static void ngx_ssl_write_handler(ngx_event_t *wev);
174176
175177 SSL_CTX_set_read_ahead(ssl->ctx, 1);
176178
179 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
180
177181 return NGX_OK;
178182 }
179183
346350 #endif
347351
348352 return 1;
353 }
354
355
356 static void
357 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
358 {
359 ngx_connection_t *c;
360
361 if (where & SSL_CB_HANDSHAKE_START) {
362 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
363
364 if (c->ssl->handshaked) {
365 c->ssl->renegotiation = 1;
366 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
367 }
368 }
349369 }
350370
351371
586606 c->recv_chain = ngx_ssl_recv_chain;
587607 c->send_chain = ngx_ssl_send_chain;
588608
609 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
610 if (c->ssl->connection->s3) {
611 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
612 }
613
589614 return NGX_OK;
590615 }
591616
787812 {
788813 int sslerr;
789814 ngx_err_t err;
815
816 if (c->ssl->renegotiation) {
817 /*
818 * disable renegotiation (CVE-2009-3555):
819 * OpenSSL (at least up to 0.9.8l) does not handle disabled
820 * renegotiation gracefully, so drop connection here
821 */
822
823 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
824
825 c->ssl->no_wait_shutdown = 1;
826 c->ssl->no_send_shutdown = 1;
827
828 return NGX_ERROR;
829 }
790830
791831 if (n > 0) {
792832
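Review bot: The renegotiation flag is only acted on in the recv path (the `if (c->ssl->renegotiation)` block at new lines 816-829), whereas ngx_ssl_info_callback sets it on any SSL_CB_HANDSHAKE_START after the initial handshake, regardless of which OpenSSL call raised it; if the write path does not check the flag (it is not in this diff), a renegotiation noticed while nginx is writing is presumably dropped only at the next read on that connection, which is worth either a check there or a comment saying the delay is accepted. The `if (c->ssl->connection->s3)` block at new lines 610-612 pokes a flag into OpenSSL's private SSL state rather than going through a public API, so the comment above it should say why the guard exists and that this is layout-dependent, e.g. `/* s3 appears to be NULL for non-SSLv3/TLS sessions; setting OpenSSL's internal flag is a stopgap until a public no-renegotiation API exists */`. The function enclosing the renegotiation check at line 816 begins before the hunk, and the handshake function ending at line 615 begins outside it as well.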
4040 ngx_event_handler_pt saved_write_handler;
4141
4242 unsigned handshaked:1;
43 unsigned renegotiation:1;
4344 unsigned buffer:1;
4445 unsigned no_wait_shutdown:1;
4546 unsigned no_send_shutdown:1;