Klaus Demo nginx / 61cec6f
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is defined, it is OpenSSL library responsibility to prevent renegotiation, so the checks are meaningless. Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START at various unexpected moments - notably, on KeyUpdate messages and when sending tickets. This change prevents unexpected connection close on KeyUpdate messages and when finishing handshake with upcoming early data changes. Maxim Dounin 3 years ago
1 changed file(s) with 10 addition(s) and 0 deletion(s).
842842 BIO *rbio, *wbio;
843843 ngx_connection_t *c;
844844
845 #ifndef SSL_OP_NO_RENEGOTIATION
846
845847 if ((where & SSL_CB_HANDSHAKE_START)
846848 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
847849 {
852854 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
853855 }
854856 }
857
858 #endif
855859
856860 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
857861 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
13901394 c->recv_chain = ngx_ssl_recv_chain;
13911395 c->send_chain = ngx_ssl_send_chain;
13921396
1397 #ifndef SSL_OP_NO_RENEGOTIATION
13931398 #if OPENSSL_VERSION_NUMBER < 0x10100000L
13941399 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
13951400
13981403 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
13991404 }
14001405
1406 #endif
14011407 #endif
14021408 #endif
14031409
16261632 {
16271633 int sslerr;
16281634 ngx_err_t err;
1635
1636 #ifndef SSL_OP_NO_RENEGOTIATION
16291637
16301638 if (c->ssl->renegotiation) {
16311639 /*
16481656
16491657 return NGX_ERROR;
16501658 }
1659
1660 #endif
16511661
16521662 if (n > 0) {
16531663
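Review bot: The three added `#ifndef SSL_OP_NO_RENEGOTIATION` guards (around the `SSL_CB_HANDSHAKE_START` check at new line 845, the `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` block at 1397 and the `c->ssl->renegotiation` check at 1636) drop nginx's own renegotiation detection based only on the macro being defined in the headers at build time. Protection against client-initiated renegotiation then depends on the option being set on every server-side connection and on the linked library honouring it at run time. Neither is visible in this section; the description only refers to 7319:dcab86115261 for it, so that is worth confirming against the code that sets the option. A comment at the first guard would record the dependency for the next maintainer, for example `/* with SSL_OP_NO_RENEGOTIATION the library itself rejects renegotiation; the option must be set on the connection for this to hold */`. The closing lines could also be tagged `#endif /* !SSL_OP_NO_RENEGOTIATION */`, since the run at new lines 1406-1408 now closes three nested conditions; the enclosing functions start and end outside the hunks shown.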