Commit 61cec6f01bb9d76d617ca13531e5178199e2fe93 - nginx

SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is defined, it is OpenSSL library responsibility to prevent renegotiation, so the checks are meaningless. Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START at various unexpected moments - notably, on KeyUpdate messages and when sending tickets. This change prevents unexpected connection close on KeyUpdate messages and when finishing handshake with upcoming early data changes. Maxim Dounin 3 years ago

1 changed file(s) with 10 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all

+10

-0

src/event/ngx_event_openssl.c less more

842	842	BIO rbio, wbio;
843	843	ngx_connection_t *c;
844	844
	845	#ifndef SSL_OP_NO_RENEGOTIATION
	846
845	847	if ((where & SSL_CB_HANDSHAKE_START)
846	848	&& SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
847	849	{

852	854	ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
853	855	}
854	856	}
	857
	858	#endif
855	859
856	860	if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
857	861	c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);

1390	1394	c->recv_chain = ngx_ssl_recv_chain;
1391	1395	c->send_chain = ngx_ssl_send_chain;
1392	1396
	1397	#ifndef SSL_OP_NO_RENEGOTIATION
1393	1398	#if OPENSSL_VERSION_NUMBER < 0x10100000L
1394	1399	#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
1395	1400

1398	1403	c->ssl->connection->s3->flags \|= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
1399	1404	}
1400	1405
	1406	#endif
1401	1407	#endif
1402	1408	#endif
1403	1409

1626	1632	{
1627	1633	int sslerr;
1628	1634	ngx_err_t err;
	1635
	1636	#ifndef SSL_OP_NO_RENEGOTIATION
1629	1637
1630	1638	if (c->ssl->renegotiation) {
1631	1639	/*

1648	1656
1649	1657	return NGX_ERROR;
1650	1658	}
	1659
	1660	#endif
1651	1661
1652	1662	if (n > 0) {
1653	1663