# HG changeset patch
# User Lukas Tribus <luky...@hotmail.com>
# Date 1418825570 -3600
#      Wed Dec 17 15:12:50 2014 +0100
# Node ID 923f5d7061b6df59fb1d28c70379da8b9daf1c8c
# Parent  a23c35496c2fc0ba9a34d968c2ca6d1f9374f8a8
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS

OpenSSL or its forks may remove this flag (BoringSSL did), as the
renegotiation issue was fixed in OpenSSL.

diff -r a23c35496c2f -r 923f5d7061b6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c    Mon Mar 24 17:55:10 2014 +0400
+++ b/src/event/ngx_event_openssl.c    Wed Dec 17 15:12:50 2014 +0100
@@ -851,9 +851,11 @@
         c->send_chain = ngx_ssl_send_chain;

/* initial handshake done, disable renegotiation (CVE-2009-3555) */
+#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
         if (c->ssl->connection->s3) {
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
         }
+#endif

         return NGX_OK;
     }
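Review bot: Once the block is wrapped in `#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS`, a build against a library that lacks the macro silently compiles out the CVE-2009-3555 mitigation, and nothing at this site says what refuses renegotiation in that case. The comment above the guard should state the fallback, for example `/* flag is absent in some forks (BoringSSL); renegotiation must then be refused by the library itself or by a separate check */`. Whether such a check exists elsewhere in ngx_event_openssl.c cannot be seen from this hunk, so it should be confirmed before relying on the guard. The description's "fixed in OpenSSL" is also worth verifying per supported library, since client-initiated renegotiation can remain a resource-exhaustion concern even where the original injection issue is fixed. The enclosing function starts before the hunk.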
