SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS

Piotr Sikora piotr at cloudflare.com
Wed Dec 17 23:01:28 UTC 2014


Hey Lukas,

>          /* initial handshake done, disable renegotiation (CVE-2009-3555) */
> +#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
>          if (c->ssl->connection->s3) {
>              c->ssl->connection->s3->flags |=
> SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
>          }
> +#endif
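Review bot: the new `#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` guard starts below the `/* initial handshake done, disable renegotiation (CVE-2009-3555) */` comment, so on a build where the macro is undefined the comment survives over nothing, claiming renegotiation is disabled when that code is compiled out; move the `#ifdef` above the comment so both go together. Also, as the hunk stands the mitigation silently disappears on OpenSSL builds lacking the flag: consider an `#else` branch (or at least a comment there) stating what, if anything, still prevents client-initiated renegotiation in that configuration, so a reader of this block is not left assuming the protection is unconditional.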

#ifdef should be above the comment.

I also think that this change needs a bit more work, since
renegotiation changes are all over the place in nginx. I've started
looking into this earlier this month, but got busy with other stuff.

Best regards,
Piotr Sikora


