Maxim Dounin mdounin at
Thu Dec 18 16:07:58 UTC 2014


On Wed, Dec 17, 2014 at 03:01:28PM -0800, Piotr Sikora wrote:

> Hey Lukas,
> >          /* initial handshake done, disable renegotiation (CVE-2009-3555) */
> >          if (c->ssl->connection->s3) {
> >              c->ssl->connection->s3->flags |=
> >          }
> > +#endif
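Review bot: the `+#endif` closes a conditional whose opening `#ifdef` is not in the quoted lines, and as placed it leaves the `/* initial handshake done, disable renegotiation (CVE-2009-3555) */` comment outside the guarded region, so on a build where the flag is absent the comment would still claim renegotiation is disabled while nothing is done; open the `#ifdef` above the comment so the comment, the `s3` check and the `s3->flags |=` assignment are guarded as one unit.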
> #ifdef should be above the comment.
> I also think that this change needs a bit more work, since
> renegotiation changes are all over the place in nginx. I've started
> looking into this earlier this month, but got busy with other stuff.

There aren't that many renegotiation changes: nginx disables 
renegotiation, nothing more.

Unfortunately, even after a number of renegotiation-related 
vulnerabilities OpenSSL (and derivatives) doesn't provide an easy 
way to do this.

So we do the following:

1. Detect a renegotiation via info callback, and drop the 
   connection later if it was detected.

2. After a handshake, the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 
   flag is set to disable renegotiation within OpenSSL.

Initial commit is at
(and some more details can be found in the Russian mailing list,

As far as I can see, BoringSSL removed 
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS without introducing any 
replacement.  That's a bit sad as this opens a door for various 
attacks, but probably we can live with it, at least when compiled 
with BoringSSL.

Maxim Dounin
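The two-step scheme Maxim describes, modelled as an added C example (not nginx's own code): an info callback that marks a handshake started after the initial one as a renegotiation, a post-handshake step that sets SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS only where the build defines it, and a read path that drops a flagged connection. The SSL_CB_* values are OpenSSL's; the connection state struct, `s3_flags` word and event sequences are constructed so the logic runs without linking OpenSSL.

```c
#include <stdio.h>

/* Values match OpenSSL's ssl.h; defined here so the model builds without it. */
#ifndef SSL_CB_HANDSHAKE_START
#define SSL_CB_HANDSHAKE_START 0x10
#endif
#ifndef SSL_CB_HANDSHAKE_DONE
#define SSL_CB_HANDSHAKE_DONE  0x20
#endif

/* Per-connection state: the two bits nginx keeps for this purpose. */
typedef struct {
    int handshaked;     /* initial handshake has completed */
    int renegotiation;  /* a further handshake was started afterwards */
} ssl_conn_state;

/* Step 1: info callback. A HANDSHAKE_START seen once the connection is
 * already handshaked is a renegotiation attempt; remember it. */
void ssl_info_callback(ssl_conn_state *c, int where)
{
    if ((where & SSL_CB_HANDSHAKE_START) && c->handshaked) {
        c->renegotiation = 1;
    }
}

/* Step 2: run after SSL_do_handshake() succeeds. Marks the connection
 * handshaked and, only where the library defines the flag, sets
 * SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS so OpenSSL itself refuses renegotiation.
 * Returns 1 if the in-library protection was enabled, 0 if only step 1 applies
 * (the BoringSSL situation described above). */
int ssl_handshake_done(ssl_conn_state *c, unsigned long *s3_flags)
{
    c->handshaked = 1;
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
    if (s3_flags != NULL) {
        *s3_flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
        return 1;
    }
#else
    (void) s3_flags;
#endif
    return 0;
}

/* Read path: a connection on which renegotiation was detected is dropped
 * rather than served. Returns 1 if the connection must be closed. */
int ssl_recv_must_drop(const ssl_conn_state *c) { return c->renegotiation; }

/* Constructed event sequences: a normal handshake, and one followed by a
 * second HANDSHAKE_START. simulate() returns 0 to keep, -1 to drop. */
const int ev_normal[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
const int ev_reneg[]  = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                          SSL_CB_HANDSHAKE_START };

int simulate(const int *events, int n)
{
    ssl_conn_state c = { 0, 0 };
    unsigned long s3_flags = 0;
    int i;
    for (i = 0; i < n; i++) {
        ssl_info_callback(&c, events[i]);
        if (events[i] & SSL_CB_HANDSHAKE_DONE) ssl_handshake_done(&c, &s3_flags);
    }
    return ssl_recv_must_drop(&c) ? -1 : 0;
}
```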

