[nginx] SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
Sergey Kandaurov
pluknet at nginx.com
Thu May 4 09:34:23 UTC 2017
details: http://hg.nginx.org/nginx/rev/eb5d119323d8
branches:
changeset: 6995:eb5d119323d8
user: Sergey Kandaurov <pluknet at nginx.com>
date: Wed May 03 15:15:56 2017 +0300
description:
SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
In ac9b1df5b246 (1.13.0) we attempted to allow renegotiation in client mode,
but when using OpenSSL 1.0.2 or older versions it was additionally disabled
by SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
diffstat:
src/event/ngx_event_openssl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diffs (12 lines):
diff -r f38647c651a8 -r eb5d119323d8 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Apr 27 16:57:18 2017 +0300
+++ b/src/event/ngx_event_openssl.c Wed May 03 15:15:56 2017 +0300
@@ -1300,7 +1300,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
/* initial handshake done, disable renegotiation (CVE-2009-3555) */
- if (c->ssl->connection->s3) {
+ if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
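Review bot: the comment on the line above the change still reads "disable renegotiation (CVE-2009-3555)" without qualification, but after this hunk the flag is only set when SSL_is_server() is true, so client-mode connections keep renegotiation enabled; update the comment to say the flag is applied in server mode only, so a later reader does not assume renegotiation is disabled on both sides. Also worth confirming that SSL_is_server() is available on every OpenSSL release that defines SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS (the #ifdef is the only guard here), or that a compatibility definition exists for those older releases, since the commit message targets OpenSSL 1.0.2 and older.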