[nginx] SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin
mdounin at mdounin.ru
Sun Mar 3 14:27:06 UTC 2019
details: https://hg.nginx.org/nginx/rev/3f1db95d758a
branches:
changeset: 7474:3f1db95d758a
user: Maxim Dounin <mdounin at mdounin.ru>
date: Sun Mar 03 16:49:02 2019 +0300
description:
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
The SSL_OP_NO_CLIENT_RENEGOTIATION option was introduced in LibreSSL 2.5.1.
Unlike OpenSSL's SSL_OP_NO_RENEGOTIATION, it only disables client-initiated
renegotiation, and hence can be safely used on all SSL contexts.
diffstat:
src/event/ngx_event_openssl.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diffs (14 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -368,6 +368,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
#endif
+#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+#endif
+
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
More information about the nginx-devel
mailing list