SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS

Lukas Tribus luky-37 at hotmail.com
Wed Dec 17 14:20:37 UTC 2014


# HG changeset patch
# User Lukas Tribus <luky-37 at hotmail.com>
# Date 1418825570 -3600
#      Wed Dec 17 15:12:50 2014 +0100
# Node ID 923f5d7061b6df59fb1d28c70379da8b9daf1c8c
# Parent  a23c35496c2fc0ba9a34d968c2ca6d1f9374f8a8
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS

OpenSSL or its forks may remove this flag (BoringSSL did), as the
renegotiation issue was fixed in OpenSSL.

diff -r a23c35496c2f -r 923f5d7061b6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c    Mon Mar 24 17:55:10 2014 +0400
+++ b/src/event/ngx_event_openssl.c    Wed Dec 17 15:12:50 2014 +0100
@@ -851,9 +851,11 @@
          c->send_chain = ngx_ssl_send_chain;

          /* initial handshake done, disable renegotiation 
(CVE-2009-3555) */
+#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
          if (c->ssl->connection->s3) {
              c->ssl->connection->s3->flags |= 
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
          }
+#endif

          return NGX_OK;
      }
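Review bot: with the guard in place, a build against a library that lacks SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS compiles to nothing here while the comment above the #ifdef still says "initial handshake done, disable renegotiation (CVE-2009-3555)", which is misleading for the next reader. Extend that comment (or add one in an #else branch) to state that libraries which dropped the flag, such as BoringSSL, are relied on to handle insecure renegotiation themselves, as the commit message explains, so nobody concludes that renegotiation is silently left open on those builds.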
