SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
Lukas Tribus
luky-37 at hotmail.com
Wed Dec 17 14:20:37 UTC 2014
# HG changeset patch
# User Lukas Tribus <luky-37 at hotmail.com>
# Date 1418825570 -3600
# Wed Dec 17 15:12:50 2014 +0100
# Node ID 923f5d7061b6df59fb1d28c70379da8b9daf1c8c
# Parent a23c35496c2fc0ba9a34d968c2ca6d1f9374f8a8
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
OpenSSL or its forks may remove this flag (BoringSSL did), as the
renegotiation issue was fixed in OpenSSL.
diff -r a23c35496c2f -r 923f5d7061b6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Mar 24 17:55:10 2014 +0400
+++ b/src/event/ngx_event_openssl.c Wed Dec 17 15:12:50 2014 +0100
@@ -851,9 +851,11 @@
c->send_chain = ngx_ssl_send_chain;
/* initial handshake done, disable renegotiation
(CVE-2009-3555) */
+#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
if (c->ssl->connection->s3) {
c->ssl->connection->s3->flags |=
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
+#endif
return NGX_OK;
}
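Review bot: the comment "initial handshake done, disable renegotiation (CVE-2009-3555)" stays outside the new #ifdef, so when a library does not define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS the block compiles to nothing while the comment still says renegotiation is being disabled. Consider moving the comment inside the guard and documenting the other branch, for example with a short #else comment stating that the build relies on the library's own fix mentioned in the commit message. The hunk itself shows no other renegotiation handling for that case, so a reader auditing the CVE-2009-3555 mitigation cannot tell from this function whether dropping the flag is safe for every library that lacks the macro.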