SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
Piotr Sikora
piotr at cloudflare.com
Wed Dec 17 23:01:28 UTC 2014
Hey Lukas,
> /* initial handshake done, disable renegotiation (CVE-2009-3555) */
> +#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
> if (c->ssl->connection->s3) {
> c->ssl->connection->s3->flags |=
> SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
> }
> +#endif
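Review bot: with the new #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS guard around the s3->flags |= assignment, a build against a library that does not define the macro compiles the whole block out, so the post-handshake renegotiation lockout named in the comment (CVE-2009-3555) disappears without any signal. Consider an #else branch that either applies an alternative way of refusing renegotiation or at least carries a comment stating what covers those builds, so the missing mitigation is visible in review instead of implicit.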
#ifdef should be above the comment.
I also think that this change needs a bit more work, since
renegotiation changes are all over the place in nginx. I've started
looking into this earlier this month, but got busy with other stuff.
Best regards,
Piotr Sikora