SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS

Lukas Tribus luky-37 at hotmail.com
Thu Dec 18 08:34:43 UTC 2014


Hi Piotr,


> Hey Lukas,
>
>> /* initial handshake done, disable renegotiation (CVE-2009-3555) */
>> +#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
>> if (c->ssl->connection->s3) {
>> c->ssl->connection->s3->flags |=
>> SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
>> }
>> +#endif
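Review bot: wrapping the whole block in #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS makes the CVE-2009-3555 mitigation a silent no-op on libraries that do not define the flag, while the comment above it, now outside the guard, still claims renegotiation is disabled. Move the comment inside the guard and add an #else branch that either handles the missing flag or at least records that renegotiation is not being disabled on that library, so the reduced protection is visible rather than implicit.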
>
> #ifdef should be above the comment.
>
> I also think that this change needs a bit more work, since
> renegotiation changes are all over the place in nginx. I've started
> looking into this earlier this month, but got busy with other stuff.

OK, I will leave it to you then. This was just a fast fix to allow the build
with BoringSSL again, but if more work is required then I better let
you handle it, as I'm not familiar with the code.


Thanks,

Lukas



More information about the nginx-devel mailing list