SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
Maxim Dounin
mdounin at mdounin.ru
Thu Dec 18 16:07:58 UTC 2014
Hello!
On Wed, Dec 17, 2014 at 03:01:28PM -0800, Piotr Sikora wrote:
> Hey Lukas,
>
> > /* initial handshake done, disable renegotiation (CVE-2009-3555) */
> > +#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
> > if (c->ssl->connection->s3) {
> > c->ssl->connection->s3->flags |=
> > SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
> > }
> > +#endif
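Review bot: with the #ifdef opened after the comment, a build where SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is undefined keeps the "disable renegotiation (CVE-2009-3555)" comment but compiles none of the code under it, and nothing marks that the flag was skipped. Move the #ifdef above the comment and add an #else branch with a short comment stating what, if anything, still blocks renegotiation in that build.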
>
> #ifdef should be above the comment.
>
> I also think that this change needs a bit more work, since
> renegotiation changes are all over the place in nginx. I've started
> looking into this earlier this month, but got busy with other stuff.
There aren't that many renegotiation changes: nginx disables
renegotiation, nothing more.

Unfortunately, even after a number of renegotiation-related
vulnerabilities OpenSSL (and derivatives) doesn't provide an easy
way to do this.

So we do the following:

1. Detect a renegotiation via info callback, and drop the
   connection later if it was detected.

2. After a handshake, the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
   flag is set to disable renegotiation within OpenSSL.

Initial commit is at http://hg.nginx.org/nginx/rev/5a08dfb8d763
(and some more details can be found in the Russian mailing list,
http://nginx.org/pipermail/nginx-ru/2009-November/029439.html).

As far as I can see, BoringSSL removed
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS without introducing any
replacement. That's a bit sad as this opens a door for various
attacks, but probably we can live with it, at least when compiled
with BoringSSL.
--
Maxim Dounin
http://nginx.org/
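
Added example, not part of the original message and not nginx or OpenSSL code: a dependency-free model of step 1 above, where the info callback only records a handshake start seen after the initial handshake and the connection is dropped on later I/O. The names conn_t, info_cb, handshake_done, handle_read and replay are hypothetical, and the event sequences are constructed; the CB_* values mirror OpenSSL's SSL_CB_* constants.

```c
/* Added example: a model of "detect via info callback, drop later".
 * All names here are hypothetical; this is not nginx or OpenSSL code. */
#include <stdio.h>
#include <stddef.h>

/* Event bits with the same values as OpenSSL's SSL_CB_* constants. */
#define CB_HANDSHAKE_START 0x10
#define CB_HANDSHAKE_DONE  0x20

typedef struct {
    unsigned handshaked:1;     /* initial handshake has completed */
    unsigned renegotiation:1;  /* a later handshake start was observed */
} conn_t;

/* Info callback: records the event only; the drop happens on later I/O. */
static void info_cb(conn_t *c, int where)
{
    /* 'where' is a bitmask, so test the bit rather than compare for equality */
    if ((where & CB_HANDSHAKE_START) && c->handshaked) {
        c->renegotiation = 1;
    }
}

/* Runs once, when the initial handshake has succeeded. */
static void handshake_done(conn_t *c) { c->handshaked = 1; }

/* Later I/O: returns -1 to drop the connection, else the byte count. */
static int handle_read(const conn_t *c, int nbytes)
{
    return c->renegotiation ? -1 : nbytes;
}

/* Replays constructed events; the handshake completes after events[done_at]. */
int replay(const int *events, size_t n, size_t done_at)
{
    conn_t c = {0, 0};
    for (size_t i = 0; i < n; i++) {
        info_cb(&c, events[i]);
        if (i == done_at) handshake_done(&c);
    }
    return handle_read(&c, 100);
}

int main(void)
{
    int normal[] = {CB_HANDSHAKE_START, 0x2001, CB_HANDSHAKE_DONE};
    int reneg[]  = {CB_HANDSHAKE_START, CB_HANDSHAKE_DONE, CB_HANDSHAKE_START};
    printf("normal: %d\n", replay(normal, 3, 2));
    printf("reneg:  %d\n", replay(reneg, 3, 1));
    return 0;
}
```

The first handshake start is ignored because handshaked is still 0 at that point; only a start seen after completion marks the connection for dropping.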