[nginx] SSL: disabled renegotiation checks with LibreSSL.

Sergey Kandaurov pluknet at nginx.com
Mon Dec 25 18:52:03 UTC 2023 

details:   https://hg.nginx.org/nginx/rev/875cd36b8617
branches:  
changeset: 9199:875cd36b8617
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Mon Dec 25 21:15:47 2023 +0400
description:
SSL: disabled renegotiation checks with LibreSSL.

Similar to 7356:e3ba4026c02d, as long as SSL_OP_NO_CLIENT_RENEGOTIATION
is defined, it is the library responsibility to prevent renegotiation.

Additionally, this allows to raise LibreSSL version used to redefine
OPENSSL_VERSION_NUMBER to 0x1010000fL, such that this won't result in
attempts to dereference SSL objects made opaque in LibreSSL 3.4.0.

Patch by Maxim Dounin.

diffstat:

 src/event/ngx_event_openssl.c |  15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

diffs (46 lines):

diff -r 514c518b9d6c -r 875cd36b8617 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Sat Dec 09 08:38:14 2023 +0000
+++ b/src/event/ngx_event_openssl.c	Mon Dec 25 21:15:47 2023 +0400
@@ -1105,7 +1105,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn
     BIO               *rbio, *wbio;
     ngx_connection_t  *c;
 
-#ifndef SSL_OP_NO_RENEGOTIATION
+#if (!defined SSL_OP_NO_RENEGOTIATION                                         \
+     && !defined SSL_OP_NO_CLIENT_RENEGOTIATION)
 
     if ((where & SSL_CB_HANDSHAKE_START)
         && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
@@ -1838,9 +1839,10 @@ ngx_ssl_handshake(ngx_connection_t *c)
         c->read->ready = 1;
         c->write->ready = 1;
 
-#ifndef SSL_OP_NO_RENEGOTIATION
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+#if (!defined SSL_OP_NO_RENEGOTIATION                                         \
+     && !defined SSL_OP_NO_CLIENT_RENEGOTIATION                               \
+     && defined SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS                             \
+     && OPENSSL_VERSION_NUMBER < 0x10100000L)
 
         /* initial handshake done, disable renegotiation (CVE-2009-3555) */
         if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
@@ -1848,8 +1850,6 @@ ngx_ssl_handshake(ngx_connection_t *c)
         }
 
 #endif
-#endif
-#endif
 
 #if (defined BIO_get_ktls_send && !NGX_WIN32)
 
@@ -2483,7 +2483,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c,
     int        sslerr;
     ngx_err_t  err;
 
-#ifndef SSL_OP_NO_RENEGOTIATION
+#if (!defined SSL_OP_NO_RENEGOTIATION                                         \
+     && !defined SSL_OP_NO_CLIENT_RENEGOTIATION)
 
     if (c->ssl->renegotiation) {
         /*

More information about the nginx-devel mailing list