Browse Source

[ssl] accept ssl renegotiations if they are not disabled (fixes #2491)

* don't fiddle with ssl internals
 * renegotiations should be safe with recent openssl versions,
   openssl itself should reject unsafe renegotiations

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2890 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.33
Stefan Bühler 8 years ago
parent
commit
6d4d2118c3
  1. 1
      NEWS
  2. 2
      src/connections.c
  3. 2
      src/network.c
  4. 4
      src/network_openssl.c

1
NEWS

@ -24,6 +24,7 @@ NEWS
* [ssl] use DH only if openssl supports it (fixes #2479)
* [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470)
* [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)
* [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
- 1.4.32 - 2012-11-21
* Code cleanup with clang/sparse (fixes #2437, thx kibi)

2
src/connections.c

@ -224,8 +224,8 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
len = SSL_read(con->ssl, b->ptr + read_offset, toread);
if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
connection_set_state(srv, con, CON_STATE_ERROR);
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
return -1;
}

2
src/network.c

@ -44,8 +44,6 @@ static void ssl_info_callback(const SSL *ssl, int where, int ret) {
if (0 != (where & SSL_CB_HANDSHAKE_START)) {
connection *con = SSL_get_app_data(ssl);
++con->renegotiations;
} else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
}
#endif

4
src/network_openssl.c

@ -90,7 +90,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
r = SSL_write(ssl, offset, toSend);
if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
return -1;
}
@ -202,7 +202,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
r = SSL_write(ssl, s, toSend);
if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
return -1;
}

Loading…
Cancel
Save