
mod_ssl: disable check for client initiated renegotiations with TLS 1.3.

This is already forbidden by the protocol, enforced by OpenSSL, and the
current logic can't work (ssl_callback_Info() may be called multiple times
with TLS 1.3).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833588 13f79535-47bb-0310-9956-ffa450edef68
Yann Ylavic
2018-06-15 11:12:19 +00:00
parent e6c090ea5a
commit 35ca22d231


@@ -2238,31 +2238,43 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
{ {
conn_rec *c; conn_rec *c;
server_rec *s; server_rec *s;
SSLConnRec *scr;
/* Retrieve the conn_rec and the associated SSLConnRec. */ /* Retrieve the conn_rec and the associated SSLConnRec. */
if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) { if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
return; return;
} }
if ((scr = myConnConfig(c)) == NULL) { /* With TLS 1.3 this callback may be called multiple times on the first
return; * negotiation, so the below logic to detect renegotiations can't work.
} * Fortunately renegotiations are forbidden starting with TLS 1.3, and
* this is enforced by OpenSSL so there's nothing to be done here.
*/
#if SSL_HAVE_PROTOCOL_TLSV1_3
if (SSL_version(ssl) < TLS1_3_VERSION)
#endif
{
SSLConnRec *sslconn;
/* If the reneg state is to reject renegotiations, check the SSL if ((sslconn = myConnConfig(c)) == NULL) {
* state machine and move to ABORT if a Client Hello is being return;
* read. */ }
if (!scr->is_proxy &&
(where & SSL_CB_HANDSHAKE_START) && /* If the reneg state is to reject renegotiations, check the SSL
scr->reneg_state == RENEG_REJECT) { * state machine and move to ABORT if a Client Hello is being
scr->reneg_state = RENEG_ABORT; * read. */
if (!sslconn->is_proxy &&
(where & SSL_CB_HANDSHAKE_START) &&
sslconn->reneg_state == RENEG_REJECT) {
sslconn->reneg_state = RENEG_ABORT;
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
"rejecting client initiated renegotiation"); "rejecting client initiated renegotiation");
} }
/* If the first handshake is complete, change state to reject any /* If the first handshake is complete, change state to reject any
* subsequent client-initiated renegotiation. */ * subsequent client-initiated renegotiation. */
else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) { else if ((where & SSL_CB_HANDSHAKE_DONE)
scr->reneg_state = RENEG_REJECT; && sslconn->reneg_state == RENEG_INIT) {
sslconn->reneg_state = RENEG_REJECT;
}
} }
s = mySrvFromConn(c); s = mySrvFromConn(c);
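Review bot: The `myConnConfig(c) == NULL` early return has moved inside the version-gated block, so on a TLS 1.3 connection the callback now falls through to `s = mySrvFromConn(c);` and the rest of the function (outside this hunk) without the SSLConnRec check that every connection previously got; if anything below relies on that config being present, it is no longer protected. I would hoist the lookup back above the `#if`, e.g. `SSLConnRec *sslconn = myConnConfig(c); if (sslconn == NULL) { return; }` right after the `SSL_get_app_data` check, and keep only the reneg-state logic under the version test. It is also worth a comment that `reneg_state` never advances to `RENEG_REJECT` on TLS 1.3 connections, so other code must not read it as "first handshake completed"; and, hedged since I cannot see OpenSSL here, that `SSL_version()` at the very first `SSL_CB_HANDSHAKE_START` reflects the method's version rather than a negotiated one, which is harmless only because `reneg_state` is still `RENEG_INIT` at that point. The body of `ssl_callback_Info` continues past the end of this hunk.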