mod_ssl: Switch to using SSL_OP_NO_RENEGOTATION (where available) to

block client-initiated renegotiation with TLSv1.2 and earlier.

* modules/ssl/ssl_private.h: Define modssl_reneg_state enum,
  modssl_set_reneg_state function.

* modules/ssl/ssl_engine_io.c (bio_filter_out_write,
  bio_filter_in_read): #ifdef-out reneg protection if
  SSL_OP_NO_RENEGOTATION is defined.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
  Enable SSL_OP_NO_RENEGOTATION.
  (ssl_init_ctx_callbacks): Only enable the "info" callback if
  debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTATION.
  
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
  modssl_set_reneg_state to set the reneg protection mode.
  (ssl_hook_Access_modern): Drop manipulation of the reneg mode which
  does nothing for TLSv1.3 already.
  (ssl_callback_Info): Only enable reneg protection if
  SSL_OP_NO_RENEGOTATION is *not* defined.

* modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877397 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_io.c

@@ -211,11 +211,13 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
 
     BIO_clear_retry_flags(bio);
 
+#ifndef SSL_OP_NO_RENEGOTIATION
     /* Abort early if the client has initiated a renegotiation. */
     if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
         outctx->rc = APR_ECONNABORTED;
         return -1;
     }
+#endif
 
     ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
                   "bio_filter_out_write: %i bytes", inl);
@@ -514,11 +516,13 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
 
     BIO_clear_retry_flags(bio);
 
+#ifndef SSL_OP_NO_RENEGOTIATION
     /* Abort early if the client has initiated a renegotiation. */
     if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
         inctx->rc = APR_ECONNABORTED;
         return -1;
     }
+#endif
 
     if (!inctx->bb) {
         inctx->rc = APR_EOF;