diff options
author | Stefan Bühler <stbuehler@web.de> | 2013-08-30 13:14:48 +0000 |
---|---|---|
committer | Stefan Bühler <stbuehler@web.de> | 2013-08-30 13:14:48 +0000 |
commit | 6d4d2118c3302f2feffc242abfa75bfa5608e7d2 (patch) | |
tree | cbfc7ffb55f95b184dc5a860dbd9177bb0718bb5 /src | |
parent | 292b8d621b7b561b567b8a1cde4a52974fa2bd36 (diff) | |
download | lighttpd-git-6d4d2118c3302f2feffc242abfa75bfa5608e7d2.tar.gz |
[ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
* don't fiddle with ssl internals
* renegotiations should be safe with recent openssl versions,
openssl itself should reject unsafe renegotiations
From: Stefan Bühler <stbuehler@web.de>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2890 152afb58-edef-0310-8abb-c4023f1b3aa9
Diffstat (limited to 'src')
-rw-r--r-- | src/connections.c | 2 | ||||
-rw-r--r-- | src/network.c | 2 | ||||
-rw-r--r-- | src/network_openssl.c | 4 |
3 files changed, 3 insertions, 5 deletions
diff --git a/src/connections.c b/src/connections.c index 9bb40f0a..b478fd52 100644 --- a/src/connections.c +++ b/src/connections.c @@ -224,8 +224,8 @@ static int connection_handle_read_ssl(server *srv, connection *con) { len = SSL_read(con->ssl, b->ptr + read_offset, toread); if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection"); connection_set_state(srv, con, CON_STATE_ERROR); - log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); return -1; } diff --git a/src/network.c b/src/network.c index 8b0e8b44..e368a524 100644 --- a/src/network.c +++ b/src/network.c @@ -44,8 +44,6 @@ static void ssl_info_callback(const SSL *ssl, int where, int ret) { if (0 != (where & SSL_CB_HANDSHAKE_START)) { connection *con = SSL_get_app_data(ssl); ++con->renegotiations; - } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) { - ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; } } #endif diff --git a/src/network_openssl.c b/src/network_openssl.c index 7bed710a..5eb612db 100644 --- a/src/network_openssl.c +++ b/src/network_openssl.c @@ -90,7 +90,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu r = SSL_write(ssl, offset, toSend); if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { - log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection"); return -1; } @@ -202,7 +202,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu r = SSL_write(ssl, s, toSend); if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { - log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection"); return -1; } |