-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | src/connections.c | 2 | ||||
-rw-r--r-- | src/network.c | 2 | ||||
-rw-r--r-- | src/network_openssl.c | 4 |
4 files changed, 4 insertions, 5 deletions
@@ -24,6 +24,7 @@ NEWS * [ssl] use DH only if openssl supports it (fixes #2479) * [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470) * [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501) + * [ssl] accept ssl renegotiations if they are not disabled (fixes #2491) - 1.4.32 - 2012-11-21 * Code cleanup with clang/sparse (fixes #2437, thx kibi)
diff --git a/src/connections.c b/src/connections.c
index 9bb40f0a..b478fd52 100644
--- a/src/connections.c
+++ b/src/connections.c
@@ -224,8 +224,8 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
 len = SSL_read(con->ssl, b->ptr + read_offset, toread);
 if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
+log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 connection_set_state(srv, con, CON_STATE_ERROR);
-log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
 return -1;
 }
diff --git a/src/network.c b/src/network.c
index 8b0e8b44..e368a524 100644
--- a/src/network.c
+++ b/src/network.c
@@ -44,8 +44,6 @@ static void ssl_info_callback(const SSL *ssl, int where, int ret) {
 if (0 != (where & SSL_CB_HANDSHAKE_START)) {
 connection *con = SSL_get_app_data(ssl);
 ++con->renegotiations;
-} else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
-ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
 }
 }
 #endif
diff --git a/src/network_openssl.c b/src/network_openssl.c
index 7bed710a..5eb612db 100644
--- a/src/network_openssl.c
+++ b/src/network_openssl.c
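Review bot: The renegotiation check that follows `SSL_read` in connection_handle_read_ssl only fires after OpenSSL has already processed the client-initiated handshake inside the read, so with `ssl_disable_client_renegotiation` set the connection is dropped after the fact rather than the renegotiation being refused, and the CPU cost of that extra handshake is still paid. That is a reasonable policy, but nothing in the hunk records it, and `renegotiations > 1` reads like a hard block. I would add above the `if`: `/* ssl_info_callback (network.c) counts every handshake start, the initial one included, so > 1 means the client renegotiated; OpenSSL has already run it, this is detect-and-drop, not refusal. */`. connection_handle_read_ssl begins before the hunk.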
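Review bot: With the `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` branch gone from ssl_info_callback, the `renegotiations` counter is the only renegotiation control left, and it is incremented on every `SSL_CB_HANDSHAKE_START` with no cap or rate limit, so when `ssl_disable_client_renegotiation` is off a client may renegotiate as often as it likes; that is what the NEWS entry announces, but the callback should say so, e.g. `/* unbounded on purpose: ssl.disable-client-renegotiation is the only throttle */`. The `connection *con` from `SSL_get_app_data` is dereferenced unchecked; if app data is always attached before the callback can fire (likely, but the setup is outside the hunk) a one-line comment stating that invariant would spare the next reader the question. Dropping the direct `ssl->s3->flags` poke also removes a dependency on OpenSSL internals, which is worth a mention in the commit message. ssl_info_callback starts outside the hunk.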
@@ -90,7 +90,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 r = SSL_write(ssl, offset, toSend);
 if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
-log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 return -1;
 }
@@ -202,7 +202,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 r = SSL_write(ssl, s, toSend);
 if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
-log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 return -1;
 }
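Review bot: The check-and-log block after `SSL_write` at `@@ -90` is now identical to the one at `@@ -202` and, apart from the `connection_set_state` call, to the read-side block in src/connections.c, so the policy and its message are maintained in three places; a small static helper in this file would keep the two write-side sites in step and give the `> 1` test a home for its explanation. Whether the write side relies on its caller to move the connection to `CON_STATE_ERROR` on `-1`, as the read side does itself, cannot be seen from the hunk and is worth a comment either way. network_write_chunkqueue_openssl starts and ends outside both hunks.
```c
/* Detect a client-initiated renegotiation that the configuration forbids.
 * ssl_info_callback (src/network.c) bumps con->renegotiations on every
 * handshake start; the first is the initial handshake, so > 1 means the
 * client renegotiated (already processed by OpenSSL at this point).
 * Returns -1 when the connection must be dropped, 0 otherwise. */
static int ssl_check_client_renegotiation(server *srv, connection *con) {
	if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
		log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
		return -1;
	}
	return 0;
}

/* … unchanged: network_write_chunkqueue_openssl up to the first SSL_write … */
r = SSL_write(ssl, offset, toSend);
if (ssl_check_client_renegotiation(srv, con)) return -1;
/* … unchanged: the second site at @@ -202 uses the same two lines with SSL_write(ssl, s, toSend) … */
```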