[ssl] accept ssl renegotiations if they are not disabled (fixes #2491)

* don't fiddle with ssl internals
 * renegotiations should be safe with recent openssl versions,
   openssl itself should reject unsafe renegotiations

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2890 152afb58-edef-0310-8abb-c4023f1b3aa9

NEWS

@@ -24,6 +24,7 @@ NEWS
   * [ssl] use DH only if openssl supports it (fixes #2479)
   * [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470)
   * [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)
+  * [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
 
 - 1.4.32 - 2012-11-21
   * Code cleanup with clang/sparse (fixes #2437, thx kibi)

src/connections.c

@@ -224,8 +224,8 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
 		len = SSL_read(con->ssl, b->ptr + read_offset, toread);
 
 		if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
+			log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 			connection_set_state(srv, con, CON_STATE_ERROR);
-			log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
 			return -1;
 		}
 

src/network.c

@@ -44,8 +44,6 @@ static void ssl_info_callback(const SSL *ssl, int where, int ret) {
 	if (0 != (where & SSL_CB_HANDSHAKE_START)) {
 		connection *con = SSL_get_app_data(ssl);
 		++con->renegotiations;
-	} else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
-		ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
 	}
 }
 #endif

src/network_openssl.c

@@ -90,7 +90,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 			r = SSL_write(ssl, offset, toSend);
 
 			if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
-				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 				return -1;
 			}
 
@@ -202,7 +202,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 				r = SSL_write(ssl, s, toSend);
 
 				if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
-					log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+					log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 					return -1;
 				}