[ssl] accept ssl renegotiations if they are not disabled (fixes #2491)

* don't fiddle with ssl internals * renegotiations should be safe with recent openssl versions, openssl itself should reject unsafe renegotiations From: Stefan Bühler <stbuehler@web.de> git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2890 152afb58-edef-0310-8abb-c4023f1b3aa9
9 years ago · 6d4d2118c3
4 changed files with 4 additions and 5 deletions
--- a/1
+++ b/1
@ -24,6 +24,7 @@ NEWS
  * [ssl] use DH only if openssl supports it (fixes #2479)
  * [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470)
  * [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)
+  * [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)

 - 1.4.32 - 2012-11-21
  * Code cleanup with clang/sparse (fixes #2437, thx kibi)
--- a/src/connections.c
+++ b/src/connections.c
@ -224,8 +224,8 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
 		len = SSL_read(con->ssl, b->ptr + read_offset, toread);

 		if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
+			log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 			connection_set_state(srv, con, CON_STATE_ERROR);
-			log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
 			return -1;
 		}

--- a/src/network.c
+++ b/src/network.c
@ -44,8 +44,6 @@ static void ssl_info_callback(const SSL *ssl, int where, int ret) {
 	if (0 != (where & SSL_CB_HANDSHAKE_START)) {
 		connection *con = SSL_get_app_data(ssl);
 		++con->renegotiations;
-	} else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
-		ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
 	}
 }
 #endif
--- a/src/network_openssl.c
+++ b/src/network_openssl.c
@ -90,7 +90,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 			r = SSL_write(ssl, offset, toSend);

 			if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
-				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 				return -1;
 			}

@ -202,7 +202,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 				r = SSL_write(ssl, s, toSend);

 				if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
-					log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+					log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
 					return -1;
 				}