[CC-ing Dennis since he does not seem to be subscribed to dev@]
On Fri, Jun 15, 2018 at 9:38 AM, Yann Ylavic <ylavic....@gmail.com> wrote: > On Fri, Jun 15, 2018 at 8:59 AM, Yann Ylavic <ylavic....@gmail.com> wrote: >>> On Fri, Jun 15, 2018 at 3:06 AM, Dennis Clarke <dcla...@blastwave.org> >>> wrote: >>>> >>>> [Fri Jun 15 00:59:59.788742 2018] [ssl:error] [pid 2250:tid 27] [client >>>> 188.8.131.52:34466] AH02042: rejecting client initiated renegotiation >> >> This suggests that with TLS 1.3, unlike with previous protocols, the >> ssl_callback_Info callback is always called by openssl (some specific >> extension only?). httpd is not prepared to that and thinks it's a >> client renegotiation. >> >> I didn't look at TLS 1.3 yet, but something along this looks seems plausible. > > For instance, multiple session tickets might call the callback more than once: > https://github.com/openssl/openssl/blob/master/ssl/statem/statem_srvr.c#L3785 > > Since renegotiations are forbidden by TLS 1.3 in the first place > (enforced by openssl probably), I think that the check for > renegotiations should be disabled in our ssl_callback_Info (for TLS > 1.3).