On 5/5/20 2:40 PM, jor...@apache.org wrote:
> Author: jorton
> Date: Tue May  5 12:40:38 2020
> New Revision: 1877397
> 
> URL: http://svn.apache.org/viewvc?rev=1877397&view=rev
> Log:
> mod_ssl: Switch to using SSL_OP_NO_RENEGOTATION (where available) to
> block client-initiated renegotiation with TLSv1.2 and earlier.
> 
> * modules/ssl/ssl_private.h: Define modssl_reneg_state enum,
>   modssl_set_reneg_state function.
> 
> * modules/ssl/ssl_engine_io.c (bio_filter_out_write,
>   bio_filter_in_read): #ifdef-out reneg protection if
>   SSL_OP_NO_RENEGOTATION is defined.
> 
> * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
>   Enable SSL_OP_NO_RENEGOTATION.
>   (ssl_init_ctx_callbacks): Only enable the "info" callback if
>   debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTATION.
>   
> * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
>   modssl_set_reneg_state to set the reneg protection mode.
>   (ssl_hook_Access_modern): Drop manipulation of the reneg mode which
>   does nothing for TLSv1.3 already.
>   (ssl_callback_Info): Only enable reneg protection if
>   SSL_OP_NO_RENEGOTATION is *not* defined.
> 
> * modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
>     httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> 

> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1877397&r1=1877396&r2=1877397&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue May  5 12:40:38 2020

> @@ -1182,8 +1182,6 @@ static int ssl_hook_Access_modern(reques
>                  return HTTP_FORBIDDEN;
>              }
>              
> -            old_state = sslconn->reneg_state;
> -            sslconn->reneg_state = RENEG_ALLOW;
>              modssl_set_app_data2(ssl, r);
>  
>              SSL_do_handshake(ssl);
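Review bot: the `old_state` save and the `sslconn->reneg_state = RENEG_ALLOW` assignment are removed here with no `#ifdef` guard, while the log describes the ssl_engine_io.c and `ssl_callback_Info` changes as conditional on the OpenSSL option; the stated reason is that this path is TLSv1.3-only and the state "does nothing" there, so put that reason in a one-line comment above `SSL_do_handshake(ssl);` (e.g. "reneg_state is not consulted for TLSv1.3 post-handshake auth") so nobody re-adds the RENEG_ALLOW window later. Also confirm the `old_state` declaration in `ssl_hook_Access_modern` is deleted too; the hunk removes its only visible uses but does not show the declaration, which would otherwise become an unused-variable warning.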
> @@ -1193,7 +1191,6 @@ static int ssl_hook_Access_modern(reques
>               */
>              SSL_peek(ssl, peekbuf, 0);
>  
> -            sslconn->reneg_state = old_state;
>              modssl_set_app_data2(ssl, NULL);
>  
>              /*
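Review bot: the restore of `sslconn->reneg_state = old_state` after `SSL_peek(ssl, peekbuf, 0)` is dropped consistently with the first hunk, but the log entry for `ssl_hook_Access_modern` should say explicitly why the removal need not be tied to the new option (the classic path keeps `modssl_set_reneg_state`, the modern path loses the state handling entirely), since that is exactly the "why unconditionally" question a reader of this diff will ask. While checking that, note the log spells the option `SSL_OP_NO_RENEGOTATION`; the OpenSSL macro is `SSL_OP_NO_RENEGOTIATION`, so verify the `#ifdef`s in the other files use the correct spelling, otherwise the guarded protection is silently compiled out.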

I don't understand why this can be removed unconditionally.

Regards

Rüdiger
