> On 21 Jan 2019, at 19:07, Dirkjan Bussink <d.buss...@gmail.com> wrote:
> 
> Hi Manu,
> 
>> On 21 Jan 2019, at 09:49, Emmanuel Hocdet <m...@gandi.net> wrote:
>> 
>> BoringSSL does not have SSL_OP_NO_RENEGOTIATION and needs KeyUpdate to work.
>> As a workaround, SSL_OP_NO_RENEGOTIATION could be set to 0 in openssl-compat.h.
> 
> Hmm, then we will need a different #define though since we can’t rely on the 
> constant not being defined in that case to disable the logic. We would need a 
> separate way to detect this then. Is there a good example of this or should I 
> change the logic then to version checks instead? And how about LibreSSL in 
> that case?
> 
> Does BoringSSL need any of the logic in the first place? There aren’t really 
> versions of it, so is the target there always current master or something 
> else? 
> 


No need to change, SSL_OP_NO_RENEGOTIATION is now in BoringSSL, thanks Adam, 
and renegotiation is disabled by default.
For LibreSSL, no TLSv1.3, no SSL_OP_NO_RENEGOTIATION.

++
Manu



