Now it is not possible to disable sending renegotiation_info extension from server.
The only way to do it is to disable TLS extensions completely, which may not be considered acceptable.
But this is required for compatibility with clients, which can't understand this extension
(but do require other extensions).
Among others, it is Windows clients, which do not support KB980436 correctly
(KB980436 is a Windows Update, implemented RFC5746 (http://tools.ietf.org/html/rfc5746)
"TLS Renegotiation Indication Extension"
http://support.microsoft.com/kb/980436).
When this update is not installed, and the server does send the renegotiation_info extension - they work.
But if this update is installed - they crash/do not work when they receive the renegotiation_info extension. :(
Supplied patch introduces new option SSL_OP_DO_NOT_SEND_RI.
When it is set on a context, the renegotiation_info extension will not be sent.
Please note, this will not disable secure renegotiation, but just disable sending renegotiation_info extension.
(which may be considered as equal).
This is enabled by specifying option
-not_send_ri
to s_server and s_client.
In addition, the patch introduced option -handle_cpro_bug to s_server, which explicitly enables option SSL_OP_CRYPTOPRO_TLSEXT_BUG.
Yes, it is also possible by specifying the -bugs option to s_server, but the presence of SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER in SSL_OP_ALL prevents the server from parsing ClientHello at all:
SSL_accept:error in SSLv3 read client hello B
3066799772:error:1408F044:SSL routines:SSL3_GET_RECORD:internal error:s3_pkt.c:308:
In order to apply the patch, go to the OpenSSL working directory and execute the following command:
patch -p1 -l -u -b -i not_send_reneg_info.patch
Please let me know if you have any questions.
Andrey.
P.S. There are no more slots for new SSL_OP_* - I used the last available one! :(
not_send_reneg_info.patch
Description: Binary data
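
One way to confirm from a captured handshake whether a server still sends renegotiation_info (extension type 0xff01 in RFC 5746), for example when testing an option like the one proposed above. This is an added example, not part of the original message or the attached patch; the names server_hello_has_ri and build_hello and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EXT_RENEGOTIATION_INFO 0xff01 /* RFC 5746 extension type */

/* Scan a ServerHello handshake message (starting at the handshake header).
 * Returns 1 if renegotiation_info is present, 0 if absent, -1 if malformed. */
int server_hello_has_ri(const uint8_t *m, size_t len)
{
    size_t p, end, ext_end;

    if (len < 4 || m[0] != 0x02) return -1;      /* not a server_hello */
    end = 4 + (((size_t)m[1] << 16) | ((size_t)m[2] << 8) | m[3]);
    if (end > len) return -1;                    /* truncated capture */
    p = 4 + 2 + 32;                              /* skip version and random */
    if (p + 1 > end) return -1;
    p += 1 + m[p];                               /* session_id */
    p += 2 + 1;                                  /* cipher_suite, compression */
    if (p > end) return -1;
    if (p == end) return 0;                      /* no extensions block at all */
    if (p + 2 > end) return -1;
    ext_end = p + 2 + (((size_t)m[p] << 8) | m[p + 1]);
    p += 2;
    if (ext_end != end) return -1;               /* length fields disagree */
    while (p + 4 <= ext_end) {
        unsigned type = (m[p] << 8) | m[p + 1];
        size_t elen = ((size_t)m[p + 2] << 8) | m[p + 3];
        p += 4;
        if (elen > ext_end - p) return -1;       /* extension overruns block */
        if (type == EXT_RENEGOTIATION_INFO) return 1;
        p += elen;
    }
    return p == ext_end ? 0 : -1;
}

/* Constructed sample: minimal TLS 1.0 ServerHello carrying the given
 * extension bytes (zero random, empty session_id, cipher 0x002f). */
size_t build_hello(uint8_t *out, const uint8_t *exts, size_t n)
{
    size_t body = 2 + 32 + 1 + 2 + 1 + (n ? 2 + n : 0), p = 4;
    memset(out, 0, 4 + body);
    out[0] = 0x02; out[3] = (uint8_t)body;       /* type and 24-bit length */
    out[p] = 0x03; out[p + 1] = 0x01; p += 2 + 32 + 1;
    out[p + 1] = 0x2f; p += 3;
    if (n) { out[p] = (uint8_t)(n >> 8); out[p + 1] = (uint8_t)n; memcpy(out + p + 2, exts, n); }
    return 4 + body;
}
```

A return of 0 on a handshake that carries other extensions is the outcome the message asks for: extensions in general still sent, renegotiation_info omitted.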