aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-11-20 23:48:30 +0100
committerDaniel Stenberg <daniel@haxx.se>2018-11-21 08:30:18 +0100
commit59311bd3df5da6342312b5dc9b6c91fc2be77d4f (patch)
treeece79747847f892dd6ab0d35842e3a6c9606445f
parent6765e6d9e6a32bb4fc666d744cb57e2d55d4e13b (diff)
openssl: disable TLS renegotiation with BoringSSL
Since we're close to feature freeze, this change disables this feature with an #ifdef. Define ALLOW_RENEG at build-time to enable. This could be converted to a bit for CURLOPT_SSL_OPTIONS to let applications opt-in this. Concern-raised-by: David Benjamin Fixes #3283 Closes #3293
-rw-r--r--lib/vtls/openssl.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2f67595f2..f5c6fabb4 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -82,6 +82,13 @@
#include "curl_memory.h"
#include "memdebug.h"
+/* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS
+ renegotiations when built with BoringSSL. Renegotiating is non-compliant
+ with HTTP/2 and "an extremely dangerous protocol feature". Beware.
+
+#define ALLOW_RENEG 1
+ */
+
#ifndef OPENSSL_VERSION_NUMBER
#error "OPENSSL_VERSION_NUMBER not defined"
#endif
@@ -2604,7 +2611,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
SSL_set_tlsext_status_type(BACKEND->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)
SSL_set_renegotiate_mode(BACKEND->handle, ssl_renegotiate_freely);
#endif