diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-11-20 23:48:30 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-11-21 08:30:18 +0100 |
commit | 59311bd3df5da6342312b5dc9b6c91fc2be77d4f (patch) | |
tree | ece79747847f892dd6ab0d35842e3a6c9606445f | |
parent | 6765e6d9e6a32bb4fc666d744cb57e2d55d4e13b (diff) |
openssl: disable TLS renegotiation with BoringSSL
Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.
This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.
Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
-rw-r--r-- | lib/vtls/openssl.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 2f67595f2..f5c6fabb4 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -82,6 +82,13 @@ #include "curl_memory.h" #include "memdebug.h" +/* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS + renegotiations when built with BoringSSL. Renegotiating is non-compliant + with HTTP/2 and "an extremely dangerous protocol feature". Beware. + +#define ALLOW_RENEG 1 + */ + #ifndef OPENSSL_VERSION_NUMBER #error "OPENSSL_VERSION_NUMBER not defined" #endif @@ -2604,7 +2611,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) SSL_set_tlsext_status_type(BACKEND->handle, TLSEXT_STATUSTYPE_ocsp); #endif -#ifdef OPENSSL_IS_BORINGSSL +#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG) SSL_set_renegotiate_mode(BACKEND->handle, ssl_renegotiate_freely); #endif |