Commit df47f551 authored by Rainer Jung

Support for OpenSSL 1.1.0:

- fix rejecting client initiated renegotiations

Backport of r1729968 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755830 13f79535-47bb-0310-9956-ffa450edef68
parent 1c715947
+5 −3
@@ -2134,17 +2134,19 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
    /* If the reneg state is to reject renegotiations, check the SSL
     * state machine and move to ABORT if a Client Hello is being
     * read. */
    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
    /* XXX: OpenSSL 1.1.0: Which state machine states to use instead of
     * SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A ? */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
        int state = SSL_get_state((SSL *)ssl);

        if (state == SSL3_ST_SR_CLNT_HELLO_A
            || state == SSL23_ST_SR_CLNT_HELLO_A) {
#else
    if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_REJECT) {
#endif
            scr->reneg_state = RENEG_ABORT;
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
                          "rejecting client initiated renegotiation");
#if OPENSSL_VERSION_NUMBER < 0x10100000L
        }
#endif
    }
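Review bot: The new `SSL_CB_HANDSHAKE_START` arm answers the question the removed XXX comment asked, but leaves no explanation of why that event is the 1.1.0 replacement for the `SSL3_ST_SR_CLNT_HELLO_A` / `SSL23_ST_SR_CLNT_HELLO_A` state check, and the two preprocessor arms open the body at different brace depths (the 1.1.0 arm's inner `}` is itself `#if`-guarded while the `#else` arm's `if` is closed by the final unguarded `}`), which the next editor can easily break. I would add, above the `#else` line, `/* OpenSSL 1.1.0 hides the handshake state machine; SSL_CB_HANDSHAKE_START is raised once a new (re)negotiation begins, so with reneg_state already RENEG_REJECT it can only be a client-initiated renegotiation. */` and, after the guarded inner `}`, `/* closes the pre-1.1.0 state check only */`. Note also that HANDSHAKE_START is raised for every handshake start rather than specifically for a Client Hello being read, so this relies on reneg_state being set to RENEG_REJECT only after the initial handshake and not while the server itself renegotiates — that logic is outside this hunk and should be confirmed, as should the behaviour if this branch is ever built against a later OpenSSL where post-handshake messages also signal HANDSHAKE_START. ssl_callback_Info begins before this hunk.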