Loading CHANGES +11 −0 Original line number Diff line number Diff line Loading @@ -863,6 +863,17 @@ Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx] *) If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by draft-ietf-tls-renegotiation. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requesting a renegotiation might well expect it to succeed and would have no code in place to handle the server denying it so the only safe thing to do is to terminate the connection. [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if peer supports secure renegotiation and 0 otherwise. Print out peer renegotiation support in s_client/s_server. Loading ssl/s3_pkt.c +34 −1 Original line number Diff line number Diff line Loading @@ -1139,7 +1139,25 @@ start: * now try again to obtain the (application) data we were asked for */ goto start; } /* If we are a server and get a client hello when renegotiation isn't * allowed send back a no renegotiation alert and carry on. * WARNING: experimental code, needs reviewing (steve) */ if (s->server && SSL_is_init_finished(s) && !s->s3->send_connection_binding && (s->version > SSL3_VERSION) && (s->s3->handshake_fragment_len >= 4) && (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && (s->session != NULL) && (s->session->cipher != NULL) && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { /*s->s3->handshake_fragment_len = 0;*/ rr->length = 0; ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); goto start; } if (s->s3->alert_fragment_len >= 2) { int alert_level = s->s3->alert_fragment[0]; Loading Loading @@ -1169,6 +1187,21 @@ start: s->shutdown |= SSL_RECEIVED_SHUTDOWN; return(0); } /* This is a warning but we receive it if we requested * renegotiation and the peer denied it. Terminate with * a fatal alert because if application tried to * renegotiatie it presumably had a good reason and * expects it to succeed. * * In future we might have a renegotiation where we * don't care if the peer refused it where we carry on. */ else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION); goto f_err; } } else if (alert_level == 2) /* fatal */ { Loading Loading
CHANGES +11 −0 Original line number Diff line number Diff line Loading @@ -863,6 +863,17 @@ Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx] *) If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by draft-ietf-tls-renegotiation. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requesting a renegotiation might well expect it to succeed and would have no code in place to handle the server denying it so the only safe thing to do is to terminate the connection. [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if peer supports secure renegotiation and 0 otherwise. Print out peer renegotiation support in s_client/s_server. Loading
ssl/s3_pkt.c +34 −1 Original line number Diff line number Diff line Loading @@ -1139,7 +1139,25 @@ start: * now try again to obtain the (application) data we were asked for */ goto start; } /* If we are a server and get a client hello when renegotiation isn't * allowed send back a no renegotiation alert and carry on. * WARNING: experimental code, needs reviewing (steve) */ if (s->server && SSL_is_init_finished(s) && !s->s3->send_connection_binding && (s->version > SSL3_VERSION) && (s->s3->handshake_fragment_len >= 4) && (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && (s->session != NULL) && (s->session->cipher != NULL) && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { /*s->s3->handshake_fragment_len = 0;*/ rr->length = 0; ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); goto start; } if (s->s3->alert_fragment_len >= 2) { int alert_level = s->s3->alert_fragment[0]; Loading Loading @@ -1169,6 +1187,21 @@ start: s->shutdown |= SSL_RECEIVED_SHUTDOWN; return(0); } /* This is a warning but we receive it if we requested * renegotiation and the peer denied it. Terminate with * a fatal alert because if application tried to * renegotiatie it presumably had a good reason and * expects it to succeed. * * In future we might have a renegotiation where we * don't care if the peer refused it where we carry on. */ else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION); goto f_err; } } else if (alert_level == 2) /* fatal */ { Loading
