Commit d40ec4ab authored Nov 10, 2015 by Matt Caswell

Stop DTLS servers asking for unsafe legacy renegotiation

If a DTLS client that does not support secure renegotiation connects to an
OpenSSL DTLS server then, by default, renegotiation is disabled. If a
server application attempts to initiate a renegotiation then OpenSSL is
supposed to prevent this. However due to a discrepancy between the TLS and
DTLS code, the server sends a HelloRequest anyway in DTLS.

This is not a security concern because the handshake will still fail later
in the process when the client responds with a ClientHello.

Reviewed-by: Tim Hudson <tjh@openssl.org>

parent 15a7164e

ssl/d1_srvr.c

+13 −0

Original line number	Diff line number	Diff line
		@@ -285,6 +285,19 @@ int dtls1_accept(SSL *s)
		ssl3_init_finished_mac(s);
		s->state = SSL3_ST_SR_CLNT_HELLO_A;
		s->ctx->stats.sess_accept++;
		} else if (!s->s3->send_connection_binding &&
		!(s->options &
		SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
		/*
		* Server attempting to renegotiate with client that doesn't
		* support secure renegotiation.
		*/
		SSLerr(SSL_F_DTLS1_ACCEPT,
		SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		ret = -1;
		s->state = SSL_ST_ERR;
		goto end;
		} else {
		/*
		* s->state == SSL_ST_RENEGOTIATE, we will just send a