From 59311bd3df5da6342312b5dc9b6c91fc2be77d4f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 20 Nov 2018 23:48:30 +0100
Subject: openssl: disable TLS renegotiation with BoringSSL

Since we're close to feature freeze, this change disables this feature with an #ifdef. Define ALLOW_RENEG at build-time to enable. This could be converted to a bit for CURLOPT_SSL_OPTIONS to let applications opt-in this.

Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
---
 lib/vtls/openssl.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2f67595f2..f5c6fabb4 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -82,6 +82,13 @@
 #include "curl_memory.h"
 #include "memdebug.h"
 
+/* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS renegotiations when built with BoringSSL. Renegotiating is non-compliant with HTTP/2 and "an extremely dangerous protocol feature". Beware.
+
+#define ALLOW_RENEG 1
+ */
+
 #ifndef OPENSSL_VERSION_NUMBER
 #error "OPENSSL_VERSION_NUMBER not defined"
 #endif
@@ -2604,7 +2611,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
   SSL_set_tlsext_status_type(BACKEND->handle, TLSEXT_STATUSTYPE_ocsp);
 #endif
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)
  SSL_set_renegotiate_mode(BACKEND->handle, ssl_renegotiate_freely);
 #endif
 
-- 
cgit v1.2.1
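Review bot: The new `#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)` guard in the second hunk changes observable behaviour for every default BoringSSL build, but nothing at the call site records that: with the `SSL_set_renegotiate_mode` call compiled out, BoringSSL falls back to its own default mode (ssl_renegotiate_never, as far as I know), so a server-initiated renegotiation request should now fail the connection instead of being honoured. That consequence is only implied by the commented-out `#define` block added in the first hunk, which a reader of ossl_connect_step1 will not see. I would add a comment directly above the `#if`: `/* Without ALLOW_RENEG the BoringSSL default (no renegotiation) applies; a server HelloRequest will abort the connection. See the ALLOW_RENEG note near the top of this file. */`. The first hunk's comment says to "uncomment" the define, but because the guard uses `defined()`, `-DALLOW_RENEG` on the compiler command line works as well, which matches the commit message better and is worth stating there so nobody edits the source. ossl_connect_step1 starts and ends outside the hunk.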