Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 526894ff3925d272c13e57926aa6b5d9d8ed5ee3
commit526894ff3925d272c13e57926aa6b5d9d8ed5ee3[log] [tgz]
authorDirkjan Bussink <d.bussink@gmail.com>Mon Jan 21 09:35:03 2019 -0800
committerWilly Tarreau <w@1wt.eu>Wed Jan 23 09:51:22 2019 +0100
tree6d9e56cc91f9342dfbaf9f4504a22f4f0e751e1f
parent774c486cece942570b6a9d16afe236a16ee12079 [diff]
BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages

In OpenSSL 1.1.1 TLS 1.3 KeyUpdate messages will trigger the callback
that is used to verify renegotiation is disabled. This means that these
KeyUpdate messages fail. In OpenSSL 1.1.1 a better mechanism is
available with the SSL_OP_NO_RENEGOTIATION flag that disables any TLS
1.2 and earlier negotiation.

So if this SSL_OP_NO_RENEGOTIATION flag is available, instead of having
a manual check, trust OpenSSL and disable the check. This means that TLS
1.3 KeyUpdate messages will work properly.

Reported-By: Adam Langley <agl@imperialviolet.org>
1 file changed
tree: 6d9e56cc91f9342dfbaf9f4504a22f4f0e751e1f
  1. .github/
  2. contrib/
  3. doc/
  4. ebtree/
  5. examples/
  6. include/
  7. reg-tests/
  8. scripts/
  9. src/
  10. tests/
  11. .gitignore
  12. CHANGELOG
  13. CONTRIBUTING
  14. INSTALL
  15. LICENSE
  16. MAINTAINERS
  17. Makefile
  18. README
  19. ROADMAP
  20. SUBVERS
  21. VERDATE
  22. VERSION