Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / e1f38dbb44ed7947a1036f7b267e9c2ca8aa9116
commite1f38dbb44ed7947a1036f7b267e9c2ca8aa9116[log] [tgz]
authorEmeric Brun <ebrun@exceliance.fr>Mon Sep 03 20:36:47 2012 +0200
committerWilly Tarreau <w@1wt.eu>Mon Sep 03 22:03:17 2012 +0200
treed148c6d4610fd32f4d7f278fcc0a617acf17c640
parent01f8e2f61b099b0d9270b84cd77cf091fe1d310d [diff]
MEDIUM: ssl: protect against client-initiated renegociation

CVE-2009-3555 suggests that client-initiated renegociation should be
prevented in the middle of data. The workaround here consists in having
the SSL layer notify our callback about a handshake occurring, which in
turn causes the connection to be marked in the error state if it was
already considered established (which means if a previous handshake was
completed). The result is that the connection with the client is immediately
aborted and any pending data are dropped.
3 files changed
tree: d148c6d4610fd32f4d7f278fcc0a617acf17c640
  1. contrib/
  2. doc/
  3. ebtree/
  4. examples/
  5. include/
  6. src/
  7. tests/
  8. .gitignore
  9. CHANGELOG
  10. LICENSE
  11. Makefile
  12. Makefile.bsd
  13. Makefile.osx
  14. README
  15. ROADMAP
  16. SUBVERS
  17. TODO
  18. VERDATE
  19. VERSION