MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.

commit: e1f38dbb44ed7947a1036f7b267e9c2ca8aa9116 [log] [tgz]
author: Emeric Brun <ebrun@exceliance.fr> Mon Sep 03 20:36:47 2012 +0200
committer: Willy Tarreau <w@1wt.eu> Mon Sep 03 22:03:17 2012 +0200
tree: d148c6d4610fd32f4d7f278fcc0a617acf17c640
parent: 01f8e2f61b099b0d9270b84cd77cf091fe1d310d [diff] [blame]
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index c37bcdc..c630f08 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h

@@ -26,6 +26,7 @@
 
 extern struct data_ops ssl_sock;
 int ssl_sock_handshake(struct connection *conn, unsigned int flag);
+void ssl_sock_infocbk(const SSL *ssl, int where, int ret);
 
 #endif /* _PROTO_SSL_SOCK_H */
commit	e1f38dbb44ed7947a1036f7b267e9c2ca8aa9116	[log] [tgz]
author	Emeric Brun <ebrun@exceliance.fr>	Mon Sep 03 20:36:47 2012 +0200
committer	Willy Tarreau <w@1wt.eu>	Mon Sep 03 22:03:17 2012 +0200
tree	d148c6d4610fd32f4d7f278fcc0a617acf17c640
parent	01f8e2f61b099b0d9270b84cd77cf091fe1d310d [diff] [blame]