From: Dirkjan Bussink Date: Mon, 21 Jan 2019 17:35:03 +0000 (-0800) Subject: BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages X-Git-Tag: v2.0-dev1~179 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=526894ff3925d272c13e57926aa6b5d9d8ed5ee3;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages In OpenSSL 1.1.1 TLS 1.3 KeyUpdate messages will trigger the callback that is used to verify renegotiation is disabled. This means that these KeyUpdate messages fail. In OpenSSL 1.1.1 a better mechanism is available with the SSL_OP_NO_RENEGOTIATION flag that disables any TLS 1.2 and earlier negotiation. So if this SSL_OP_NO_RENEGOTIATION flag is available, instead of having a manual check, trust OpenSSL and disable the check. This means that TLS 1.3 KeyUpdate messages will work properly. Reported-By: Adam Langley --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 9153843be8..99d2a11fae 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1468,6 +1468,10 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret) BIO *write_bio; (void)ret; /* shut gcc stupid warning */ +#ifndef SSL_OP_NO_RENEGOTIATION + /* Please note that BoringSSL defines this macro to zero so don't + * change this to #if and do not assign a default value to this macro! + */ if (where & SSL_CB_HANDSHAKE_START) { /* Disable renegotiation (CVE-2009-3555) */ if ((conn->flags & (CO_FL_CONNECTED | CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == CO_FL_CONNECTED) { @@ -1475,6 +1479,7 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret) conn->err_code = CO_ER_SSL_RENEG; } } +#endif if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) { @@ -3895,6 +3900,11 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) options |= SSL_OP_NO_TICKET; if (bind_conf->ssl_options & BC_SSL_O_PREF_CLIE_CIPH) options &= ~SSL_OP_CIPHER_SERVER_PREFERENCE; + +#ifdef SSL_OP_NO_RENEGOTIATION + options |= SSL_OP_NO_RENEGOTIATION; +#endif + SSL_CTX_set_options(ctx, options); #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)