From: Rainer Jung
Date: Wed, 10 Aug 2016 20:07:20 +0000 (+0000)
Subject: Support for OpenSSL 1.1.0:
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab225f0f1c2d35a721777609dc4d4231dc4aba6e;p=thirdparty%2Fapache%2Fhttpd.git
Support for OpenSSL 1.1.0:
- fix rejecting client initiated renegotiations
Backport of r1729968 from trunk.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755830 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 17f28942716..37a769eb6c3 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2134,17 +2134,19 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
 /* If the reneg state is to reject renegotiations, check the SSL
 * state machine and move to ABORT if a Client Hello is being
 * read. */
- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
- /* XXX: OpenSSL 1.1.0: Which state machine states to use instead of
- * SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A ? */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
 int state = SSL_get_state((SSL *)ssl);
 if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
+#else
+ if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_REJECT) {
+#endif
 scr->reneg_state = RENEG_ABORT;
 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) "rejecting client initiated renegotiation");
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 }
 #endif
 }
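Review bot: The 1.1.0 branch (`where & SSL_CB_HANDSHAKE_START`) no longer inspects the state machine, so any handshake start seen while `scr->reneg_state == RENEG_REJECT` is moved to `RENEG_ABORT` and logged as client initiated. That is only correct if code outside this hunk always takes `reneg_state` off `RENEG_REJECT` before the server starts a renegotiation of its own, and the new branch should carry a comment stating that assumption. The block is also hard to audit because the `{` opened in each preprocessor branch is closed under a separate `#if`; deciding the condition inside `#if`/`#else` and keeping a single `if` body, as sketched below, keeps the braces balanced in both builds. The enclosing ssl_callback_Info starts and ends outside the hunk.

```c
    if (scr->reneg_state == RENEG_REJECT) {
        int client_hello;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
        int state = SSL_get_state((SSL *)ssl);

        client_hello = (where & SSL_CB_ACCEPT_LOOP)
                       && (state == SSL3_ST_SR_CLNT_HELLO_A
                           || state == SSL23_ST_SR_CLNT_HELLO_A);
#else
        /* OpenSSL 1.1.0 hides the handshake states: treat any handshake
         * start seen in RENEG_REJECT as client initiated. Relies on the
         * server-side renegotiation path leaving RENEG_REJECT first. */
        client_hello = (where & SSL_CB_HANDSHAKE_START) != 0;
#endif
        if (client_hello) {
            scr->reneg_state = RENEG_ABORT;
            /* … unchanged: ap_log_cerror call … */
        }
    }
```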