| author | Sergey Kandaurov <pluknet@nginx.com> | 2017-05-03 15:15:56 +0300 |
|---|---|---|
| committer | Sergey Kandaurov <pluknet@nginx.com> | 2017-05-03 15:15:56 +0300 |
| commit | 99611988792cbc6a3355bb169bbc797bb6d6310f (patch) | |
| tree | 583686df5f8f963e618c03b45cefb43ae617d99b | |
| parent | 8449f750e62cd229026e9df3bd023ec7e073a7d4 (diff) | |
SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
In ac9b1df5b246 (1.13.0) we attempted to allow renegotiation in client mode,
but when using OpenSSL 1.0.2 or older versions it was additionally disabled
by SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
| -rw-r--r-- | src/event/ngx_event_openssl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index fdbd0c95d..2c4e11400 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1300,7 +1300,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
- if (c->ssl->connection->s3) {
+ if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
 }
|
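Review bot: The comment above the changed condition still describes the renegotiation lockout as unconditional, but after this change the flag is set only when `SSL_is_server()` is true, so client-mode connections keep renegotiation enabled after the initial handshake. I would update it to say so, for example `/* initial handshake done, disable renegotiation on server-side connections (CVE-2009-3555); client mode is left enabled */`, so that a later reader auditing the CVE-2009-3555 mitigation does not assume it covers both roles. `SSL_is_server()` is not declared in this hunk; because the block is compiled whenever `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` is defined, it is worth confirming that every OpenSSL version defining that flag also provides the function, or that a compatibility definition exists elsewhere in the tree. The body of `ngx_ssl_handshake()` starts and ends outside the hunk, so the surrounding handshake state checks are not visible here.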
