Posted to cvs@httpd.apache.org by rj...@apache.org on 2016/02/12 11:03:48 UTC
svn commit: r1729968 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Author: rjung
Date: Fri Feb 12 10:03:48 2016
New Revision: 1729968
URL: http://svn.apache.org/viewvc?rev=1729968&view=rev
Log:
Support for OpenSSL 1.1.0:
- fix rejecting client initiated renegotiations
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1729968&r1=1729967&r2=1729968&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Feb 12 10:03:48 2016
@@ -2132,17 +2132,19 @@ void ssl_callback_Info(const SSL *ssl, i
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
- /* XXX: OpenSSL 1.1.0: Which state machine states to use instead of
- * SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A ? */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
int state = SSL_get_state((SSL *)ssl);
if (state == SSL3_ST_SR_CLNT_HELLO_A
|| state == SSL23_ST_SR_CLNT_HELLO_A) {
+#else
+ if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_REJECT) {
+#endif
scr->reneg_state = RENEG_ABORT;
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
"rejecting client initiated renegotiation");
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
}
#endif
}
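Review bot: The `#else` branch for OpenSSL 1.1.0 and later moves to `RENEG_ABORT` on any `SSL_CB_HANDSHAKE_START` seen while `scr->reneg_state == RENEG_REJECT`, without the Client Hello state check the older branch keeps. It is therefore only correct if code outside this hunk moves `reneg_state` off `RENEG_REJECT` before every handshake the server itself starts, and if this callback never runs in that state on connections where httpd acts as the TLS client. Neither is visible here, so both should be confirmed. The comment above the block still describes only the pre-1.1.0 check ("move to ABORT if a Client Hello is being read"), so I would add above the new condition `/* OpenSSL >= 1.1.0: no state check; any handshake start while in RENEG_REJECT is treated as a client-initiated renegotiation. */`. As a style point, the braces are now balanced across two separate `#if OPENSSL_VERSION_NUMBER < 0x10100000L` blocks, which is easy to break in a later edit; computing the condition into a local flag inside one `#if`/`#else` and following it with a single unconditional `if` would be more robust. `ssl_callback_Info` begins and ends outside the hunk.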