On 5/5/20 6:04 PM, Joe Orton wrote:
> On Tue, May 05, 2020 at 03:23:18PM +0200, Ruediger Pluem wrote:
>> On 5/5/20 2:40 PM, jor...@apache.org wrote:
>>> Author: jorton
>>> Date: Tue May  5 12:40:38 2020
>>> New Revision: 1877397
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1877397&view=rev
>>> Log:
>>> mod_ssl: Switch to using SSL_OP_NO_RENEGOTATION (where available) to
>>> block client-initiated renegotiation with TLSv1.2 and earlier.
> ...
>>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>>> URL: 
>>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1877397&r1=1877396&r2=1877397&view=diff
>>> ==============================================================================
>>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
>>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue May  5 12:40:38 
>>> 2020
>>
>>> @@ -1182,8 +1182,6 @@ static int ssl_hook_Access_modern(reques
>>>                  return HTTP_FORBIDDEN;
>>>              }
>>>              
>>> -            old_state = sslconn->reneg_state;
>>> -            sslconn->reneg_state = RENEG_ALLOW;
>>>              modssl_set_app_data2(ssl, r);
>>>  
>>>              SSL_do_handshake(ssl);
>>> @@ -1193,7 +1191,6 @@ static int ssl_hook_Access_modern(reques
>>>               */
>>>              SSL_peek(ssl, peekbuf, 0);
>>>  
>>> -            sslconn->reneg_state = old_state;
>>>              modssl_set_app_data2(ssl, NULL);
>>>  
>>>              /*
>>
>> I don't understand why this can be removed unconditionally.
> 
> It is removed unconditionally in ssl_hook_Access_modern, which is used 
> only for TLSv1.3.  The aim of this code was to protect against 

Thanks for the pointer. I missed the

#if SSL_HAVE_PROTOCOL_TLSV1_3

in front of ssl_hook_Access_modern.

> 
> Does that make sense?

Yes :-)

Regards

RĂ¼diger

Reply via email to