> On 20 May 2021, at 13:00, Michael Paquier <mich...@paquier.xyz> wrote:
> - SSL_OP_NO_RENEGOTIATION controls that. It is present in OpenSSL >= > 1.1.1 and has been backported in 1.1.0h (it is not present in older > versions of 1.1.0). For OpenSSL 1.1.0 versions < 1.1.0h it will be silently accepted without actually doing anything, so we might want to combine it with the below. > - In 1.0.2 and older versions, OpenSSL has an undocumented flag called > SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS, able to do the same as far as I > understand. Well, it's documented in the changelog that it's undocumented (sigh..) along with a note stating that it works like SSL_OP_NO_RENEGOTIATION. Skimming the code it seems to ring true. For older OpenSSL versions there's also SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which controls renegotiation for an older OpenSSL reneg bug. That applies to 0.9.8 versions which we don't support, but a malicious user can craft whatever they feel like so maybe we should ensure it's off as well? > Could there be a point in backpatching that, in light of what we have done in > 48d23c72 in the past, though? I think there is merit to that idea, especially given the precedent. > Thoughts? + /* disallow SSL renegociation, option available since 1.1.0h */ s/renegociation/renegotiation/ +1 on disabling renegotiation, but I think it's worth considering using SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS as well. One could also argue that extending the comment with a note that it only applies to TLSv1.2 and lower could be helpful to readers who aren't familiar with TLS protocol versions. TLSv1.3 did away with renegotiation. -- Daniel Gustafsson https://vmware.com/