openssl: support BoringSSL TLS renegotiation

As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.

curl fails when trying to authenticate to the server through a client
certificate if it is requested by the server after the initial TLS
handshake.

Enable renegotiation by default with BoringSSL to get the same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2],
which was introduced in commit 1d5ef3bb1eb9 [3].

1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86

Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259
Jérémy Rocher 2018-11-09 14:05:26 +01:00 committed by Daniel Stenberg
parent a1aabed817
commit 27cb384679
GPG Key ID: 5CC908FDB71E12C2


@ -2610,6 +2610,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
SSL_set_tlsext_status_type(BACKEND->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
#ifdef OPENSSL_IS_BORINGSSL
SSL_set_renegotiate_mode(BACKEND->handle, ssl_renegotiate_freely);
#endif
SSL_set_connect_state(BACKEND->handle);
BACKEND->server_cert = 0x0;
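Review bot: the `SSL_set_renegotiate_mode(BACKEND->handle, ssl_renegotiate_freely);` line added under `#ifdef OPENSSL_IS_BORINGSSL` has no comment explaining why BoringSSL's default of rejecting peer renegotiation is being overridden; add a one-line comment saying it is needed for servers that request a client certificate after the initial handshake (with the PORTING.md link from the commit message), so a later reader does not strip it as a hardening regression. Note also that the mode is switched on for every BoringSSL connection, not only when a client certificate is configured; if the intent is exact parity with the OpenSSL build that is reasonable, but it should be stated next to the call rather than left implicit.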