openssl: disable TLS renegotiation with BoringSSL

Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.

This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.

Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
This commit is contained in:
Daniel Stenberg 2018-11-20 23:48:30 +01:00
parent 6765e6d9e6
commit 59311bd3df
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -82,6 +82,13 @@
#include "curl_memory.h"
#include "memdebug.h"
/* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS
renegotiations when built with BoringSSL. Renegotiating is non-compliant
with HTTP/2 and "an extremely dangerous protocol feature". Beware.
#define ALLOW_RENEG 1
*/
#ifndef OPENSSL_VERSION_NUMBER
#error "OPENSSL_VERSION_NUMBER not defined"
#endif
@ -2604,7 +2611,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
SSL_set_tlsext_status_type(BACKEND->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
#ifdef OPENSSL_IS_BORINGSSL
#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)
SSL_set_renegotiate_mode(BACKEND->handle, ssl_renegotiate_freely);
#endif