diff options
| author | jsing <> | 2025-03-12 14:03:55 +0000 |
|---|---|---|
| committer | jsing <> | 2025-03-12 14:03:55 +0000 |
| commit | cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af (patch) | |
| tree | 115a09cea80866af43519a40dfdd3e9409e4cc96 /src/lib/libssl/ssl.h | |
| parent | 93373bbf82b95dab0336951cf191b5fecde0597c (diff) | |
| download | openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.tar.gz openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.tar.bz2 openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.zip | |
Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.
In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a
SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an
active connection (client initiated renegotation). Then in May 2017 OpenSSL
added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION
warning alert if a server receives a ClientHello on an active connection
(client initiated renegotation), or a client receives a HelloRequest
(server requested renegotation). This option also causes calls to
SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021,
OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps
SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages
(apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard).
Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION,
primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION
is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION
ineffective. The rest of the behaviour should match OpenSSL, with the
exception of ClientHellos triggering fatal alerts instead of warnings.
ok tb@
Diffstat (limited to 'src/lib/libssl/ssl.h')
| -rw-r--r-- | src/lib/libssl/ssl.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 062c6dcbb9..a1ed22b778 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.246 2025/03/09 15:53:36 tb Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.247 2025/03/12 14:03:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -389,6 +389,10 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, | |||
| 389 | #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L | 389 | #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L |
| 390 | /* Disallow client initiated renegotiation. */ | 390 | /* Disallow client initiated renegotiation. */ |
| 391 | #define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L | 391 | #define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L |
| 392 | /* Disallow client and server initiated renegotiation. */ | ||
| 393 | #define SSL_OP_NO_RENEGOTIATION 0x00040000L | ||
| 394 | /* Allow client initiated renegotiation. */ | ||
| 395 | #define SSL_OP_ALLOW_CLIENT_RENEGOTIATION 0x00080000L | ||
| 392 | /* If set, always create a new key when using tmp_dh parameters */ | 396 | /* If set, always create a new key when using tmp_dh parameters */ |
| 393 | #define SSL_OP_SINGLE_DH_USE 0x00100000L | 397 | #define SSL_OP_SINGLE_DH_USE 0x00100000L |
| 394 | /* Set on servers to choose the cipher according to the server's | 398 | /* Set on servers to choose the cipher according to the server's |