Added upstream patch to improve TLS 1.3 / OpenSSL 1.1.1 support.
Philipp Huebner
5 years ago
| 0 | From 9b25543cf1200e3b216996598771962461ea51c8 Mon Sep 17 00:00:00 2001 | |
| 1 | From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?= <pchmielowski@process-one.net> | |
| 2 | Date: Mon, 1 Oct 2018 18:25:36 +0200 | |
| 3 | Subject: [PATCH] Use SSL_OP_NO_RENEGOTIATION when available | |
| 4 | ||
| 5 | Our own method for detecting client renegotiations causes problems in | |
| 6 | openssl1.1.1 and TLS1.3, so let's make openssl care about handling this. | |
| 7 | --- | |
| 8 | c_src/fast_tls.c | 8 ++++++++ | |
| 9 | 1 file changed, 8 insertions(+) | |
| 10 | ||
| 11 | diff --git a/c_src/fast_tls.c b/c_src/fast_tls.c | |
| 12 | index 7799e53..e2d9a9c 100644 | |
| 13 | --- a/c_src/fast_tls.c | |
| 14 | +++ b/c_src/fast_tls.c | |
| 15 | @@ -386,12 +386,14 @@ static int setup_dh(SSL_CTX *ctx, char *dh_file) { | |
| 16 | ||
| 17 | #endif | |
| 18 | ||
| 19 | +#ifndef SSL_OP_NO_RENEGOTIATION | |
| 20 | static void ssl_info_callback(const SSL *s, int where, int ret) { | |
| 21 | state_t *d = (state_t *) SSL_get_ex_data(s, ssl_index); | |
| 22 | if ((where & SSL_CB_HANDSHAKE_START)) { | |
| 23 | d->handshakes++; | |
| 24 | } | |
| 25 | } | |
| 26 | +#endif | |
| 27 | ||
| 28 | static char *create_ssl_for_cert(char *, state_t *); | |
| 29 | ||
| 30 | @@ -553,7 +555,9 @@ static SSL_CTX *create_new_ctx(char *cert_file, char *ciphers, | |
| 31 | #endif | |
| 32 | SSL_CTX_set_verify(ctx, verifyopts, verify_callback); | |
| 33 | ||
| 34 | +#ifndef SSL_OP_NO_RENEGOTIATION | |
| 35 | SSL_CTX_set_info_callback(ctx, &ssl_info_callback); | |
| 36 | +#endif | |
| 37 | ||
| 38 | *err_str = NULL; | |
| 39 | return ctx; | |
| 40 | @@ -763,6 +767,10 @@ static ERL_NIF_TERM open_nif(ErlNifEnv *env, int argc, | |
| 41 | SSL_set_connect_state(state->ssl); | |
| 42 | } | |
| 43 | ||
| 44 | +#ifdef SSL_OP_NO_RENEGOTIATION | |
| 45 | + SSL_set_options(state->ssl, SSL_OP_NO_RENEGOTIATION); | |
| 46 | +#endif | |
| 47 | + | |
| 48 | ERL_NIF_TERM result = enif_make_resource(env, state); | |
| 49 | enif_release_resource(state); | |
| 50 | return OK_T(result); |