Stop DTLS servers asking for unsafe legacy renegotiation
If a DTLS client that does not support secure renegotiation connects to an OpenSSL DTLS server then, by default, renegotiation is disabled. If a server application attempts to initiate a renegotiation then OpenSSL is supposed to prevent this. However, due to a discrepancy between the TLS and DTLS code, the server sends a HelloRequest anyway in DTLS. This is not a security concern because the handshake will still fail later in the process when the client responds with a ClientHello. Reviewed-by: Tim Hudson <tjh@openssl.org>
parent
15a7164eb7
commit
d40ec4ab8e
@ -285,6 +285,19 @@ int dtls1_accept(SSL *s)
|
|||||||
ssl3_init_finished_mac(s);
|
ssl3_init_finished_mac(s);
|
||||||
s->state = SSL3_ST_SR_CLNT_HELLO_A;
|
s->state = SSL3_ST_SR_CLNT_HELLO_A;
|
||||||
s->ctx->stats.sess_accept++;
|
s->ctx->stats.sess_accept++;
|
||||||
|
} else if (!s->s3->send_connection_binding &&
|
||||||
|
!(s->options &
|
||||||
|
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
|
||||||
|
/*
|
||||||
|
* Server attempting to renegotiate with client that doesn't
|
||||||
|
* support secure renegotiation.
|
||||||
|
*/
|
||||||
|
SSLerr(SSL_F_DTLS1_ACCEPT,
|
||||||
|
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||||
|
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
||||||
|
ret = -1;
|
||||||
|
s->state = SSL_ST_ERR;
|
||||||
|
goto end;
|
||||||
} else {
|
} else {
|
||||||
/*
|
/*
|
||||||
* s->state == SSL_ST_RENEGOTIATE, we will just send a
|
* s->state == SSL_ST_RENEGOTIATE, we will just send a
|
||||||
|
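Review bot: The new `else if` branch on the renegotiation path fails the whole connection (fatal `SSL_AD_HANDSHAKE_FAILURE` alert, `ret = -1`, `s->state = SSL_ST_ERR`) rather than only declining the server-initiated renegotiation, and the added comment does not tell the reader that. I would extend the comment to say so, for example `* support secure renegotiation. Refuse before any HelloRequest is sent; the connection is failed.`, and note that `send_connection_binding` is the flag recording whether the client offered secure renegotiation, if that is indeed what it tracks (its assignment is not visible here). Since the commit message attributes the bug to the TLS and DTLS server code drifting apart, a regression test would help: a DTLS server requesting renegotiation against a client without secure-renegotiation support should get `SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED` and emit no HelloRequest. No test is visible on this page. `dtls1_accept` begins and ends outside the hunk, so the surrounding state handling was not reviewed.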