[nginx] SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.

Maxim Dounin mdounin at mdounin.ru
Thu Dec 18 17:09:44 UTC 2014


details:   http://hg.nginx.org/nginx/rev/ee941e49bd88
branches:  
changeset: 5946:ee941e49bd88
user:      Lukas Tribus <luky-37 at hotmail.com>
date:      Wed Dec 17 15:12:50 2014 +0100
description:
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.

The flag was recently removed by BoringSSL.

diffstat:

 src/event/ngx_event_openssl.c |  4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diffs (19 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1146,11 +1146,15 @@ ngx_ssl_handshake(ngx_connection_t *c)
         c->recv_chain = ngx_ssl_recv_chain;
         c->send_chain = ngx_ssl_send_chain;
 
+#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+
         /* initial handshake done, disable renegotiation (CVE-2009-3555) */
         if (c->ssl->connection->s3) {
             c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
         }
 
+#endif
+
         return NGX_OK;
     }
 
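Review bot: with the new `#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` guard, a build against a library that does not define the macro silently compiles out the whole "disable renegotiation (CVE-2009-3555)" step after the initial handshake, and nothing in this hunk records what covers renegotiation in that case. Consider a short comment at the guard stating what such builds rely on instead, so the omission reads as a deliberate decision rather than a lost mitigation. Because the check is on a preprocessor macro, it only works while the flag stays a `#define` in the library headers. A note to that effect would help anyone porting to another TLS library.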


