diff options
author | Matt Caswell <matt@openssl.org> | 2015-11-10 15:17:42 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-11-10 19:27:25 +0000 |
commit | 78b9d13474e843205307da96ef348868fe6d71bb (patch) | |
tree | 0fddcca7fd13ac9a40dff7757f99b74cb1774c9e | |
parent | e83009840af76d06a13192be69c2b273ac7e96a0 (diff) |
Stop DTLS servers asking for unsafe legacy renegotiation
If a DTLS client that does not support secure renegotiation connects to an
OpenSSL DTLS server then, by default, renegotiation is disabled. If a
server application attempts to initiate a renegotiation then OpenSSL is
supposed to prevent this. However due to a discrepancy between the TLS and
DTLS code, the server sends a HelloRequest anyway in DTLS.
This is not a security concern because the handshake will still fail later
in the process when the client responds with a ClientHello.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d40ec4ab8e7c0ff39bf4f9918fbb9dfdca4c5221)
-rw-r--r-- | ssl/d1_srvr.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index d716f0aca5..f01b8a693f 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -267,6 +267,19 @@ int dtls1_accept(SSL *s) ssl3_init_finished_mac(s); s->state = SSL3_ST_SR_CLNT_HELLO_A; s->ctx->stats.sess_accept++; + } else if (!s->s3->send_connection_binding && + !(s->options & + SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + /* + * Server attempting to renegotiate with client that doesn't + * support secure renegotiation. + */ + SSLerr(SSL_F_DTLS1_ACCEPT, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + ret = -1; + s->state = SSL_ST_ERR; + goto end; } else { /* * s->state == SSL_ST_RENEGOTIATE, we will just send a |