Disable TLS renegotiation and fix compile error on OpenBSD #9943
base: master
Conversation
ok with me!
I have absolutely no clue about OpenBSD, but how do you turn off tls renegotiation then?
That's the neat part, you don't! It's already the default. https://github.com/libressl/portable/blob/68ad61fd6d199607af327188c2dad0779f98fa46/ChangeLog#L2316-L2318
🤷
lib/base/tlsutility.cpp (outdated)

```cpp
# ifdef SSL_OP_NO_RENEGOTIATION
	flags |= SSL_OP_NO_RENEGOTIATION;
# endif /* SSL_OP_NO_RENEGOTIATION */
```
Is there some macro that could be used to detect LibreSSL? If OpenSSL would change something with SSL_OP_NO_RENEGOTIATION (something like renaming it in v4, I hope they don't, but they probably could), this code would probably still compile, but I'd argue that this would be a situation someone should look into, so it would be better if we check for the library we're writing this for rather than the existence of some constant.
There should be both LIBRESSL_VERSION_NUMBER and LIBRESSL_VERSION_TEXT, as described in OPENSSL_VERSION_NUMBER(3). (Note: man.openbsd.org currently has operational difficulties, that's why this man mirror was used.)
Normally we'd suggest not checking based on library name/version.
The same concern would apply to pretty much any other change that openssl could conceivably make to their API...
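As an added example for the detection question discussed above (not code from the PR or from the project): the unit below combines both approaches, gating first on the feature macro SSL_OP_NO_RENEGOTIATION, then on the library identity macro LIBRESSL_VERSION_NUMBER, and turning the "unknown library, flag missing" case into a build error so it cannot silently compile into a binary that still allows renegotiation. It also decodes the 0xMNNFFPPS layout of OPENSSL_VERSION_NUMBER / LIBRESSL_VERSION_NUMBER that the linked man page describes. The stand-in macro values used when no OpenSSL/LibreSSL headers are installed, and the names DecodeVersionNumber, PlanRenegotiationOptions and OptionsCoverPlan, are assumptions made for this illustration.

```cpp
// Added example for this review thread; not code from the project or the PR.
// Assumption: OpenSSL/LibreSSL headers may be absent on the compiling machine,
// in which case illustrative stand-in macros are defined below.
#include <cstdint>
#include <string>

#if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
#else
// Stand-ins for illustration only (values mimic OpenSSL 1.1.1w); the real
// definitions come from <openssl/ssl.h> and <openssl/opensslv.h>.
#  define OPENSSL_VERSION_NUMBER 0x1010117fL
#  define SSL_OP_NO_RENEGOTIATION 0x40000000U
#endif

enum class RenegotiationStrategy {
    ExplicitFlag,    // OR SSL_OP_NO_RENEGOTIATION into the context options
    LibraryDefault   // no flag available; rely on (and verify) the library default
};

struct TlsOptionPlan {
    RenegotiationStrategy strategy;
    std::uint64_t options;   // bits for SSL_CTX_set_options(); 0 = nothing to set
    std::string library;
};

// Version macro layout 0xMNNFFPPS: major, minor, fix, patch, status.
struct LibVersion { unsigned major, minor, fix, patch, status; };

inline LibVersion DecodeVersionNumber(std::uint64_t v)
{
    return { static_cast<unsigned>((v >> 28) & 0xF),
             static_cast<unsigned>((v >> 20) & 0xFF),
             static_cast<unsigned>((v >> 12) & 0xFF),
             static_cast<unsigned>((v >> 4) & 0xFF),
             static_cast<unsigned>(v & 0xF) };
}

// Library identity: LibreSSL defines LIBRESSL_VERSION_NUMBER, OpenSSL does not.
inline const char* DetectedLibrary()
{
#if defined(LIBRESSL_VERSION_NUMBER)
    return "LibreSSL";
#else
    return "OpenSSL";
#endif
}

// Compile-time decision: the preprocessor picks exactly one branch, and the
// final #else fails the build instead of producing a binary that still
// permits renegotiation because the flag quietly went missing.
inline TlsOptionPlan PlanRenegotiationOptions()
{
#if defined(SSL_OP_NO_RENEGOTIATION)
    return { RenegotiationStrategy::ExplicitFlag,
             static_cast<std::uint64_t>(SSL_OP_NO_RENEGOTIATION),
             DetectedLibrary() };
#elif defined(LIBRESSL_VERSION_NUMBER)
    // LibreSSL without the flag: nothing to OR in. Whether renegotiation is
    // really off must be checked against the LibreSSL version actually in use.
    return { RenegotiationStrategy::LibraryDefault, 0, DetectedLibrary() };
#else
#  error "Unknown TLS library without SSL_OP_NO_RENEGOTIATION; review before building"
#endif
}

// Runtime check after SSL_CTX_set_options(): pass the value returned by
// SSL_CTX_get_options() and confirm every planned bit is actually in effect.
inline bool OptionsCoverPlan(std::uint64_t effective_options, const TlsOptionPlan& plan)
{
    return (effective_options & plan.options) == plan.options;
}
```

The point of the #error branch is the reviewer's concern: if a future OpenSSL renames the constant, the build stops and someone has to look, rather than the flag silently disappearing. The runtime check is the other half a practitioner wants, because SSL_CTX_set_options() returns the merged mask and a mismatch there means the hardening is not actually in effect.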
a73b724 to 1b3be52
Actually, despite what I thought, v2.14.0 from ports allows renegotiation by default:
However with
under patches/:
@sthen Ok?