Author njs
Recipients christian.heimes, chuq, njs
Date 2017-12-10.20:21:26
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1512937286.84.0.213398074469.issue32257@psf.upfronthosting.co.za>
In-reply-to
Content
It looks like openssl master has SSL_OP_NO_RENEGOTIATION: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html

Before that, I guess one could use SSL_CTX_sess_{connect,accept}_renegotiate to detect when a renegotiation has occurred and then error out? Admittedly this is more effective in nonblocking or memorybio mode. Or you could do something similar with the info callback: allow the current operation to succeed, but mark the connection as "poisoned". (Heck, in socket bio mode you could flat out close the socket. That'll shut things down.)

For bonus annoyance, note that RFC 7240 does allow implementations to support renegotiation that happens before any data is exchanged, to allow for the encrypted client cert hack.
History
Date User Action Args
2017-12-10 20:21:26njssetrecipients: + njs, christian.heimes, chuq
2017-12-10 20:21:26njssetmessageid: <1512937286.84.0.213398074469.issue32257@psf.upfronthosting.co.za>
2017-12-10 20:21:26njslinkissue32257 messages
2017-12-10 20:21:26njscreate