How to disable ssl renegotiation? #21666
-
Replies: 19 comments 13 replies
-
Assuming you are using OpenSSL 1.1.1 or above, you should call https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.html
-
pkg-config --cflags openssl
openssl version
When I compile my service, it reports the following error:
What is the reason?
-
That is an entirely separate question - please raise a different issue for it.
-
When I issue my service to another machine using libssl.so.1.1, according to what you said
I should call SSL_CTX_set_options with SSL_OP_NO_RENEGOTIATION?
-
The current problem is that I have compiled my service successfully in an openssl include directory (temporarily
-
If my openssl version is below 1.1.1, how do I disable ssl renegotiation?
-
It's not really properly supported or documented prior to that version. In 1.0.2 you should be able to do this:
But that will fail to compile in later versions.
-
I have done it like this:
static void dv_handshake_callback(const SSL *ssl, int type, int val)
-
Why do you need to set this via the info callback? Just set the flag after you create the SSL object.
-
I have replaced libssl.so.1.1 with libssl.so.1.0.0; it's OK.
HEAD / HTTP/1.0
-
You mean this?
-
No... I mean wherever you create the SSL object via SSL_new().
-
After HEAD / HTTP/1.0
-
Were you able to achieve disabling renegotiation by setting ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS?
-
@deepakjain111, I set it in both places.
-
@okayabc: It is not working if I set the flag after SSL_new, whereas if I set it through the callback function then it hangs/blocks the renegotiation request, that is, it works.
static void ssl_info_callback(const SSL *ssl, int what, int ret)
Should we really set the flag after SSL_new?
P.S.: I am using OpenSSL 1.0.2 as well as 1.1.
-
I can't think of a good reason why it wouldn't work at that point. I had a quick grep through the source and can't find a location where this flag might get reset. To test properly someone would have to put this through a debugger to figure out why it doesn't work.
-
Hey Everyone, I ran into the same issue, i.e. I can disable renegotiations when using a callback like the above 'ssl_info_callback()', but cannot disable it when setting the flag right after SSL_new(). Though I can disable renegotiations if I set the flag after SSL_accept(). So I created a debug build of OpenSSL_1_0_2-stable (12ad22d), and checked what resets the flag:
It is getting reset in SSL_accept().
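The thread's two findings, stated as runnable code: on OpenSSL 1.1.1 and later the supported switch is the SSL_OP_NO_RENEGOTIATION context option (set once on the SSL_CTX, so every SSL object inherits it and no info callback is needed), and on older builds there is no documented switch at all. This is an added example, not code from the thread or from the OpenSSL project. It is written against Python's standard ssl module, which wraps the same SSL_CTX option (exposed as ssl.OP_NO_RENEGOTIATION), and assumes CPython was built against OpenSSL 1.1.1 or newer; on an older libssl the constant is absent and the code refuses to proceed rather than silently leaving renegotiation enabled. The 1.0.2 per-connection ssl->s3->flags hack discussed above is not reachable from Python and is not shown.

```python
"""Disable TLS renegotiation through Python's ssl module (OpenSSL binding).

Added example, not code from the discussion or from OpenSSL. Assumes a
CPython built against OpenSSL 1.1.1+, where SSL_OP_NO_RENEGOTIATION exists.
"""
import ssl


def supports_no_renegotiation() -> bool:
    """True when the linked libssl (and this Python build) expose the option.

    Checking for the attribute is more robust than parsing the version
    string: the name only exists when _ssl was compiled against a libssl
    that defines SSL_OP_NO_RENEGOTIATION (OpenSSL 1.1.0h and later).
    """
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """Read the option back from the SSL_CTX (the SSL_CTX_get_options view)."""
    if not supports_no_renegotiation():
        return False
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)


def disable_renegotiation(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Set SSL_OP_NO_RENEGOTIATION on the context.

    Equivalent to SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION): do it
    once on the SSL_CTX before any connection is wrapped, and every SSL
    object created from that context inherits the setting. Fails loudly on
    a libssl that cannot enforce it instead of leaving renegotiation on.
    """
    if not supports_no_renegotiation():
        raise RuntimeError(
            f"{ssl.OPENSSL_VERSION} lacks SSL_OP_NO_RENEGOTIATION; "
            "upgrade to OpenSSL 1.1.1 or newer"
        )
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def make_server_context(no_renegotiation: bool = True) -> ssl.SSLContext:
    """Build a server SSL_CTX; Python's default context leaves renegotiation on.

    Pass no_renegotiation=False to get the weak (default) setting for
    comparison. The option only matters for TLS 1.2 and below: TLS 1.3
    removed renegotiation from the protocol, so the flag is redundant
    (but harmless) on a 1.3-only context.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if no_renegotiation:
        disable_renegotiation(ctx)
    return ctx


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    weak = make_server_context(no_renegotiation=False)
    hardened = make_server_context()
    print("default context disables renegotiation:", renegotiation_disabled(weak))
    print("hardened context disables renegotiation:", renegotiation_disabled(hardened))
```

Load the server certificate and key into the returned context with load_cert_chain() before wrapping sockets; the option survives that and applies to every connection the context produces, which is the context-level answer to "why set it in the info callback?".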