Can't prevent client renegotiation like you could 1.0.2

[mattcaswell]

This post to openssl-users points out that we have removed the ability to turn off client renegotiation as a result of the opacity work:

https://mta.openssl.org/pipermail/openssl-users/2017-November/006922.html

The text from that email:

I am referring to the DoS via repeated SSL session renegotiations (http://kalilinuxtutorials.com/thc-ssl-dos/).

Prior to OpenSSL 1.1.0 the approach to deactivate client renegotiation was to set the corresponding flag via a callback function, e.g. :

SSL *connection;
...
connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;

The problem now is, that this approach does not work for OpenSSL 1.1.0, because the "flags" are not accessible any longer.
It also seems that there is no *_set_flags() function for deactivating client renegotiation.

[mattcaswell]

We removed this flag from master in commit 0386aad. That may have been a mistake.

[t-j-h]

Do you plan to revert that commit that took out the flag?

[mattcaswell]

That seems like the right answer, but unfortunately the commit will not revert (too much has changed in the meantime). So it will have to be done "by hand". It's also not sufficient because the flag still won't be accessible, so we will need to introduce some new API (and probably back port it to 1.1.0).

[t-j-h]

Understood. I assume a PR will appear shortly from you that does both - and you will add both a setter and getter for the flags ... in the same PR or a separate one.

[mattcaswell]

Yes...but probably it will be specific to this particular flag rather than a general flag getter/setter. I think on the whole these flags are internal only and we don't want to expose them (but I will evaluate all of them).

[t-j-h]

I think differently - as if they are purely internal then why are they in ssl.h?
I don't see an issue with generic set/get ... but if you think all the flags are internal only then it would make sense to move them to an internal header file ... and provide separate functions for the logical items that should be able to be set and tested.

[kaduk]

We do have a generic "no renegotiation" SSL option that came in via #3432 -- I'm not sure I understand how this behavior is different from what is offered by that option.

[mattcaswell]

I think differently - as if they are purely internal then why are they in ssl.h?

They're in ssl.h from a time when everything was in ssl.h. We just forgot to remove them when we did the opacity work. We should probably remove them now because nothing can use those flags anyway.

[mattcaswell]

We do have a generic "no renegotiation" SSL option that came in via #3432 -- I'm not sure I understand how this behavior is different from what is offered by that option.

@kaduk - perhaps just backporting that functionality to 1.1.0 would be sufficient?

[tiran]

The issue came up on CPython's bug tracker, too, https://bugs.python.org/issue32257. I'd appreciate a backport to 1.1.0 and a recommended API for 1.0.2. The 1.0.2 flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is not documented and the callback approach is a hack (IMHO).

On Python's bug tracker @njsmith pointed out that disabled renegotiation is required for HTTP/2 servers by https://tools.ietf.org/html/rfc7540#section-9.2.1

A deployment of HTTP/2 over TLS 1.2 MUST disable renegotiation. An endpoint MUST treat a TLS renegotiation as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.

Right now there is no easy way to implement a HTTP/2 conform TLS server with OpenSSL. Apache mod_ssl works around the issue with some complicated code. The module tracks the state of the connection manually and uses a custom BIO (!) to abort the connection when a client sends a renegotiation request after application data has been sent.

[mattcaswell]

I agree that we should backport the SSL_OP_NO_RENEGOTIATION functionality to 1.1.0. That seems the most sensible way forward.

I'd appreciate a backport to 1.1.0 and a recommended API for 1.0.2. The 1.0.2 flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is not documented and the callback approach is a hack (IMHO).

I think its highly unlikely we will backport SSL_OP_NO_RENEGOTIATION to 1.0.2, so probably the only way to go is to use SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.