Skip to content

Commit

Permalink
src: set SSL_OP_ALLOW_CLIENT_RENEGOTIATION
Browse files Browse the repository at this point in the history
This commit sets SSL_OP_ALLOW_CLIENT_RENEGOTIATION for OpenSSL 3.0 as
this option is not set by default as it was in  previous versions.

Without this option set there are a few tests that fail when linked
against OpenSSl 3.0.0-alpha-17, for example
test-https-client-renegotiation-limit.js.

I'm not sure we should be setting this for OpenSSL 3.0 or not, but
I'll take a closer look at the implications but if nothing else this
would allow for us to update to alpha-17 in the mean time.

PR-URL: #38753
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
  • Loading branch information
danbev authored and nodejs-github-bot committed Jul 16, 2021
1 parent 1efa8fe commit 44e3822
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/crypto/crypto_context.cc
Original file line number Diff line number Diff line change
Expand Up @@ -475,6 +475,9 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
// SSLv3 is disabled because it's susceptible to downgrade attacks (POODLE.)
SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv2);
SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv3);
#if OPENSSL_VERSION_MAJOR >= 3
SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
#endif

// Enable automatic cert chaining. This is enabled by default in OpenSSL, but
// disabled by default in BoringSSL. Enable it explicitly to make the
Expand Down

0 comments on commit 44e3822

Please sign in to comment.