From f0ef019da28a7b8ad81f65c2fbd2fcc9c88e5c52 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 27 Mar 2014 15:51:25 +0000 Subject: [PATCH] Add -no_resumption_on_reneg to SSL_CONF. (cherry picked from commit 1f44dac24d1cb752b1a06be9091bb03a88a8598e) --- apps/s_server.c | 7 ------- doc/ssl/SSL_CONF_cmd.pod | 7 +++++++ ssl/ssl_conf.c | 2 ++ 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index f757f3caa1..eb3c866963 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1058,7 +1058,6 @@ int MAIN(int argc, char *argv[]) EVP_PKEY *s_key = NULL, *s_dkey = NULL; int no_cache = 0, ext_cache = 0; int rev = 0, naccept = -1; - int c_no_resumption_on_reneg = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; @@ -1183,10 +1182,6 @@ int MAIN(int argc, char *argv[]) c_auth = 1; } #endif - else if (strcmp(*argv, "-no_resumption_on_reneg") == 0) - { - c_no_resumption_on_reneg = 1; - } else if (strcmp(*argv,"-auth_require_reneg") == 0) { c_auth_require_reneg = 1; @@ -1963,8 +1958,6 @@ bad: } #endif - if (c_no_resumption_on_reneg) - SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index a8ab16875a..bbda10a76a 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -133,6 +133,10 @@ Use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to B. Only used by servers. +=item B<-no_resumption_on_reneg> + +set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. + =item B<-legacyrenegotiation> permits the use of unsafe legacy renegotiation. Equivalent to setting @@ -292,6 +296,9 @@ determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to B. Only used by servers. +B set +B flag. Only used by servers. + B permits the use of unsafe legacy renegotiation. Equivalent to B. diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 419400aa24..cdefd206a2 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -212,6 +212,7 @@ static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd) SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE), SSL_FLAG_TBL("legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), SSL_FLAG_TBL_SRV("legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT), + SSL_FLAG_TBL_SRV("no_resumption_on_reneg", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT), SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT), #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL @@ -355,6 +356,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL("Bugs", SSL_OP_ALL), SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), + SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),