Re: Force disable of SSL renegociation in the server

On Fri, May 21, 2021 at 10:41:34AM +0900, Michael Paquier wrote:
> This one can be set within ssl->s3->flags in the port information.
> Still that's not completely feasable either as some versions of
> OpenSSL hide the internals of a bunch of internal structures, and some
> distributions patch the upstream code? At the end of the day, I think
> that I would stick with simplicity and use SSL_OP_NO_RENEGOTIATION.
> It is not our job to go around any decision OpenSSL has poorly done
> either over the years. At least this part is officially documented :)

I got to look at that in details, and the attached would be able to do
the job with OpenSSL 1.0.2 and older versions. The main idea is to
set up SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS once the SSL object is
created when opening the TLS connection to business. I have tested
that down to 0.9.8 on all supported branches with the protocols we
support (heads up to ssl_min_protocol_version here), and that looks to
work as I'd expect.

It is not a good idea to rely on OPENSSL_VERSION_NUMBER for such
version checks as I am doing here, as we've been bitten with
compatibility with LibreSSL in the past. So this had better use a
check based on HAVE_OPENSSL_INIT_SSL to make sure that 1.1.0 is the
version of OpenSSL used. Anyway, I really don't like using this
undocumented option, and there is nothing that can be done with
OpenSSL < 1.1.0h in the 1.1.0 series as the s3 part of the *SSL object
gets hidden to the application, so it is not possible to set
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS there. And so, I would like to
stick with a backpatch here, only for the part of the patch involving
be_tls_init(). Full patch is attached for reference.

While on it, I have added a comment about TLSv1.2 being the last
protocol supporting renegotiation.

Any objections?
--
Michael