danez closed this 10 years ago
Fix committed in 1509c90.
Wow, thanks, that was fast. Gonna try it now. - Works perfectly.
It appears that the fix does not mitigate the threat at all, because libevent steals handshake packets and we have no way to drop the connection in our callback. The proper fix would be to use the libevent filter-based OpenSSL bufferevent and check for renegotiation on the underlying bufferevent (but I have to see whether this is feasible).
All right, I made several commits to solve this issue.
Thanks
I just read this and noticed that shrpx still supports client renegotiation. It would be nice to have the possibility to disable this (it should be disabled by default), or to disable it altogether. All major web servers (Apache, nginx) have this disabled completely.
Here, for example, is the patch that disabled client renegotiation for nginx.
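As an added illustration of the check this thread asks for (example code, not nghttpx's own code and not the commit referenced above): the decision logic a TLS-terminating proxy keeps next to its OpenSSL info callback. The first handshake start is the initial handshake; any later one is a client-initiated renegotiation, and because the callback itself cannot drop the connection, it only raises a flag that the I/O path then acts on. The two flag values mirror OpenSSL's SSL_CB_HANDSHAKE_START / SSL_CB_HANDSHAKE_DONE but are defined locally (an assumption, so the example builds without OpenSSL), and the event sequences are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values mirroring OpenSSL's SSL_CB_HANDSHAKE_START and
   SSL_CB_HANDSHAKE_DONE, defined locally so no OpenSSL headers are needed. */
#define CB_HANDSHAKE_START 0x10
#define CB_HANDSHAKE_DONE  0x20

/* Per-connection state a proxy would keep alongside the SSL object. */
struct tls_conn {
    int initial_done;     /* the initial handshake has completed */
    int reneg_attempted;  /* a new handshake started after that */
};

/* Body of an SSL info callback: invoked by the TLS library on every state
   change with a bitmask of CB_* flags. It cannot close the socket itself,
   so it records the renegotiation attempt and returns 1 when the
   connection should be dropped by the caller's I/O path. */
int on_tls_info(struct tls_conn *c, int where)
{
    if ((where & CB_HANDSHAKE_START) && c->initial_done) {
        c->reneg_attempted = 1;  /* client-initiated renegotiation */
    }
    if (where & CB_HANDSHAKE_DONE) {
        c->initial_done = 1;
    }
    return c->reneg_attempted;
}

/* Replays a sequence of callback events as the I/O path would see them.
   Returns the index of the event at which the connection gets dropped,
   or -1 if the connection survives the whole sequence. */
int replay_events(const int *events, size_t n)
{
    struct tls_conn c = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (on_tls_info(&c, events[i])) {
            return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sequences: a normal handshake, and one where the client
       starts a second handshake after the first completed. */
    const int normal[] = {CB_HANDSHAKE_START, CB_HANDSHAKE_DONE};
    const int reneg[]  = {CB_HANDSHAKE_START, CB_HANDSHAKE_DONE, CB_HANDSHAKE_START};
    printf("normal: dropped at event %d\n", replay_events(normal, 2)); /* -1 */
    printf("reneg:  dropped at event %d\n", replay_events(reneg, 3));  /* 2 */
    return 0;
}
```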