tatsuhiro-t / spdylay

The experimental SPDY protocol version 2, 3 and 3.1 implementation in C
http://tatsuhiro-t.github.io/spdylay/
MIT License

Disable SSL Client Renegotiation in shrpx #104

Closed danez closed 10 years ago

danez commented 10 years ago

I just read this and noticed that shrpx still supports client renegotiation. It would be nice to have the possibility to disable this (should be disabled by default), or disable it at all. All major web servers (apache, nginx) have this disabled completely.

Here for example is the patch that disabled Client Renegotiation for nginx.

tatsuhiro-t commented 10 years ago

Fix committed 1509c90

danez commented 10 years ago

Wow, thanks, that was fast. Gonna try it now. Works perfectly.

tatsuhiro-t commented 10 years ago

It appears that the fix does not mitigate the threat at all because libevent steals handshake packets and we have no way to drop the connection in our callback. The proper fix would be to use the libevent filter-based openssl bufferevent and check the renegotiation on the underlying bufferevent (but I have to see whether this is feasible).
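The detection logic the comment above refers to, written out as an added example (this is not spdylay/shrpx code and not the committed fix). The OpenSSL info callback only tells you that a handshake started or finished; a handshake that starts after one has already completed is a client-initiated renegotiation. The callback cannot close the connection itself, so it records a flag and the read path (the bufferevent read callback in shrpx's case) drops the connection. The two `SSL_CB_*` values are copied from OpenSSL's `<openssl/ssl.h>` so the file builds without linking OpenSSL; the `conn_state` struct and function names are assumptions for illustration.

```c
/* Added example (not spdylay/shrpx code): the state machine behind an
 * OpenSSL info-callback check for client-initiated TLS renegotiation.
 * The two constants are copied from <openssl/ssl.h>; the struct and
 * function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

/* Per-connection state: the callback can only record what it saw,
 * and the read path decides whether to drop the connection. */
typedef struct {
    int handshake_done;   /* the initial handshake has completed */
    int renegotiation;    /* a second handshake started afterwards */
} conn_state;

void conn_state_init(conn_state *st) { memset(st, 0, sizeof(*st)); }

/* Mirrors the body of an SSL_CTX_set_info_callback handler. Only the
 * 'where' bits matter here; the SSL* and ret arguments are omitted. */
void on_ssl_info(conn_state *st, int where)
{
    if ((where & SSL_CB_HANDSHAKE_START) && st->handshake_done) {
        /* A handshake starting after one finished is a renegotiation. */
        st->renegotiation = 1;
    }
    if (where & SSL_CB_HANDSHAKE_DONE) {
        st->handshake_done = 1;
    }
}

/* Called from the read callback: returns 1 if the connection must be closed. */
int should_drop_on_read(const conn_state *st)
{
    return st->renegotiation;
}

/* Replays a constructed sequence of info-callback 'where' values and
 * reports whether the read path would drop the connection. */
int replay_events(const int *events, size_t n)
{
    conn_state st;
    conn_state_init(&st);
    for (size_t i = 0; i < n; i++)
        on_ssl_info(&st, events[i]);
    return should_drop_on_read(&st);
}

int main(void)
{
    /* Constructed event sequences: a normal handshake, and one followed
     * by a second handshake start (renegotiation attempt). */
    const int normal[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
    const int reneg[]  = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                           SSL_CB_HANDSHAKE_START };
    printf("normal handshake: drop=%d\n", replay_events(normal, 2));
    printf("renegotiation:    drop=%d\n", replay_events(reneg, 3));
    return 0;
}
```

The important design point is the split between recording and acting: the flag is set inside the callback, but the close happens where the server owns the socket or bufferevent, which is exactly why a callback-only fix does not hold when libevent's OpenSSL bufferevent handles the handshake records before the application sees them. Newer OpenSSL releases also provide `SSL_OP_NO_RENEGOTIATION`, which rejects renegotiation inside the library and removes the need for this bookkeeping.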

tatsuhiro-t commented 10 years ago

All right, I made several commits to solve this issue.

danez commented 10 years ago

Thanks