Stop DTLS servers asking for unsafe legacy renegotiation

If a DTLS client that does not support secure renegotiation connects to an OpenSSL DTLS server then, by default, renegotiation is disabled. If a server application attempts to initiate a renegotiation then OpenSSL is supposed to prevent this. However due to a discrepancy between the TLS and DTLS code, the server sends a HelloRequest anyway in DTLS. This is not a security concern because the handshake will still fail later in the process when the client responds with a ClientHello. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit d40ec4ab8e)
2015-11-10 15:17:42 +00:00 · 2015-11-10 15:17:42 +00:00 · 78b9d13474
commit 78b9d13474
parent e83009840a
1 changed files with 13 additions and 0 deletions
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@ -267,6 +267,19 @@ int dtls1_accept(SSL *s)
                ssl3_init_finished_mac(s);
                s->state = SSL3_ST_SR_CLNT_HELLO_A;
                s->ctx->stats.sess_accept++;
+            } else if (!s->s3->send_connection_binding &&
+                       !(s->options &
+                         SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+                /*
+                 * Server attempting to renegotiate with client that doesn't
+                 * support secure renegotiation.
+                 */
+                SSLerr(SSL_F_DTLS1_ACCEPT,
+                       SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+                ret = -1;
+                s->state = SSL_ST_ERR;
+                goto end;
            } else {
                /*
                 * s->state == SSL_ST_RENEGOTIATE, we will just send a