[squid-dev] [PATCH] TLS: Disable client-initiated renegotiation
Amos Jeffries
squid3 at treenet.co.nz
Sun Jun 28 11:36:46 UTC 2015
On 19/06/2015 8:35 p.m., Tsantilas Christos wrote:
> This patch is probably ok as a workaround, but my sense is that it is
> not the best method to fix it. We should spend some hours of work to
> check which OpenSSL versions have the problem, and apply a better solution.
>
Up to you. Though I'm not sure there is a better one.
The nature of the renegotiation is that it's fine to do before the first
handshake, but not afterwards. Which implies a callback on handshake
completion is the best way to set the flag.
The #if protection I requested ensures the whole mechanism is not even
built if OpenSSL does not support the flag. Which should eliminate the
libraries that don't need it without us having to identify them
individually (including LibreSSL etc.).
Amos