Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: enable TLS renegotiation in node (#25042)
* fix: enable TLS renegotiation in node * Update .patches * update patches Co-authored-by: Jeremy Rose <nornagon@nornagon.net> Co-authored-by: Jeremy Rose <jeremya@chromium.org> Co-authored-by: Electron Bot <anonymous@electronjs.org>
- Loading branch information
1 parent
0e7e4fe
commit cb2fa85
Showing
2 changed files
with
28 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Jeremy Rose <nornagon@nornagon.net> | ||
Date: Tue, 18 Aug 2020 09:51:46 -0700 | ||
Subject: fix: enable TLS renegotiation | ||
|
||
This configures BoringSSL to behave more similarly to OpenSSL. | ||
See https://github.com/electron/electron/issues/18380. | ||
|
||
This should be upstreamed. | ||
|
||
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc | ||
index 2d36c1a2654aa61460a112f59920ee5b2a01233f..cd2dd3d5ba7d53671163474bfe70634ac3c798f2 100644 | ||
--- a/src/tls_wrap.cc | ||
+++ b/src/tls_wrap.cc | ||
@@ -125,6 +125,12 @@ void TLSWrap::InitSSL() { | ||
// - https://wiki.openssl.org/index.php/TLS1.3#Non-application_data_records | ||
SSL_set_mode(ssl_.get(), SSL_MODE_AUTO_RETRY); | ||
|
||
+#ifdef OPENSSL_IS_BORINGSSL | ||
+ // OpenSSL allows renegotiation by default, but BoringSSL disables it. | ||
+ // Configure BoringSSL to match OpenSSL's behavior. | ||
+ SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely); | ||
+#endif | ||
+ | ||
SSL_set_app_data(ssl_.get(), this); | ||
// Using InfoCallback isn't how we are supposed to check handshake progress: | ||
// https://github.com/openssl/openssl/issues/7199#issuecomment-420915993 |