-
Notifications
You must be signed in to change notification settings - Fork 15k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: enable TLS renegotiation in node (#25041)
* fix: enable TLS renegotiation in node * Update .patches * update patches Co-authored-by: Jeremy Rose <nornagon@nornagon.net> Co-authored-by: Jeremy Rose <jeremya@chromium.org> Co-authored-by: Electron Bot <anonymous@electronjs.org>
- Loading branch information
1 parent
e16decd
commit f769da6
Showing
2 changed files
with
28 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Jeremy Rose <nornagon@nornagon.net> | ||
Date: Tue, 18 Aug 2020 09:51:46 -0700 | ||
Subject: fix: enable TLS renegotiation | ||
|
||
This configures BoringSSL to behave more similarly to OpenSSL. | ||
See https://github.com/electron/electron/issues/18380. | ||
|
||
This should be upstreamed. | ||
|
||
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc | ||
index 42b9469e38189f04745732afdeadd59e3ce6ad4c..f664f280d605a32d9f97121ab2816fab0fbe28c9 100644 | ||
--- a/src/tls_wrap.cc | ||
+++ b/src/tls_wrap.cc | ||
@@ -125,6 +125,12 @@ void TLSWrap::InitSSL() { | ||
// - https://wiki.openssl.org/index.php/TLS1.3#Non-application_data_records | ||
SSL_set_mode(ssl_.get(), SSL_MODE_AUTO_RETRY); | ||
|
||
+#ifdef OPENSSL_IS_BORINGSSL | ||
+ // OpenSSL allows renegotiation by default, but BoringSSL disables it. | ||
+ // Configure BoringSSL to match OpenSSL's behavior. | ||
+ SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely); | ||
+#endif | ||
+ | ||
SSL_set_app_data(ssl_.get(), this); | ||
// Using InfoCallback isn't how we are supposed to check handshake progress: | ||
// https://github.com/openssl/openssl/issues/7199#issuecomment-420915993 |