* Rich Salz *
+ * Client-initiated renegotiation is disabled by default. To allow it, use
+ the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
+ flag, or the "ClientRenegotiation" config parameter as appropriate.
+
+ * Rich Salz *
+
* Add "abspath" and "includedir" pragma's to config files, to prevent,
or modify relative pathname inclusion.
OPT_S__FIRST=3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
- OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
+ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
+ OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
OPT_S_PRIORITIZE_CHACHA, \
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
- OPT_S_MINPROTO, OPT_S_MAXPROTO, \
+ OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_IMMEDIATE_RENEG, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
# define OPT_S_OPTIONS \
{"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
{"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
"Enable use of legacy renegotiation (dangerous)"}, \
+ {"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
+ "Allow client-initiated renegotiation" }, \
{"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
"Disable all renegotiation."}, \
{"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
{"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
{"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
{"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
+ {"immediate_renegotiation", OPT_S_IMMEDIATE_RENEG, '-', \
+ "Immediately attempt renegotiation"}, \
{"record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to."}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
case OPT_S_NOTICKET: \
case OPT_S_SERVERPREF: \
case OPT_S_LEGACYRENEG: \
+ case OPT_S_CLIENTRENEG: \
case OPT_S_LEGACYCONN: \
case OPT_S_ONRESUMP: \
case OPT_S_NOLEGACYCONN: \
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
const char *flag = sk_OPENSSL_STRING_value(str, i);
const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
+
if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
- if (arg != NULL)
- BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
- flag, arg);
- else
- BIO_printf(bio_err, "Error with command: \"%s\"\n", flag);
+ BIO_printf(bio_err, "Call to SSL_CONF_cmd(%s, %s) failed\n",
+ flag, arg == NULL ? "<NULL>" : arg);
ERR_print_errors(bio_err);
return 0;
}
case OPT_BRIEF:
c_brief = verify_args.quiet = c_quiet = 1;
break;
+ case OPT_S_IMMEDIATE_RENEG:
+ /* Option ignored on client. */
+ break;
case OPT_S_CASES:
if (ssl_args == NULL)
ssl_args = sk_OPENSSL_STRING_new_null();
tty_on = 1;
if (in_init) {
in_init = 0;
-
if (c_brief) {
BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
print_ssl_summary(con);
static int s_nbio = 0;
static int s_nbio_test = 0;
static int s_crlf = 0;
+static int immediate_reneg = 0;
static SSL_CTX *ctx = NULL;
static SSL_CTX *ctx2 = NULL;
static int www = 0;
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
goto opthelp;
break;
+ case OPT_S_IMMEDIATE_RENEG:
+ immediate_reneg = 1;
+ break;
case OPT_S_CASES:
case OPT_S_NUM_TICKETS:
case OPT_ANTI_REPLAY:
} else {
do {
i = SSL_accept(con);
+ if (immediate_reneg)
+ SSL_renegotiate(con);
if (i <= 0)
retry = is_retryable(con, i);
signature algorithm or elliptic curve to use for an incoming connection.
Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
+=item B<-client_renegotiation>
+
+Allows servers to accept client-initiated renegotiation. Equivalent to
+setting B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION>.
+Only used by servers.
+
=item B<-legacyrenegotiation>
-permits the use of unsafe legacy renegotiation. Equivalent to setting
+Permits the use of unsafe legacy renegotiation. Equivalent to setting
B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
=item B<-no_renegotiation>
=item B<-no_resumption_on_reneg>
-set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
+Sets B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION>. Only used by servers.
=item B<-legacy_server_connect>, B<-no_legacy_server_connect>
-permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
+Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
+=item B<-immediate_renegotiation>
+
+Try to do a renegotiation immediately after the handshake.
+This is for debugging and has no option equivalent.
+Ignored by the B<openssl s_client> command.
+
=item B<-prioritize_chacha>
Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
=item B<-strict>
-enables strict mode protocol handling. Equivalent to setting
+Enables strict mode protocol handling. Equivalent to setting
B<SSL_CERT_FLAG_TLS_STRICT>.
=item B<-sigalgs> I<algs>
. "[B<-comp>]\n"
. "[B<-no_ticket>]\n"
. "[B<-serverpref>]\n"
+. "[B<-client_renegotiation>]\n"
. "[B<-legacy_renegotiation>]\n"
. "[B<-no_renegotiation>]\n"
. "[B<-no_resumption_on_reneg>]\n"
+. "[B<-immediate_renegotiation>]\n"
. "[B<-legacy_server_connect>]\n"
. "[B<-no_legacy_server_connect>]\n"
. "[B<-allow_no_dhe_kex>]\n"
. "[B<-no_middlebox>]";
$OpenSSL::safe::opt_s_item = ""
. "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
+. "B<-client_renegotiation>, B<_immediate_renegotiation>\n"
. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"
. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
. "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
+ SSL_FLAG_TBL("ClientRenegotiation",
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_CONF_CMD_SWITCH("no_ticket", 0),
SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
+ SSL_CONF_CMD_SWITCH("client_renegotiation", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
/* legacy_renegotiation */
{SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
+ /* Allow client renegotiation */
+ {SSL_OP_ALLOW_CLIENT_RENEGOTIATION, 0},
/* legacy_server_connect */
{SSL_OP_LEGACY_SERVER_CONNECT, 0},
/* no_renegotiation */
return s->key_update;
}
-int SSL_renegotiate(SSL *s)
+/*
+ * Can we accept a renegotiation request? If yes, set the flag and
+ * return 1 if yes. If not, raise error and return 0.
+ */
+static int can_renegotiate(const SSL *s)
{
if (SSL_IS_TLS13(s)) {
ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
return 0;
}
- if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
+ if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION);
return 0;
}
+ return 1;
+}
+
+int SSL_renegotiate(SSL *s)
+{
+ if (!can_renegotiate(s))
+ return 0;
+
s->renegotiate = 1;
s->new_session = 1;
-
return s->method->ssl_renegotiate(s);
}
int SSL_renegotiate_abbreviated(SSL *s)
{
- if (SSL_IS_TLS13(s)) {
- ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
+ if (!can_renegotiate(s))
return 0;
- }
-
- if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
- ERR_raise(ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION);
- return 0;
- }
s->renegotiate = 1;
s->new_session = 0;
-
return s->method->ssl_renegotiate(s);
}
ext_len);
}
+#define RENEG_OPTIONS_OK(options) \
+ ((options & SSL_OP_NO_RENEGOTIATION) == 0 \
+ && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0)
+
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
{
/* |cookie| will only be initialized for DTLS. */
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
- if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
+ if (!RENEG_OPTIONS_OK(s->options)
|| (!s->s3.send_connection_binding
&& (s->options
& SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
if (sctx != NULL) {
if (*sctx != NULL)
serverctx = *sctx;
- else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
+ else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm))
+ || !TEST_true(SSL_CTX_set_options(serverctx,
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
}
plan skip_all => "$test_name needs TLS <= 1.2 enabled"
if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
+plan tests => 6;
+
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
undef,
#Test 1: A basic renegotiation test
$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-client_renegotiation");
$proxy->reneg(1);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 4;
ok(TLSProxy::Message->success(), "Basic renegotiation");
#Test 2: Client does not send the Reneg SCSV. Reneg should fail
$proxy->clear();
$proxy->filter(\&reneg_filter);
$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-client_renegotiation");
$proxy->reneg(1);
$proxy->start();
ok(TLSProxy::Message->fail(), "No client SCSV");
$proxy->filter(undef);
$proxy->ciphers("DEFAULT:\@SECLEVEL=0");
$proxy->clientflags("-no_tls1_3 -cipher AES128-SHA:\@SECLEVEL=0");
- $proxy->serverflags("-no_tls1_3 -no_tls1_2");
+ $proxy->serverflags("-no_tls1_3 -no_tls1_2 -client_renegotiation");
$proxy->reneg(1);
$proxy->start();
my $chversion;
$proxy->clear();
$proxy->filter(\&sigalgs_filter);
$proxy->clientflags("-tls1_2");
+ $proxy->serverflags("-client_renegotiation");
$proxy->reneg(1);
$proxy->start();
ok(TLSProxy::Message->fail(), "client_sig_algs instead of sig_algs");
}
+SKIP: {
+ skip "TLSv1.2 and TLSv1.1 disabled", 1
+ if disabled("tls1_2") && disabled("tls1_1");
+ #Test 5: Client fails to do renegotiation
+ $proxy->clear();
+ $proxy->filter(undef);
+ $proxy->serverflags("-no_tls1_3");
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->reneg(1);
+ $proxy->start();
+ ok(TLSProxy::Message->fail(),
+ "Check client renegotiation failed");
+}
+
+SKIP: {
+ skip "TLSv1.2 and TLSv1.1 disabled", 1
+ if disabled("tls1_2") && disabled("tls1_1");
+ #Test 6: Server can do renegotiation
+ $proxy->clear();
+ $proxy->filter(undef);
+ $proxy->serverflags("-no_tls1_3 -immediate_renegotiation");
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->start();
+ ok(TLSProxy::Message->success(),
+ "Check server renegotiation succeeded");
+}
+
sub reneg_filter
{
my $proxy = shift;
#Test 7: A handshake with a renegotiation
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-client_renegotiation");
$proxy->reneg(1);
$proxy->start();
checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_options(server_ctx,
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION))
+ || !TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
goto err;
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
if (!TEST_ptr(server2_ctx =
- SSL_CTX_new_ex(libctx, NULL, DTLS_server_method())))
+ SSL_CTX_new_ex(libctx, NULL, DTLS_server_method()))
+ || !TEST_true(SSL_CTX_set_options(server2_ctx,
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_client_method());
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
DTLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0))
+ || !TEST_true(SSL_CTX_set_options(resume_server_ctx,
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
DTLS_client_method());
#endif
server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion))
+ || !TEST_true(SSL_CTX_set_options(server_ctx,
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
if (!TEST_ptr(server2_ctx =
- SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
+ SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))
+ || !TEST_true(SSL_CTX_set_options(server2_ctx,
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
maxversion)))
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_server_method());
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
- maxversion)))
+ maxversion))
+ || !TEST_true(SSL_CTX_set_options(resume_server_ctx,
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_client_method());