SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option. The SSL_OP_NO_CLIENT_RENEGOTIATION option was introduced in LibreSSL 2.5.1. Unlike OpenSSL's SSL_OP_NO_RENEGOTIATION, it only disables client-initiated renegotiation, and hence can be safely used on all SSL contexts.

commit: 1e1de5c92be3726da5c416179beb1f551c8fd32e [log] [tgz]
author: Maxim Dounin <mdounin@mdounin.ru> Sun Mar 03 16:49:02 2019 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> Sun Mar 03 16:49:02 2019 +0300
tree: 23572cae2a35feaaf3eae6d20d341fd8366fa439
parent: 1bc7b0a01ba744f871b8e60c8b78600d42586a70 [diff]
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index e18480c..987b381 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c

@@ -368,6 +368,10 @@
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
 #endif
 
+#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
commit	1e1de5c92be3726da5c416179beb1f551c8fd32e	[log] [tgz]
author	Maxim Dounin <mdounin@mdounin.ru>	Sun Mar 03 16:49:02 2019 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	Sun Mar 03 16:49:02 2019 +0300
tree	23572cae2a35feaaf3eae6d20d341fd8366fa439
parent	1bc7b0a01ba744f871b8e60c8b78600d42586a70 [diff]