)]}'
{
  "commit": "d0996af5c7faa06cc20496f689d9e5844968993f",
  "tree": "e564cbc8b3e05a1cfc9eb94d9ea57a31ad1fec6a",
  "parents": [
    "761bc39b4d1954f1b3632f4e308e554ca64ef019"
  ],
  "author": {
    "name": "Sergey Kandaurov",
    "email": "pluknet@nginx.com",
    "time": "Tue Apr 18 16:08:44 2017 +0300"
  },
  "committer": {
    "name": "Sergey Kandaurov",
    "email": "pluknet@nginx.com",
    "time": "Tue Apr 18 16:08:44 2017 +0300"
  },
  "message": "SSL: disabled renegotiation detection in client mode.\n\nCVE-2009-3555 is no longer relevant and is mitigated by the renegotiation\ninfo extension (secure renegotiation).  On the other hand, unexpected\nrenegotiation still introduces potential security risks, and hence we do\nnot allow renegotiation on the server side, as we never request renegotiation.\n\nOn the client side the situation is different though.  There are backends\nwhich explicitly request renegotiation, and disabled renegotiation\nintroduces interoperability problems.  This change allows renegotiation\non the client side, and fixes interoperability problems as observed with\nsuch backends (ticket #872).\n\nAdditionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set\nby OpenSSL when receiving a NewSessionTicket message, and was detected by\nnginx as a renegotiation attempt.  This looks like a bug in OpenSSL, though\nthis change also allows better interoperability till the problem is fixed.\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "eb418314da2ef729a15b2c9615024993ab3eb26a",
      "old_mode": 33188,
      "old_path": "src/event/ngx_event_openssl.c",
      "new_id": "148705cccff085eea516f3773ba0f70aa7a19fc0",
      "new_mode": 33188,
      "new_path": "src/event/ngx_event_openssl.c"
    },
    {
      "type": "modify",
      "old_id": "607ee90116e946faf881b98a87224c4236398721",
      "old_mode": 33188,
      "old_path": "src/event/ngx_event_openssl.h",
      "new_id": "2a149802b1dee2d6ac5868c2866f2d78eb78a066",
      "new_mode": 33188,
      "new_path": "src/event/ngx_event_openssl.h"
    }
  ]
}
