TLS: Default secure renegotiation compatability

By default this change will have servers send the renegotiation info
extension, but not allow renegotiation. This is in accordance with RFC 5746.

From RFC 5746:
> In order to enable clients to probe, even servers that do not support
> renegotiation MUST implement the minimal version of the extension
> described in this document for initial handshakes, thus signaling
> that they have been upgraded.

With OpenSSL 3.0 the default is to not allow connections to servers
without the secure renegotiation extension. See
https://github.com/openssl/openssl/pull/15127
elms
2022-01-10 15:55:37 -08:00
parent abc9b7197d
commit efe2cea8d1
6 changed files with 36 additions and 8 deletions


@@ -31371,7 +31371,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
#ifndef WOLFSSL_NO_TLS12
#if defined(HAVE_SECURE_RENEGOTIATION) && \
defined(HAVE_SERVER_RENEGOTIATION_INFO) && \
!defined(WOLFSSL_NO_SERVER)
/* handle generation of server's hello_request (0) */
@@ -31440,7 +31439,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
return ret;
}
#endif /* HAVE_SECURE_RENEGOTIATION && HAVE_SERVER_RENEGOTIATION_INFO */
#endif /* HAVE_SECURE_RENEGOTIATION && !WOLFSSL_NO_SERVER */
#ifdef WOLFSSL_DTLS
/* handle generation of DTLS hello_verify_request (3) */
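Review bot: The rewritten guard still tests `!defined(WOLFSSL_NO_SERVER)`, while the server branch in the ssl.c `_Rehandshake` hunk of this same commit is guarded by `!defined(NO_WOLFSSL_SERVER)`; if `WOLFSSL_NO_SERVER` is not a name the build actually defines, this `#if` is effectively `defined(HAVE_SECURE_RENEGOTIATION)` alone and the hello_request generation path is compiled into server-disabled builds, so since the line is being rewritten anyway it is the moment to pick one spelling, e.g. `#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(NO_WOLFSSL_SERVER)` with the `#endif` comment `/* HAVE_SECURE_RENEGOTIATION && !NO_WOLFSSL_SERVER */`. The commit message states that servers will send the renegotiation_info extension but not permit renegotiation by default, yet this hunk only widens compile-time availability of the server-initiated hello_request path to every HAVE_SECURE_RENEGOTIATION build; the runtime check that refuses a renegotiation is not visible in this hunk, so the comment on the opening line should say where that gate lives, e.g. `/* handle generation of server's hello_request (0); sent only when renegotiation is enabled for this session */`, if that is indeed the case. The function these directives enclose starts and ends outside the hunk.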


@@ -2863,7 +2863,7 @@ int wolfSSL_ALPN_FreePeerProtocol(WOLFSSL* ssl, char **list)
#endif /* HAVE_ALPN */
/* Secure Renegotiation */
#ifdef HAVE_SECURE_RENEGOTIATION
#ifdef HAVE_SERVER_RENEGOTIATION_INFO
/* user is forcing ability to use secure renegotiation, we discourage it */
int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl)
@@ -2954,7 +2954,7 @@ static int _Rehandshake(WOLFSSL* ssl)
ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SERVER_RENEGOTIATION_INFO)
#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SECURE_RENEGOTIATION)
if (ssl->options.side == WOLFSSL_SERVER_END) {
ret = SendHelloRequest(ssl);
if (ret != 0) {
@@ -3041,7 +3041,7 @@ long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl)
return ssl->secure_renegotiation->enabled;
}
#endif /* HAVE_SECURE_RENEGOTIATION */
#endif /* HAVE_SECURE_RENEGOTIATION_INFO */
#if defined(HAVE_SESSION_TICKET)
/* Session Ticket */