I have a client-server application written in C++ that uses SSL 1.0.1n for socket communication. I am trying to prevent renegotiation (this is a requirement). Nowhere in my code do I initiate a renegotiation. I see that OpenSSL has BIO_set_ssl_renegotiate_bytes and BIO_set_ssl_renegotiate_timeout, which let you set up automatic renegotiation after a certain number of bytes has been read or after a timeout. My question is: if I do not set a value for either of them, do they have defaults such that SSL will still start a renegotiation automatically? If it is not done in the code, I cannot figure out what is causing the renegotiation.
Best answer
I am trying to prevent renegotiation (this is a requirement)
Hopefully that requirement is not a response to CVE-2009-3555. That was fixed in OpenSSL 0.9.8k in Nov 2009. TLSv1.1 and later protocol versions were never affected by that vulnerability.
However, you can still set the SSL_OP_NO_RENEGOTIATION option via SSL_CTX_set_options() or SSL_set_options():
SSL_CTX_set_options
NAME
SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options
SYNOPSIS
#include <openssl/ssl.h>

long SSL_CTX_set_options(SSL_CTX *ctx, long options);
long SSL_set_options(SSL *ssl, long options);

long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
long SSL_clear_options(SSL *ssl, long options);

long SSL_CTX_get_options(SSL_CTX *ctx);
long SSL_get_options(SSL *ssl);

long SSL_get_secure_renegotiation_support(SSL *ssl);
DESCRIPTION
SSL_CTX_set_options() adds the options set via bitmask in options to ctx. Options already set before are not cleared!
SSL_set_options() adds the options set via bitmask in options to ssl. Options already set before are not cleared!
SSL_CTX_clear_options() clears the options set via bitmask in options to ctx.
SSL_clear_options() clears the options set via bitmask in options to ssl.
SSL_CTX_get_options() returns the options set for ctx.
SSL_get_options() returns the options set for ssl.
SSL_get_secure_renegotiation_support() indicates whether the peer supports secure renegotiation. Note, this is implemented via a macro.
NOTES
The behaviour of the SSL library can be changed by setting several options. The options are coded as bitmasks and can be combined by a bitwise or operation (|).
SSL_CTX_set_options() and SSL_set_options() affect the (external) protocol behaviour of the SSL library. The (internal) behaviour of the API can be changed by using the similar SSL_CTX_set_mode and SSL_set_mode() functions.
During a handshake, the option settings of the SSL object are used. When a new SSL object is created from a context using SSL_new(), the current option setting is copied. Changes to ctx do not affect already created SSL objects. SSL_clear() does not affect the settings.
...
The following modifying options are available:
...
SSL_OP_NO_RENEGOTIATION
Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest messages, and ignore renegotiation requests via ClientHello.
SECURE RENEGOTIATION
...
Note that the page has a "SECURE RENEGOTIATION" section. Read it.
Then you really do need to review your requirements. There is a good chance they are a decade out of date. Having you spend time and effort solving a problem that was solved ten years ago means you are not spending that time and effort on today's problems.
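Two practical notes before applying the answer above. SSL_OP_NO_RENEGOTIATION only exists in OpenSSL 1.1.0h and later (and 1.1.1); the 1.0.1 series named in the question does not have it, so a build against 1.0.1n will fail to compile that option, and the fix there is to upgrade. Once set, confirm it took effect with `SSL_CTX_get_options(ctx) & SSL_OP_NO_RENEGOTIATION` rather than assuming so. The BIO_set_ssl_renegotiate_bytes / BIO_set_ssl_renegotiate_timeout counters the question asks about default to 0 (off) and only matter when the connection is driven through a BIO_f_ssl filter BIO; the library does not renegotiate on its own.

The question also asks how to find out who is triggering the renegotiation when the application code does not. The example below is added here and is not code from the original question, the answer, or OpenSSL. It is a passive scan over TLS records that have already been split out of a captured TCP stream and tagged with their direction (the capture and splitting are assumed to exist; the sample records are constructed in the code). The key observation it uses: in TLS 1.2 and earlier, once application data has flowed, any further handshake record is a renegotiation. The server starts one with a HelloRequest and the client with a ClientHello, and since those messages are encrypted under the existing session the scan does not try to read them; the direction of the first handshake record after data is enough to name the initiator. Those are exactly the two messages SSL_OP_NO_RENEGOTIATION suppresses (not sent) and ignores (not acted on).

```cpp
// Added example, not part of the original question or answer: passive TLS 1.2
// record-layer scan that identifies who initiates renegotiation on a captured
// connection. Assumes records were already split out of the TCP stream and
// tagged with their direction; the sample stream below is constructed.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace tlsscan {

// TLS record content types, RFC 5246 section 6.2.1.
constexpr uint8_t kChangeCipherSpec = 20;
constexpr uint8_t kHandshake = 22;
constexpr uint8_t kApplicationData = 23;

enum class Dir { ClientToServer, ServerToClient };

// One TLS record as seen on the wire: 5-byte header followed by the fragment.
struct Record {
    Dir dir;
    std::vector<uint8_t> bytes;
};

struct Report {
    int server_initiated = 0;  // handshake record from the server after data flowed (HelloRequest)
    int client_initiated = 0;  // handshake record from the client after data flowed (ClientHello)
    int malformed = 0;         // short header or length field not matching the record size
};

// Wrap an arbitrary fragment in a TLS 1.2 (0x0303) record header.
inline Record make_record(Dir dir, uint8_t content_type, const std::vector<uint8_t>& fragment) {
    Record r{dir, {content_type, 0x03, 0x03,
                   static_cast<uint8_t>(fragment.size() >> 8),
                   static_cast<uint8_t>(fragment.size() & 0xff)}};
    r.bytes.insert(r.bytes.end(), fragment.begin(), fragment.end());
    return r;
}

// Scan records in wire order. Before the first application data record
// everything is the initial handshake. After it, the first handshake record
// starts a renegotiation and its direction names the initiator; the rest of
// that renegotiated handshake (ServerHello, CCS, Finished, ...) is skipped
// until application data resumes. Alerts (e.g. a no_renegotiation warning)
// and ChangeCipherSpec are ignored. Caveat: TLS permits application data to
// be interleaved inside a renegotiation, which would make this over-count.
inline Report scan(const std::vector<Record>& stream) {
    Report rep;
    bool data_flowed = false;
    bool in_renegotiation = false;
    for (const Record& rec : stream) {
        if (rec.bytes.size() < 5) { ++rep.malformed; continue; }
        const uint8_t type = rec.bytes[0];
        const size_t len = (static_cast<size_t>(rec.bytes[3]) << 8) | rec.bytes[4];
        if (rec.bytes.size() != 5 + len) { ++rep.malformed; continue; }

        if (type == kApplicationData) { data_flowed = true; in_renegotiation = false; continue; }
        if (type != kHandshake || !data_flowed || in_renegotiation) continue;

        in_renegotiation = true;
        if (rec.dir == Dir::ServerToClient) ++rep.server_initiated;
        else                                ++rep.client_initiated;
    }
    return rep;
}

// Constructed sample: normal handshake, some data, a server-triggered
// renegotiation (HelloRequest -> ClientHello -> ...), more data, then an
// unsolicited ClientHello from the client, and finally a truncated record.
inline std::vector<Record> sample_stream() {
    using D = Dir;
    const std::vector<uint8_t> opaque{0xde, 0xad, 0xbe, 0xef};  // stand-in for real contents
    return {
        make_record(D::ClientToServer, kHandshake, opaque),        // ClientHello
        make_record(D::ServerToClient, kHandshake, opaque),        // ServerHello ... ServerHelloDone
        make_record(D::ClientToServer, kHandshake, opaque),        // ClientKeyExchange
        make_record(D::ClientToServer, kChangeCipherSpec, {0x01}),
        make_record(D::ClientToServer, kHandshake, opaque),        // Finished (encrypted)
        make_record(D::ServerToClient, kChangeCipherSpec, {0x01}),
        make_record(D::ServerToClient, kHandshake, opaque),        // Finished (encrypted)
        make_record(D::ClientToServer, kApplicationData, opaque),
        make_record(D::ServerToClient, kApplicationData, opaque),
        make_record(D::ServerToClient, kHandshake, opaque),        // encrypted HelloRequest
        make_record(D::ClientToServer, kHandshake, opaque),        // ClientHello answering it
        make_record(D::ServerToClient, kHandshake, opaque),        // ServerHello of the new handshake
        make_record(D::ClientToServer, kApplicationData, opaque),
        make_record(D::ClientToServer, kHandshake, opaque),        // unsolicited ClientHello
        {D::ClientToServer, {22, 0x03, 0x03, 0x00}},               // truncated header
    };
}

}  // namespace tlsscan
```

Run `tlsscan::scan(tlsscan::sample_stream())` and the report shows one server-initiated and one client-initiated renegotiation plus one malformed record. On a real capture, a server-initiated count tells you the peer's server is sending HelloRequest (often a byte or time based trigger on their side), while a client-initiated count points back at your own client or a library configured to renegotiate; either way the TLS endpoint, not the application code, is where to look.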
Regarding "c++ - Does SSL perform automatic renegotiation", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54733915/