28 lines
1.1 KiB
Diff
28 lines
1.1 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Jeremy Rose <nornagon@nornagon.net>
|
||
|
|
Date: Tue, 18 Aug 2020 09:51:46 -0700
|
||
|
|
Subject: fix: enable TLS renegotiation
|
||
|
|
|
||
|
|
This configures BoringSSL to behave more similarly to OpenSSL.
|
||
|
|
See https://github.com/electron/electron/issues/18380.
|
||
|
|
|
||
|
|
This should be upstreamed.
|
||
|
|
|
||
|
|
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
|
||
|
|
index bb09ee99e070172a3764119cf85f3eef4d79df87..95bbc4c6a62ccf19a9d94a6afa4f2ce277c9bd4c 100644
|
||
|
|
--- a/src/tls_wrap.cc
|
||
|
|
+++ b/src/tls_wrap.cc
|
||
|
|
@@ -128,6 +128,12 @@ void TLSWrap::InitSSL() {
|
||
|
|
// - https://wiki.openssl.org/index.php/TLS1.3#Non-application_data_records
|
||
|
|
SSL_set_mode(ssl_.get(), SSL_MODE_AUTO_RETRY);
|
||
|
|
|
||
|
|
+#ifdef OPENSSL_IS_BORINGSSL
|
||
|
|
+ // OpenSSL allows renegotiation by default, but BoringSSL disables it.
|
||
|
|
+ // Configure BoringSSL to match OpenSSL's behavior.
|
||
|
|
+ SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
|
||
|
|
+#endif
|
||
|
|
+
|
||
|
|
SSL_set_app_data(ssl_.get(), this);
|
||
|
|
// Using InfoCallback isn't how we are supposed to check handshake progress:
|
||
|
|
// https://github.com/openssl/openssl/issues/7199#issuecomment-420915993
|