fix: enable TLS renegotiation in node (#25022)

This commit is contained in:
Jeremy Rose 2020-08-19 11:18:16 -07:00 committed by GitHub
parent 3313e00578
commit 9021843850
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 0 deletions

View file

@ -42,3 +42,4 @@ fix_do_not_register_the_esm_loader_in_renderer_processes.patch
fix_allow_preventing_setpromiserejectcallback.patch
lib_use_non-symbols_in_isurlinstance_check.patch
feat_add_implementation_of_v8_platform_postjob.patch
fix_enable_tls_renegotiation.patch

View file

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Rose <nornagon@nornagon.net>
Date: Tue, 18 Aug 2020 09:51:46 -0700
Subject: fix: enable TLS renegotiation
This configures BoringSSL to behave more similarly to OpenSSL.
See https://github.com/electron/electron/issues/18380.
This should be upstreamed.
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index bb09ee99e070172a3764119cf85f3eef4d79df87..95bbc4c6a62ccf19a9d94a6afa4f2ce277c9bd4c 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -128,6 +128,12 @@ void TLSWrap::InitSSL() {
// - https://wiki.openssl.org/index.php/TLS1.3#Non-application_data_records
SSL_set_mode(ssl_.get(), SSL_MODE_AUTO_RETRY);
+#ifdef OPENSSL_IS_BORINGSSL
+ // OpenSSL allows renegotiation by default, but BoringSSL disables it.
+ // Configure BoringSSL to match OpenSSL's behavior.
+ SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
+#endif
+
SSL_set_app_data(ssl_.get(), this);
// Using InfoCallback isn't how we are supposed to check handshake progress:
// https://github.com/openssl/openssl/issues/7199#issuecomment-420915993