From 2cf52f8db1c8fe49e2f790148541b94146e532c6 Mon Sep 17 00:00:00 2001
From: Daniel Bevenius
Date: Thu, 20 May 2021 15:02:36 +0200
Subject: [PATCH] src: set SSL_OP_ALLOW_CLIENT_RENEGOTIATION

This commit sets SSL_OP_ALLOW_CLIENT_RENEGOTIATION for OpenSSL 3.0 as this option is not set by default as it was in previous versions. Without this option set there are a few tests that fail when linked against OpenSSl 3.0.0-alpha-17, for example test-https-client-renegotiation-limit.js. I'm not sure we should be setting this for OpenSSL 3.0 or not, but I'll take a closer look at the implications but if nothing else this would allow for us to update to alpha-17 in the mean time.
PR-URL: https://github.com/nodejs/node/pull/38753
Reviewed-By: Anna Henningsen
Reviewed-By: James M Snell
Reviewed-By: Richard Lau
---
 src/crypto/crypto_context.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index 7eb17ee53475fb..c4f759c31d18cc 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -475,6 +475,9 @@ void SecureContext::Init(const FunctionCallbackInfo& args) {
 // SSLv3 is disabled because it's susceptible to downgrade attacks (POODLE.)
 SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv2);
 SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv3);
+#if OPENSSL_VERSION_MAJOR >= 3
+ SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
+#endif
 // Enable automatic cert chaining. This is enabled by default in OpenSSL, but
 // disabled by default in BoringSSL. Enable it explicitly to make the