Only disable cert chaining on the first TLS handshake

If the client uses a v2 cipherlist on the renegotiation handshake, it looks as if they could fail to get a good cert chain from the server, since they server would re-disable certificate chaining. This patch makes it so the code that make the server side of the first v2 handshake special can get called only once. Fix for 4591; bugfix on 0.2.0.20-rc.
2024-11-10 21:23:58 +01:00 · 2012-04-27 12:13:56 -04:00 · 2012-04-27 12:13:56 -04:00 · f0212197cc
commit f0212197cc
parent f6afd4efa6
2 changed files with 9 additions and 1 deletions
--- a/changes/bug4591
+++ b/changes/bug4591
@ -0,0 +1,6 @@
+  o Minor bugfixes:
+    - If the client fails to set a reasonable set of ciphersuites
+      during its v2 handshake renegotiation, allow the renegotiation
+      to continue nevertheless (i.e., send all the required
+      certificates). Fix for bug 4591; bugfix on 0.2.0.20-rc.
+
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@ -965,7 +965,9 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)

  /* Now check the cipher list. */
  if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls))) {
-    /*XXXX_TLS keep this from happening more than once! */
+    if (tls->wasV2Handshake)
+      return; /* We already turned this stuff off for the first handshake;
+               * This is a renegotiation. */

    /* Yes, we're casting away the const from ssl.  This is very naughty of us.
     * Let's hope openssl doesn't notice! */