[openssl-users] Deactivation of client renegotiation particularily in OpenSSL 1.1.0

[Matt Caswell]

On 14/11/17 09:40, Marcus.Schafheutle at gmx.de wrote:
> Hello,
>  
> I am referring to the DoS via repeated SSL session renegotiations
> (http://kalilinuxtutorials.com/thc-ssl-dos/).
>  
> Prior to OpenSSL 1.1.0 the approach to deactivate client renegotiation
> was to set the corresponding flag via a
> callback function, e.g. :
> ---
> SSL *connection;
> ...
> connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
> ---
>  
> The problem now is, that this approach does not work for OpenSSL 1.1.0,
> because the "flags" are not accessible any longer.
> It also seems that there is no *_set_flags() function for deactivating
> client renegotiation.

Yes, you're right this doesn't work any more. There is no way to do this
in 1.1.0. Arguably this is a bug in 1.1.0 since we inadvertently removed
the capability to do this as part of the opacity changes. Actually in
master (1.1.1) the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS functionality has
been removed because it wasn't being used by anything. That may have
been a mistake.

> 1) How can the client-renegotiation in OpenSSL generally be deactivated,
> preferably without accessing internal data structures as in the approach
> above?

The only way we can solve this is by adding a new API. Generally those
are backported to stable releases. However if people agree this is a bug
as a result of the opacity changes then we should still be able to do it.

> 2) Is it possible in OpenSSL 1.1.0 to access attributes like "flags"
> above? It seems that there is no dedicated API function for that.

No - and I don't think we would want to do that anyway. The "flags"
really are an internal thing that you shouldn't be directly modifying
(even though that was the only API we provided for doing this in 1.0.2).

I opened a github issue for this:

https://github.com/openssl/openssl/issues/4739

Matt