From 55ce9f0a9991527dc9a7c09ee03446c3a7c48e93 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 18 Aug 2013 14:27:14 +0200 Subject: [PATCH] Allow rehandshakes for server connections. --- NEWS | 2 ++ src/connection.c | 12 ++++++++++++ src/tlsproxy.h | 7 ++++++- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 9735d13..3f3c663 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,8 @@ NEWS - Add -a option, authentication for tlsproxy via basic digest authentication. - Add new debug level (-d 3) for even more debug output, including information about the current TLS session. +- Allow rehandshakes for server connections (%SAFE_RENEGOTIATION is forced to + prevent issues). - Use pre-generated Diffie-Hellman parameters in proxy-dh.pem. - Code cleanup. - Better error handling. diff --git a/src/connection.c b/src/connection.c index 15eb321..1fbbae5 100644 --- a/src/connection.c +++ b/src/connection.c @@ -785,6 +785,18 @@ static int read_from_write_to_tls(gnutls_session_t from, size_read = gnutls_record_recv(from, buffer, buffer_size); if (size_read < 0) { + /* Allow rehandshakes. As handshakes might be insecure make sure that + * %SAFE_RENEGOTIATION is used in GnuTLS's priority string. */ + if (size_read == GNUTLS_E_REHANDSHAKE) { + int result = gnutls_handshake(from); + if (result != GNUTLS_E_SUCCESS) { + LOG(WARNING, "server TLS rehandshake failed: %s", + gnutls_strerror(result)); + return -1; + } + return 0; + } + LOG(WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s", gnutls_strerror((int)size_read)); return -1; diff --git a/src/tlsproxy.h b/src/tlsproxy.h index 33df814..4664428 100644 --- a/src/tlsproxy.h +++ b/src/tlsproxy.h @@ -55,7 +55,12 @@ /* Don't use known insecure algorithms. */ \ "SECURE" \ /* Lower priority of SHA-1, user better hashes if possible. */ \ - ":-SHA1:+SHA1" + ":-SHA1:+SHA1" \ + /* Force safe renegotiations. Shouldn't cause any problems as this \ + * option only affects the server side (with GnuTLS defaults) and the \ + * local clients most-likely already support safe renegotiations (old \ + * servers are therefore not an issue). */ \ + ":%SAFE_RENEGOTIATION" /* Proxy hostname and port if specified on the command line. */ -- 2.45.2