Allow rehandshakes for server connections.
index 15eb321d811965d4f0b1a71c72659fb500a3d5ea..1fbbae57831f1464109380b4e5339df09e72710c 100644 (file)
@@ -785,6 +785,18 @@ static int read_from_write_to_tls(gnutls_session_t from,
 
     size_read = gnutls_record_recv(from, buffer, buffer_size);
     if (size_read < 0) {
+        /* Allow rehandshakes. As handshakes might be insecure make sure that
+         * %SAFE_RENEGOTIATION is used in GnuTLS's priority string. */
+        if (size_read == GNUTLS_E_REHANDSHAKE) {
+            int result = gnutls_handshake(from);
+            if (result != GNUTLS_E_SUCCESS) {
+                LOG(WARNING, "server TLS rehandshake failed: %s",
+                             gnutls_strerror(result));
+                return -1;
+            }
+            return 0;
+        }
+
         LOG(WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s",
                      gnutls_strerror((int)size_read));
         return -1;
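Review bot: The comment on the new branch relies on %SAFE_RENEGOTIATION being present in the priority string, but nothing in the code enforces it; a misconfigured priority string would silently accept a renegotiation without the RFC 5746 extension. GnuTLS exposes this at runtime, so the branch can verify it before honouring the request: `if (size_read == GNUTLS_E_REHANDSHAKE) { if (!gnutls_safe_renegotiation_status(from)) { LOG(WARNING, "rehandshake refused: safe renegotiation not negotiated"); return -1; }`. The result check treats every non-success value as fatal; if the session's transport is non-blocking (not visible in this hunk), gnutls_handshake() may legitimately return GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED and the call should be retried rather than closing the connection — worth confirming against the caller. A peer can also request rehandshakes repeatedly, so a per-connection counter that refuses after a small limit would bound the CPU cost; the message says "server TLS rehandshake" although read_from_write_to_tls() appears to be a generic direction helper, so the log text may be misleading if it is used for both sides. The enclosing function begins before this hunk.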