netty5/handler
Chris West e24e06bfcb OpenSslEngine: Remove renegotiation support
Motivation:

SSL.setState() has gone from OpenSSL 1.1. Calling it is, and probably
always has been, incorrect. Doing renegotiation in this manner is
potentially insecure. There have been at least two insecure
renegotiation vulnerabilities in users of the OpenSSL library.

Renegotiation is not necessary for correct operation of the TLS protocol.

BoringSSL has already eliminated this functionality, and the tests
(now deleted) were not running on BoringSSL.

Modifications:

If the connection setup has completed, always return that
negotiation is not supported. Previously this was done only if we were
the client.

Remove the tests for this functionality.

Fixes #6320.
2018-01-02 13:00:11 -05:00
src OpenSslEngine: Remove renegotiation support 2018-01-02 13:00:11 -05:00
pom.xml [maven-release-plugin] prepare for next development iteration 2017-12-15 13:10:54 +00:00