pike.git / lib / modules / SSL.pmod / Connection.pike

pike.git/lib/modules/SSL.pmod/Connection.pike:1029:    "Zero length Handshake fragments not allowed.\n");       // Don't allow renegotiation in unsecure mode, to address    // http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555.    // For details see: http://www.g-sec.lu/practicaltls.pdf and    // RFC 5746.    COND_FATAL(!(state & CONNECTION_handshaking) &&    !secure_renegotiation, ALERT_no_renegotiation,    "Renegotiation not supported in unsecure mode.\n");    +  COND_FATAL(!(state & CONNECTION_handshaking) && +  !context->enable_renegotiation, ALERT_no_renegotiation, +  "Renegotiation disabled by context.\n"); +     /* No change_cipher message was received */    // FIXME: There's a bug somewhere since expect_change_cipher    // often remains set after the handshake is completed. The    // effect is that renegotiation doesn't work all the time.    //    // A side effect is that we are partly invulnerable to the    // renegotiation vulnerability mentioned above. It is however    // not safe to assume that, since there might be routes past    // this, maybe through the use of a version 2 hello message    // below.
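
Review bot: The added COND_FATAL on !context->enable_renegotiation sits at the same point as the secure_renegotiation check above it, and the FIXME directly after it says there may be routes past this point, "maybe through the use of a version 2 hello message below". If such a route exists, a context with enable_renegotiation turned off could still be renegotiated through it, so the setting should also be enforced on that path, or the FIXME updated to say the new check shares the limitation. The new check also has no comment, unlike the one before it; a line stating that this is a policy switch that applies even when secure renegotiation (RFC 5746) is available would make the intent clear. Since both checks test !(state & CONNECTION_handshaking), consider putting the context check first so a peer of a context that disables renegotiation always gets "Renegotiation disabled by context." rather than the unsecure-mode message.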