OpenSslEngine currently calls SSL_set_state(SSL_ST_ACCEPT) during the renegotiation process. The OpenSSL team has advised against this [1]. We should investigate and avoid calling SSL_ST_ACCEPT if possible.
[1] https://github.com/openssl/openssl/issues/2551#issuecomment-277644153
OpenSSL 1.1.0e cannot be used in netty-tcnative, because SSL_set_state no longer exists in OpenSSL since 1.1.0 (https://github.com/netty/netty-tcnative/issues/263).
Given that OpenSSL 1.1.1 (hopefully) supports TLS 1.3, it seems worth removing the usage of SSL_set_state.
I don't know if this helps, but this is how apache tcnative does the renegotiation (in an older version): https://github.com/apache/tomcat-native/blob/043f95087f712595598901b7c5f915ca5fbf86d5/native/src/sslnetwork.c#L650
In the trunk they removed the SSL_set_state call completely: https://github.com/apache/tomcat-native/blob/trunk/native/src/sslnetwork.c#L632
@Scottmitch I wonder if we should just remove the support for renegotiation, as it's risky business anyway. This would also allow us to just drop the SSL_set_state usage and so support OpenSSL 1.1.x.
WDYT?
@carl-mastrangelo @ejona86 @nmittler WDYT as well?
+1
I honestly don't know enough to determine whether renegotiation is necessary or alternative approaches.