src: set SSL_OP_ALLOW_CLIENT_RENEGOTIATION

This commit sets SSL_OP_ALLOW_CLIENT_RENEGOTIATION for OpenSSL 3.0 as this option is not set by default as it was in previous versions. Without this option set there are a few tests that fail when linked against OpenSSl 3.0.0-alpha-17, for example test-https-client-renegotiation-limit.js. I'm not sure we should be setting this for OpenSSL 3.0 or not, but I'll take a closer look at the implications but if nothing else this would allow for us to update to alpha-17 in the mean time. PR-URL: #38753 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Richard Lau <[email protected]>
nodejs · Jul 29, 2021 · 2cf52f8 · 2cf52f8
1 parent 20124cc
commit 2cf52f8
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -475,6 +475,9 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   // SSLv3 is disabled because it's susceptible to downgrade attacks (POODLE.)
   SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv2);
   SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv3);
+#if OPENSSL_VERSION_MAJOR >= 3
+  SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
+#endif
 
   // Enable automatic cert chaining. This is enabled by default in OpenSSL, but
   // disabled by default in BoringSSL. Enable it explicitly to make the