Diffstat (limited to 'modules/ssl/ssl_engine_init.c')
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index c2ec048..443eac4 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -844,6 +844,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     }
 #endif
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+    /* For server-side SSL_CTX, disable renegotiation by default.. */
+    if (!mctx->pkp) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
+    }
+#endif
+
 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
     /* For server-side SSL_CTX, enable ignoring unexpected EOF */
     /* (OpenSSL 1.1.1 behavioural compatibility).. */
@@ -872,6 +879,14 @@ static void ssl_init_ctx_session_cache(server_rec *s,
     }
 }
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+/* OpenSSL-level renegotiation protection. */
+#define MODSSL_BLOCKS_RENEG (0)
+#else
+/* mod_ssl-level renegotiation protection. */
+#define MODSSL_BLOCKS_RENEG (1)
+#endif
+
 static void ssl_init_ctx_callbacks(server_rec *s,
                                    apr_pool_t *p,
                                    apr_pool_t *ptemp,
@@ -885,7 +900,13 @@ static void ssl_init_ctx_callbacks(server_rec *s,
     SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
 #endif
 
-    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+    /* The info callback is used for debug-level tracing. For OpenSSL
+     * versions where SSL_OP_NO_RENEGOTIATION is not available, the
+     * callback is also used to prevent use of client-initiated
+     * renegotiation. Enable it in either case. */
+    if (APLOGdebug(s) || MODSSL_BLOCKS_RENEG) {
+        SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+    }
 
 #ifdef HAVE_TLS_ALPN
     SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
@@ -1346,6 +1367,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
     int i;
     EVP_PKEY *pkey;
+    int custom_dh_done = 0;
 #ifdef HAVE_ECC
     EC_GROUP *ecgroup = NULL;
     int curve_nid = 0;
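Review bot: Setting SSL_OP_NO_RENEGOTIATION on the server SSL_CTX does not only reject client-initiated renegotiation; while the option is set, OpenSSL (1.1.1 and later, as far as I recall) also makes SSL_renegotiate() fail with SSL_R_NO_RENEGOTIATION, and mod_ssl's per-directory SSLVerifyClient/SSLCipherSuite handling relies on a server-initiated renegotiation from ssl_engine_kernel.c, which this diffstat does not include. That path must clear the option on the connection, roughly `SSL_clear_options(ssl, SSL_OP_NO_RENEGOTIATION);` before the renegotiate and `SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION);` afterwards, so it is worth confirming the companion change exists before this lands. The comment says "by default" but nothing in this hunk lets a directive override it; if no knob is planned I would state the intent plainly, `/* Server-side SSL_CTX: refuse client-initiated renegotiation at the OpenSSL level. */`. ssl_init_ctx_protocol starts before and continues after this hunk.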
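Review bot: With SSL_OP_NO_RENEGOTIATION available and a non-debug LogLevel, ssl_callback_Info is now never installed on a server SSL_CTX, so anything the callback does beyond tracing and rejecting client renegotiation is skipped for those servers; I believe it also maintains the per-connection renegotiation state that the I/O layer consults, but that code is outside this diff, so please verify no remaining consumer of that state depends on the callback firing. The decision is worth recording in the comment, e.g. adding `* When OpenSSL enforces SSL_OP_NO_RENEGOTIATION the callback has no security role and is only installed for debug logging.` to the block above the `if`. Note too that `APLOGdebug(s)` is now evaluated once at startup against the server owning the context, rather than per connection as the callback could do itself; acceptable, but a one-line remark would save the next reader a puzzle. ssl_init_ctx_callbacks begins before and ends after this hunk.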
@@ -1518,14 +1540,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
      */
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
     if (certfile && !modssl_is_engine_id(certfile)) {
-        int done = 0, num_bits = 0;
+        int num_bits = 0;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
         DH *dh = modssl_dh_from_file(certfile);
         if (dh) {
             num_bits = DH_bits(dh);
             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
             DH_free(dh);
-            done = 1;
+            custom_dh_done = 1;
         }
 #else
         pkey = modssl_dh_pkey_from_file(certfile);
@@ -1535,18 +1557,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
                 EVP_PKEY_free(pkey);
             }
             else {
-                done = 1;
+                custom_dh_done = 1;
             }
         }
 #endif
-        if (done) {
+        if (custom_dh_done) {
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                          "Custom DH parameters (%d bits) for %s loaded from %s",
                          num_bits, vhost_id, certfile);
         }
     }
 #if !MODSSL_USE_OPENSSL_PRE_1_1_API
-    else {
+    if (!custom_dh_done) {
         /* If no parameter is manually configured, enable auto
          * selection. */
         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
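Review bot: When the certificate file carries DH parameters that OpenSSL rejects (the `EVP_PKEY_free(pkey)` branch at the top of the second hunk), `custom_dh_done` stays 0 and the new `if (!custom_dh_done)` silently switches the vhost to automatic DH selection in place of the operator's parameters, where the old `else` only ran when no cert file was configured at all. That is a reasonable default, but the downgrade should be visible: unless the lines between the two hunks already log the failure at warning level (not shown here), add an `ap_log_error(APLOG_MARK, APLOG_WARNING, ...)` with a fresh APLOGNO tag saying that DH parameters from `certfile` were rejected for `vhost_id` and automatic selection is being used, just before the `SSL_CTX_set_dh_auto` call. The `/* If no parameter is manually configured */` comment also no longer matches the condition; `/* No usable custom parameters: enable automatic selection. */` would. ssl_init_server_certs starts and ends outside these hunks.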