| Index: net/socket/ssl_client_socket_impl.cc
|
| diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
|
| index c993fa8fb23da2d1d58c35731b3801a19283ff11..978a3018d73509e8ae1d09bd8a86972baadc5a3e 100644
|
| --- a/net/socket/ssl_client_socket_impl.cc
|
| +++ b/net/socket/ssl_client_socket_impl.cc
|
| @@ -1042,6 +1042,12 @@ int SSLClientSocketImpl::Init() {
|
| if (cert_verifier_->SupportsOCSPStapling())
|
| SSL_enable_ocsp_stapling(ssl_.get());
|
|
|
| + // Configure BoringSSL to allow renegotiations. Once the initial handshake
|
| + // completes, if renegotiations are not allowed, the default reject value will
|
| + // be restored. This is done in this order to permit a BoringSSL
|
| + // optimization. See https://crbug.com/boringssl/123.
|
| + SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
|
| +
|
| return OK;
|
| }
|
|
|
| @@ -1180,8 +1186,8 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
|
| SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len);
|
| set_signed_cert_timestamps_received(sct_list_len != 0);
|
|
|
| - if (IsRenegotiationAllowed())
|
| - SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
|
| + if (!IsRenegotiationAllowed())
|
| + SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_never);
|
|
|
| uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get());
|
| if (signature_algorithm != 0) {
|
|
|
Chromium Code Reviews
Issue 2698113002:
Configure renegotiations on, then disable after the handshake. (Closed)
