fix: enable TLS renegotiation in node (#25041)

* fix: enable TLS renegotiation in node * Update .patches * update patches Co-authored-by: Jeremy Rose <nornagon@nornagon.net> Co-authored-by: Jeremy Rose <jeremya@chromium.org> Co-authored-by: Electron Bot <anonymous@electronjs.org>
2026-04-10 03:01:51 -04:00 · 2020-08-19 19:35:47 -07:00
parent e16decd6a1
commit f769da64ad
2 changed files with 28 additions and 0 deletions
--- a/patches/node/.patches
+++ b/patches/node/.patches
@@ -42,3 +42,4 @@ tools_update_certdata_txt.patch
 crypto_update_root_certificates.patch
 darwin_work_around_clock_jumping_back_in_time.patch
 lib_use_non-symbols_in_isurlinstance_check.patch
+fix_enable_tls_renegotiation.patch
--- a/patches/node/fix_enable_tls_renegotiation.patch
+++ b/patches/node/fix_enable_tls_renegotiation.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jeremy Rose <nornagon@nornagon.net>
+Date: Tue, 18 Aug 2020 09:51:46 -0700
+Subject: fix: enable TLS renegotiation
+
+This configures BoringSSL to behave more similarly to OpenSSL.
+See https://github.com/electron/electron/issues/18380.
+
+This should be upstreamed.
+
+diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
+index 42b9469e38189f04745732afdeadd59e3ce6ad4c..f664f280d605a32d9f97121ab2816fab0fbe28c9 100644
+--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
+@@ -125,6 +125,12 @@ void TLSWrap::InitSSL() {
+   // - https://wiki.openssl.org/index.php/TLS1.3#Non-application_data_records
+   SSL_set_mode(ssl_.get(), SSL_MODE_AUTO_RETRY);
+ 
+#ifdef OPENSSL_IS_BORINGSSL
+  // OpenSSL allows renegotiation by default, but BoringSSL disables it.
+  // Configure BoringSSL to match OpenSSL's behavior.
+  SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
+#endif
+
+   SSL_set_app_data(ssl_.get(), this);
+   // Using InfoCallback isn't how we are supposed to check handshake progress:
+   //   https://github.com/openssl/openssl/issues/7199#issuecomment-420915993