commit 27a0d086f7bbf7076270dbeee5e65552eb2eab3a
author Adam Langley <agl@google.com> Tue Nov 03 13:34:10 2015 -0800
committer Adam Langley <agl@google.com> Tue Nov 03 21:58:13 2015 +0000
tree 00698a302fc48789c26acbb68fa6cf7a876f5f6f
parent fa9eb568b07597af5ff75dd2bb8204e40fbfea78

Add ssl_renegotiate_ignore.

This option causes clients to ignore HelloRequest messages completely.
This can be suitable in cases where a server tries to perform concurrent
application data and handshake flow, e.g. because they are trying to
“renew” symmetric keys.

Change-Id: I2779f7eff30d82163f2c34a625ec91dc34fab548
Reviewed-on: https://boringssl-review.googlesource.com/6431
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>

include/openssl/ssl.h

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index f9e0d85..79d7205 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2663,6 +2663,7 @@
   ssl_renegotiate_never = 0,
   ssl_renegotiate_once,
   ssl_renegotiate_freely,
+  ssl_renegotiate_ignore,
 };
 
 /* SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to
@@ -2671,8 +2672,10 @@
  *
  * The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set
  * at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to
- * allow one renegotiation and |ssl_renegotiate_freely| to allow all
- * renegotiations.
+ * allow one renegotiation, |ssl_renegotiate_freely| to allow all
+ * renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages.
+ * Note that ignoring HelloRequest messages may cause the connection to stall
+ * if the server waits for the renegotiation to complete.
  *
  * There is no support in BoringSSL for initiating renegotiations as a client
  * or server. */