Skip to content

Add a runtime option to enable or disable the secure renegotiation check. #9596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kareem-wolfssl wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add a runtime option to enable or disable the secure renegotiation check. #9596

kareem-wolfssl wants to merge 4 commits into from
+227 −2

Conversation

@kareem-wolfssl
Copy link
Contributor

@kareem-wolfssl kareem-wolfssl commented Dec 30, 2025
edited
Loading

Description

Send no_renegotiation alert when rejecting renegotation attempt due to renegotiation being disabled as defined in RFC 5246 section 7.2.2.
Fixes zd#19378

Testing

Built in tests

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kareem-wolfssl kareem-wolfssl self-assigned this Dec 30, 2025
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Dec 30, 2025

🛟 Devin Lifeguard found 2 likely issues in this PR

  • use-c-style-comments snippet: Replace the “// SCR check is enabled” (and similar) lines in the code examples with C-style comments, e.g. “/* SCR check is enabled */”.
  • declare-const-pointers snippet snippet: Change wolfSSL_get_scr_check_enabled signature to int wolfSSL_get_scr_check_enabled(const WOLFSSL* ssl) (and similarly make the ssl and ctx parameters in test_SCR_check_remove_ext_io_cb const) since they are not modified within the functions.

@kareem-wolfssl
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@kareem-wolfssl kareem-wolfssl removed their assignment Jan 8, 2026
@dgarske dgarske requested review from Copilot and dgarske and removed request for wolfSSL-Bot January 9, 2026 21:52
dgarske
dgarske previously approved these changes Jan 9, 2026
View reviewed changes
Copilot AI reviewed Jan 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a runtime option to enable or disable the secure renegotiation (SCR) check in wolfSSL. The feature allows clients to control whether to enforce RFC 9325 requirements that servers acknowledge the secure renegotiation extension. Additionally, it implements sending a no_renegotiation alert when rejecting renegotiation attempts on servers without secure renegotiation support.

Key changes:

  • Adds scr_check_enabled bit field to the WOLFSSL structure with getter/setter API functions
  • Implements logic to send no_renegotiation alert when server receives ClientHello after handshake completion without secure renegotiation support
  • Makes the existing SCR check in DoServerHello conditional on the new scr_check_enabled flag

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
wolfssl/ssl.h Adds API declarations for wolfSSL_get_scr_check_enabled and wolfSSL_set_scr_check_enabled
wolfssl/internal.h Adds scr_check_enabled bit field to WOLFSSL structure
src/ssl.c Implements getter/setter functions for the SCR check flag
src/internal.c Initializes scr_check_enabled to 1 (enabled by default); adds no_renegotiation alert logic; makes SCR check conditional on the flag
tests/api.c Adds comprehensive test for the SCR check enable/disable functionality
doc/dox_comments/header_files/ssl.h Adds documentation for the new API functions

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@kareem-wolfssl kareem-wolfssl changed the title Add a runtime option to enable or disable the secure renegotation check. Add a runtime option to enable or disable the secure renegotiation check. Jan 22, 2026
@dgarske dgarske removed their assignment Jan 23, 2026
@dgarske dgarske requested a review from SparkiDev January 23, 2026 18:57
@kareem-wolfssl kareem-wolfssl assigned dgarske and SparkiDev and unassigned dgarske Jan 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@dgarske dgarske dgarske approved these changes

@SparkiDev SparkiDev Awaiting requested review from SparkiDev

Assignees

@wolfSSL-Bot wolfSSL-Bot

@SparkiDev SparkiDev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kareem-wolfssl @dgarske @wolfSSL-Bot @SparkiDev