85cb4d
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
85cb4d
index b286053..8b6c34f 100644
85cb4d
--- a/modules/ssl/ssl_engine_init.c
85cb4d
+++ b/modules/ssl/ssl_engine_init.c
85cb4d
@@ -824,6 +824,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
85cb4d
         SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
85cb4d
     }
85cb4d
 #endif
85cb4d
+
85cb4d
+#ifdef SSL_OP_NO_RENEGOTIATION
85cb4d
+    /* For server-side SSL_CTX, disable renegotiation by default.. */
85cb4d
+    if (!mctx->pkp) {
85cb4d
+        SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
85cb4d
+    }
85cb4d
+#endif
85cb4d
     
85cb4d
     return APR_SUCCESS;
85cb4d
 }
85cb4d
@@ -845,6 +852,14 @@ static void ssl_init_ctx_session_cache(server_rec *s,
85cb4d
     }
85cb4d
 }
85cb4d
 
85cb4d
+#ifdef SSL_OP_NO_RENEGOTIATION
85cb4d
+/* OpenSSL-level renegotiation protection. */
85cb4d
+#define MODSSL_BLOCKS_RENEG (0)
85cb4d
+#else
85cb4d
+/* mod_ssl-level renegotiation protection. */
85cb4d
+#define MODSSL_BLOCKS_RENEG (1)
85cb4d
+#endif
85cb4d
+
85cb4d
 static void ssl_init_ctx_callbacks(server_rec *s,
85cb4d
                                    apr_pool_t *p,
85cb4d
                                    apr_pool_t *ptemp,
85cb4d
@@ -854,7 +869,13 @@ static void ssl_init_ctx_callbacks(server_rec *s,
85cb4d
 
85cb4d
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
85cb4d
 
85cb4d
-    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
85cb4d
+    /* The info callback is used for debug-level tracing.  For OpenSSL
85cb4d
+     * versions where SSL_OP_NO_RENEGOTIATION is not available, the
85cb4d
+     * callback is also used to prevent use of client-initiated
85cb4d
+     * renegotiation.  Enable it in either case. */
85cb4d
+    if (APLOGdebug(s) || MODSSL_BLOCKS_RENEG) {
85cb4d
+        SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
85cb4d
+    }
85cb4d
 
85cb4d
 #ifdef HAVE_TLS_ALPN
85cb4d
     SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
85cb4d
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
85cb4d
index 836bfdb..0958135 100644
85cb4d
--- a/modules/ssl/ssl_engine_io.c
85cb4d
+++ b/modules/ssl/ssl_engine_io.c
85cb4d
@@ -200,11 +200,13 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
85cb4d
     apr_bucket *e;
85cb4d
     int need_flush;
85cb4d
 
85cb4d
+#ifndef SSL_OP_NO_RENEGOTIATION
85cb4d
     /* Abort early if the client has initiated a renegotiation. */
85cb4d
     if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
85cb4d
         outctx->rc = APR_ECONNABORTED;
85cb4d
         return -1;
85cb4d
     }
85cb4d
+#endif
85cb4d
 
85cb4d
     /* when handshaking we'll have a small number of bytes.
85cb4d
      * max size SSL will pass us here is about 16k.
85cb4d
@@ -458,11 +460,13 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
85cb4d
     if (!in)
85cb4d
         return 0;
85cb4d
 
85cb4d
+#ifndef SSL_OP_NO_RENEGOTIATION
85cb4d
     /* Abort early if the client has initiated a renegotiation. */
85cb4d
     if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
85cb4d
         inctx->rc = APR_ECONNABORTED;
85cb4d
         return -1;
85cb4d
     }
85cb4d
+#endif
85cb4d
 
85cb4d
     BIO_clear_retry_flags(bio);
85cb4d
 
85cb4d
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
85cb4d
index e217b9d..21f701f 100644
85cb4d
--- a/modules/ssl/ssl_engine_kernel.c
85cb4d
+++ b/modules/ssl/ssl_engine_kernel.c
85cb4d
@@ -992,7 +992,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
85cb4d
 
85cb4d
             /* Toggle the renegotiation state to allow the new
85cb4d
              * handshake to proceed. */
85cb4d
-            sslconn->reneg_state = RENEG_ALLOW;
85cb4d
+            modssl_set_reneg_state(sslconn, RENEG_ALLOW);
85cb4d
 
85cb4d
             SSL_renegotiate(ssl);
85cb4d
             SSL_do_handshake(ssl);
85cb4d
@@ -1019,7 +1019,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
85cb4d
              */
85cb4d
             SSL_peek(ssl, peekbuf, 0);
85cb4d
 
85cb4d
-            sslconn->reneg_state = RENEG_REJECT;
85cb4d
+            modssl_set_reneg_state(sslconn, RENEG_REJECT);
85cb4d
 
85cb4d
             if (!SSL_is_init_finished(ssl)) {
85cb4d
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
85cb4d
@@ -1078,7 +1078,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
85cb4d
         (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
85cb4d
         int vmode_inplace, vmode_needed;
85cb4d
         int change_vmode = FALSE;
85cb4d
-        int old_state, n, rc;
85cb4d
+        int n, rc;
85cb4d
 
85cb4d
         vmode_inplace = SSL_get_verify_mode(ssl);
85cb4d
         vmode_needed = SSL_VERIFY_NONE;
85cb4d
@@ -1180,8 +1180,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
85cb4d
                 return HTTP_FORBIDDEN;
85cb4d
             }
85cb4d
             
85cb4d
-            old_state = sslconn->reneg_state;
85cb4d
-            sslconn->reneg_state = RENEG_ALLOW;
85cb4d
             modssl_set_app_data2(ssl, r);
85cb4d
 
85cb4d
             SSL_do_handshake(ssl);
85cb4d
@@ -1191,7 +1189,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
85cb4d
              */
85cb4d
             SSL_peek(ssl, peekbuf, 0);
85cb4d
 
85cb4d
-            sslconn->reneg_state = old_state;
85cb4d
             modssl_set_app_data2(ssl, NULL);
85cb4d
 
85cb4d
             /*
85cb4d
@@ -2271,8 +2268,8 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c,
85cb4d
 /*
85cb4d
  * This callback function is executed while OpenSSL processes the SSL
85cb4d
  * handshake and does SSL record layer stuff.  It's used to trap
85cb4d
- * client-initiated renegotiations, and for dumping everything to the
85cb4d
- * log.
85cb4d
+ * client-initiated renegotiations (where SSL_OP_NO_RENEGOTIATION is
85cb4d
+ * not available), and for dumping everything to the log.
85cb4d
  */
85cb4d
 void ssl_callback_Info(const SSL *ssl, int where, int rc)
85cb4d
 {
85cb4d
@@ -2284,14 +2281,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
85cb4d
         return;
85cb4d
     }
85cb4d
 
85cb4d
-    /* With TLS 1.3 this callback may be called multiple times on the first
85cb4d
-     * negotiation, so the below logic to detect renegotiations can't work.
85cb4d
-     * Fortunately renegotiations are forbidden starting with TLS 1.3, and
85cb4d
-     * this is enforced by OpenSSL so there's nothing to be done here.
85cb4d
-     */
85cb4d
-#if SSL_HAVE_PROTOCOL_TLSV1_3
85cb4d
-    if (SSL_version(ssl) < TLS1_3_VERSION)
85cb4d
-#endif
85cb4d
+#ifndef SSL_OP_NO_RENEGOTIATION
85cb4d
+    /* With OpenSSL < 1.1.1 (implying TLS v1.2 or earlier), this
85cb4d
+     * callback is used to block client-initiated renegotiation.  With
85cb4d
+     * TLSv1.3 it is unnecessary since renegotiation is forbidden at
85cb4d
+     * protocol level.  Otherwise (TLSv1.2 with OpenSSL >=1.1.1),
85cb4d
+     * SSL_OP_NO_RENEGOTIATION is used to block renegotiation. */
85cb4d
     {
85cb4d
         SSLConnRec *sslconn;
85cb4d
 
85cb4d
@@ -2316,6 +2311,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
85cb4d
             sslconn->reneg_state = RENEG_REJECT;
85cb4d
         }
85cb4d
     }
85cb4d
+#endif
85cb4d
 
85cb4d
     s = mySrvFromConn(c);
85cb4d
     if (s && APLOGdebug(s)) {
85cb4d
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
85cb4d
index 2514407..f4e5ac9 100644
85cb4d
--- a/modules/ssl/ssl_private.h
85cb4d
+++ b/modules/ssl/ssl_private.h
85cb4d
@@ -508,6 +508,16 @@ typedef struct {
85cb4d
     apr_time_t     source_mtime;
85cb4d
 } ssl_asn1_t;
85cb4d
 
85cb4d
+typedef enum {
85cb4d
+    RENEG_INIT = 0, /* Before initial handshake */
85cb4d
+    RENEG_REJECT,   /* After initial handshake; any client-initiated
85cb4d
+                     * renegotiation should be rejected */
85cb4d
+    RENEG_ALLOW,    /* A server-initiated renegotiation is taking
85cb4d
+                     * place (as dictated by configuration) */
85cb4d
+    RENEG_ABORT     /* Renegotiation initiated by client, abort the
85cb4d
+                     * connection */
85cb4d
+} modssl_reneg_state;
85cb4d
+
85cb4d
 /**
85cb4d
  * Define the mod_ssl per-module configuration structure
85cb4d
  * (i.e. the global configuration for each httpd process)
85cb4d
@@ -540,18 +550,13 @@ typedef struct {
85cb4d
         NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
85cb4d
     } non_ssl_request;
85cb4d
 
85cb4d
-    /* Track the handshake/renegotiation state for the connection so
85cb4d
-     * that all client-initiated renegotiations can be rejected, as a
85cb4d
-     * partial fix for CVE-2009-3555. */
85cb4d
-    enum {
85cb4d
-        RENEG_INIT = 0, /* Before initial handshake */
85cb4d
-        RENEG_REJECT,   /* After initial handshake; any client-initiated
85cb4d
-                         * renegotiation should be rejected */
85cb4d
-        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
85cb4d
-                         * place (as dictated by configuration) */
85cb4d
-        RENEG_ABORT     /* Renegotiation initiated by client, abort the
85cb4d
-                         * connection */
85cb4d
-    } reneg_state;
85cb4d
+#ifndef SSL_OP_NO_RENEGOTIATION
85cb4d
+    /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
85cb4d
+     * for the connection to block client-initiated renegotiations.
85cb4d
+     * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
85cb4d
+     * the SSL * options state with equivalent effect. */
85cb4d
+    modssl_reneg_state reneg_state;
85cb4d
+#endif
85cb4d
 
85cb4d
     server_rec *server;
85cb4d
     SSLDirConfigRec *dc;
85cb4d
@@ -1130,6 +1135,9 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
85cb4d
  * the configured ENGINE. */
85cb4d
 int modssl_is_engine_id(const char *name);
85cb4d
 
85cb4d
+/* Set the renegotation state for connection. */
85cb4d
+void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state);
85cb4d
+
85cb4d
 #endif /* SSL_PRIVATE_H */
85cb4d
 /** @} */
85cb4d
 
85cb4d
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
85cb4d
index 4fa089b..3413d83 100644
85cb4d
--- a/modules/ssl/ssl_util_ssl.c
85cb4d
+++ b/modules/ssl/ssl_util_ssl.c
85cb4d
@@ -504,3 +504,19 @@ char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen,
85cb4d
 
85cb4d
     return str;
85cb4d
 }
85cb4d
+
85cb4d
+void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
85cb4d
+{
85cb4d
+#ifdef SSL_OP_NO_RENEGOTIATION
85cb4d
+    switch (state) {
85cb4d
+    case RENEG_ALLOW:
85cb4d
+        SSL_clear_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION);
85cb4d
+        break;
85cb4d
+    default:
85cb4d
+        SSL_set_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION);
85cb4d
+        break;
85cb4d
+    }
85cb4d
+#else
85cb4d
+    sslconn->reneg_state = state;
85cb4d
+#endif
85cb4d
+}