ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
authorMartin Schiller <ms@dev.tdt.de>
Wed, 7 Dec 2022 09:45:04 +0000 (10:45 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Wed, 7 Dec 2022 23:45:19 +0000 (00:45 +0100)
This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in
TLSv1.2 and earlier for server context.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
ustream-openssl.c

index 6dae4aedb752894684c719954e74c13f628c3027..7a991e9d54d1d6e3c572dd9e5b54f4b00442d302 100644 (file)
@@ -157,6 +157,12 @@ __ustream_ssl_context_new(bool server)
                SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
                                       SSL_OP_NO_TLSv1_1);
 #endif
+#if defined(HAVE_WOLFSSL)
+               SSL_CTX_set_options(c, SSL_AD_NO_RENEGOTIATION);
+#else
+               SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);
+#endif
+
                SSL_CTX_set_cipher_list(c, server_cipher_list);
        } else {
                SSL_CTX_set_cipher_list(c, client_cipher_list);
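Review bot: On the HAVE_WOLFSSL branch the value passed to SSL_CTX_set_options() is `SSL_AD_NO_RENEGOTIATION`, which by its SSL_AD_ prefix looks like a TLS alert description code rather than an SSL_OP_ option bit. If so, the call may set unrelated option bits and leave renegotiation enabled on wolfSSL server contexts, so please confirm against the wolfSSL compatibility header which constant actually disables renegotiation. On the OpenSSL branch, `SSL_OP_NO_RENEGOTIATION` does not exist in older library releases, so the unguarded use breaks the build there; wrapping it as `#ifdef SSL_OP_NO_RENEGOTIATION` / `SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);` / `#endif` keeps those builds working, though they stay without the mitigation and a comment should say so. A one-line comment above the block such as `/* refuse renegotiation (TLS <= 1.2) on server contexts */` would also record why the option is set only in the server path. The enclosing function __ustream_ssl_context_new starts and ends outside the hunk.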