projects / project / ustream-ssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2ce1d48)
ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
authorMartin Schiller <ms@dev.tdt.de>
Wed, 7 Dec 2022 09:45:04 +0000 (10:45 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Wed, 7 Dec 2022 23:45:19 +0000 (00:45 +0100)
This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in
TLSv1.2 and earlier for server context.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
ustream-openssl.c patch | blob | history

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 6dae4aedb752894684c719954e74c13f628c3027..7a991e9d54d1d6e3c572dd9e5b54f4b00442d302 100644 (file)
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -157,6 +157,12 @@ __ustream_ssl_context_new(bool server)
                SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
                                       SSL_OP_NO_TLSv1_1);
 #endif
+#if defined(HAVE_WOLFSSL)
+               SSL_CTX_set_options(c, SSL_AD_NO_RENEGOTIATION);
+#else
+               SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);
+#endif
+
                SSL_CTX_set_cipher_list(c, server_cipher_list);
        } else {
                SSL_CTX_set_cipher_list(c, client_cipher_list);
ustream SSL wrapper