This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in
TLSv1.2 and earlier for the server context.

Signed-off-by: Martin Schiller <m...@dev.tdt.de>
---
v2:
 - also handle wolfssl implementation.

---
 ustream-openssl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 6dae4ae..7a991e9 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -157,6 +157,12 @@ __ustream_ssl_context_new(bool server)
                SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
                                       SSL_OP_NO_TLSv1_1);
 #endif
+#if defined(HAVE_WOLFSSL)
+               SSL_CTX_set_options(c, SSL_AD_NO_RENEGOTIATION);
+#else
+               SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);
+#endif
+
                SSL_CTX_set_cipher_list(c, server_cipher_list);
        } else {
                SSL_CTX_set_cipher_list(c, client_cipher_list);
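Review bot: The wolfSSL branch under the added `#if defined(HAVE_WOLFSSL)` passes `SSL_AD_NO_RENEGOTIATION` to `SSL_CTX_set_options`, but the `SSL_AD_` prefix names a TLS alert descriptor (the `no_renegotiation` alert), not an `SSL_OP_` option bit, so on a wolfSSL build this sets whatever option bits happen to share that numeric value and leaves renegotiation enabled, which is the exact exposure the commit message says it closes. wolfSSL's OpenSSL compatibility layer provides `SSL_OP_NO_RENEGOTIATION` in recent releases, so if the version in use has it the split is unnecessary and a single `SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);` serves both backends. Because that option only exists in newer OpenSSL (1.1.0h / 1.1.1 and later) and wolfSSL headers, guarding the call with `#ifdef SSL_OP_NO_RENEGOTIATION` keeps older toolchains compiling instead of failing or silently doing nothing, and a build-time `#error` or log line in the `#else` branch would make a missing mitigation visible rather than silent. `__ustream_ssl_context_new` continues beyond the end of the hunk.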
-- 
2.20.1

