diff options
author | Martin Schiller <ms@dev.tdt.de> | 2022-12-07 10:45:04 +0100 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2022-12-08 00:45:19 +0100 |
commit | 9217ab46536353c7c792951b57163063f5ec7a3b (patch) | |
tree | 3ad7e7bd5a60eb5e06cad0bcfdb71010eaee0a03 | |
parent | 2ce1d482e9445a97e44a42ddf393597d23dab97c (diff) | |
download | ustream-ssl-9217ab46536353c7c792951b57163063f5ec7a3b.tar.gz |
ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in
TLSv1.2 and earlier for server context.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
-rw-r--r-- | ustream-openssl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ustream-openssl.c b/ustream-openssl.c index 6dae4ae..7a991e9 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -157,6 +157,12 @@ __ustream_ssl_context_new(bool server) SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); #endif +#if defined(HAVE_WOLFSSL) + SSL_CTX_set_options(c, SSL_AD_NO_RENEGOTIATION); +#else + SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION); +#endif + SSL_CTX_set_cipher_list(c, server_cipher_list); } else { SSL_CTX_set_cipher_list(c, client_cipher_list); |