[PATCH ustream-ssl] ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
Martin Schiller
ms at dev.tdt.de
Thu Nov 3 04:54:23 PDT 2022
This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in
TLSv1.2 and earlier for server context.
Signed-off-by: Martin Schiller <ms at dev.tdt.de>
---
ustream-openssl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 6dae4ae..9d8d1bc 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -157,6 +157,8 @@ __ustream_ssl_context_new(bool server)
SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
SSL_OP_NO_TLSv1_1);
#endif
+ SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);
+
SSL_CTX_set_cipher_list(c, server_cipher_list);
} else {
SSL_CTX_set_cipher_list(c, client_cipher_list);
--
2.20.1
More information about the openwrt-devel
mailing list