From 7ce9457a4a4382f62a2a6315a38ad553bae6a2e8 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Mon, 6 Nov 2023 18:46:37 +0100
Subject: [PATCH] Disable TLS renegotiation

The API doesn't need it and a customer's security scanner is afraid of a potential DoS attack vector.
---
 lib/base/tlsutility.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index dc2e7ba73fa..7437afe1b2e 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -11,6 +11,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 
 namespace icinga
@@ -91,6 +93,16 @@ static void InitSslContext(const Shared::Ptr& context
 	flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	SSL_CTX_set_info_callback(sslContext, [](const SSL* ssl, int where, int) {
+		if (where & SSL_CB_HANDSHAKE_DONE) {
+			ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+		}
+	});
+#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+	flags |= SSL_OP_NO_RENEGOTIATION;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
 	SSL_CTX_set_options(sslContext, flags);
 	SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);