Disable TLS renegotiation if supported

The API doesn't need it and a customer's security scanner is afraid of a potential DoS attack vector.
Icinga · Oct 24, 2023 · 40278e9 · 40278e9
1 parent 76b460c
commit 40278e9
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
@@ -91,6 +91,10 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context
 
 	flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+	flags |= SSL_OP_NO_RENEGOTIATION;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */
+
 	SSL_CTX_set_options(sslContext, flags);
 
 	SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);