Disable TLS renegotiation
The API doesn't need it and a customer's security scanner
is afraid of a potential DoS attack vector.
Al2Klimov committed Oct 26, 2023
1 parent 76b460c commit bd7d407
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions lib/base/tlsutility.cpp
@@ -11,6 +11,8 @@
#include <boost/asio/ssl/context.hpp>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/ssl3.h>
#include <fstream>

namespace icinga
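Review bot: the new `#include <openssl/ssl3.h>` is redundant and its only consumer is the legacy branch further down: `<openssl/ssl.h>` (which `boost/asio/ssl/context.hpp` already pulls in) includes ssl3.h itself, and the only symbols from it, `ssl->s3` and `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS`, are used solely inside the `#if OPENSSL_VERSION_NUMBER < 0x10101000L` block. Either drop the include or move it under that same guard, so the dependency on the pre-1.1 internals is visible at the top of the file and disappears together with the fallback.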
@@ -91,6 +93,16 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context

flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;

#if OPENSSL_VERSION_NUMBER < 0x10101000L
SSL_CTX_set_info_callback(sslContext, [](const SSL* ssl, int where, int) {
if (where & SSL_CB_HANDSHAKE_DONE) {
ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
});
#else /* OPENSSL_VERSION_NUMBER < 0x10101000L */
flags |= SSL_OP_NO_RENEGOTIATION;
#endif /* OPENSSL_VERSION_NUMBER < 0x10101000L */

SSL_CTX_set_options(sslContext, flags);

SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
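Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10101000L` boundary does not match what the fallback needs: `ssl->s3->flags` reaches into the SSL struct, which OpenSSL made opaque in 1.1.0, so a 1.1.0 build (0x10100000L up to 0x10100fffL) is routed into the info-callback branch and fails to compile, even though SSL_OP_NO_RENEGOTIATION is a plain macro that 1.1.0h and later already define. Test for the feature rather than the version: `#ifdef SSL_OP_NO_RENEGOTIATION` for the option path, guard the struct-poking fallback with `OPENSSL_VERSION_NUMBER < 0x10100000L`, and make the remaining case (1.1.0 before h, which has neither) an explicit `#error` or a documented no-op instead of a surprise at build time. Two smaller points on the same hunk: `SSL_CTX_set_info_callback` replaces any info callback previously installed on this context, so if InitSslContext sets one elsewhere the two need merging; and a one-line comment that SSL_OP_NO_RENEGOTIATION only concerns TLS 1.2 and earlier (TLS 1.3 has no renegotiation, and KeyUpdate is not affected) would record why nothing extra is needed for 1.3 and save the next reader from checking.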
