From: Martin Schiller
Date: Wed, 7 Dec 2022 09:45:04 +0000 (+0100)
Subject: ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=9217ab46536353c7c792951b57163063f5ec7a3b;p=project%2Fustream-ssl.git

ustream-openssl: Disable renegotiation in TLSv1.2 and earlier

This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in TLSv1.2 and earlier for server context.

Signed-off-by: Martin Schiller
---

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 6dae4ae..7a991e9 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -157,6 +157,12 @@ __ustream_ssl_context_new(bool server)
 SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #endif
+#if defined(HAVE_WOLFSSL)
+ SSL_CTX_set_options(c, SSL_AD_NO_RENEGOTIATION);
+#else
+ SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 SSL_CTX_set_cipher_list(c, server_cipher_list);
 } else {
 SSL_CTX_set_cipher_list(c, client_cipher_list);
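Review bot: The wolfSSL branch passes `SSL_AD_NO_RENEGOTIATION` to `SSL_CTX_set_options`, but the `SSL_AD_` prefix names a TLS alert-description code (the `no_renegotiation` alert of RFC 5246), not an `SSL_OP_` option bit, so on that backend the call most likely sets unrelated option bits and leaves renegotiation enabled — the CVE fix would not take effect there. wolfSSL's OpenSSL-compatibility header exposes `SSL_OP_NO_RENEGOTIATION` in recent releases, so I would drop the `HAVE_WOLFSSL` special case and guard on the macro instead, `#ifdef SSL_OP_NO_RENEGOTIATION` / `SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);` / `#endif`, which also keeps the build working against OpenSSL versions older than 1.1.0h that do not define it (verify the exact wolfSSL symbol and the minimum version against its ssl.h before relying on this). wolfSSL only offers renegotiation at all when built with secure-renegotiation support, so the practical exposure there may be small, but the call as written is still wrong and silently so. The enclosing `__ustream_ssl_context_new` starts and ends outside this hunk; the client-context branch visible at its end is left without the option, which matches the commit's stated server-only scope.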