Hardening against CVE-2009-3555

Disable client-initiated renegotiation, mitigating a DoS attack which
might be possible with some builds of the OpenSSL library.

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index c8a161bb207b195e148d263282e77af927b75cdf..f8dcfbac681aa95bf89a82ab2a7e5fb98d3afdb0 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -823,12 +823,28 @@ Ssl::readDHParams(const char *dhfile)
     return dh;
 }
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+static void
+ssl_info_cb(const SSL *ssl, int where, int ret)
+{
+    (void)ret;
+    if ((where & SSL_CB_HANDSHAKE_DONE) != 0) {
+        // disable renegotiation (CVE-2009-3555)
+        ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+    }
+}
+#endif
+
 static bool
 configureSslContext(SSL_CTX *sslContext, AnyP::PortCfg &port)
 {
     int ssl_error;
     SSL_CTX_set_options(sslContext, port.sslOptions);
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+    SSL_CTX_set_info_callback(sslContext, ssl_info_cb);
+#endif
+
     if (port.sslContextSessionId)
         SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId));
 
@@ -1045,6 +1061,10 @@ sslCreateClientContext(const char *certfile, const char *keyfile, const char *ci
 
     SSL_CTX_set_options(sslContext, Ssl::parse_options(options));
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+    SSL_CTX_set_info_callback(sslContext, ssl_info_cb);
+#endif
+
     if (*cipher) {
         debugs(83, 5, "Using chiper suite " << cipher << ".");