dnsdist: Disable unsafe TLS mechanisms by default for DoH
authorRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 17 Apr 2019 09:13:49 +0000 (11:13 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 17 Apr 2019 09:15:42 +0000 (11:15 +0200)
pdns/dnsdistdist/doh.cc

index d149dffde571ad4a8409d148829bedb00fdad2a4..efbbdd5a2bf566f34e7bac183b067c4a6ef565ab 100644 (file)
@@ -576,7 +576,15 @@ static std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> getTLSContext(const std::vect
 {
   auto ctx = std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>(SSL_CTX_new(SSLv23_server_method()), SSL_CTX_free);
 
-  SSL_CTX_set_options(ctx.get(), SSL_OP_NO_SSLv2);
+  int sslOptions =
+    SSL_OP_NO_SSLv2 |
+    SSL_OP_NO_SSLv3 |
+    SSL_OP_NO_COMPRESSION |
+    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+    SSL_OP_SINGLE_DH_USE |
+    SSL_OP_SINGLE_ECDH_USE;
+
+  SSL_CTX_set_options(ctx.get(), sslOptions);
 
 #ifdef SSL_CTX_set_ecdh_auto
   SSL_CTX_set_ecdh_auto(ctx.get(), 1);
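Review bot: `int sslOptions` on the added declaration does not match the type SSL_CTX_set_options takes (`long` in the OpenSSL 1.0/1.1 series, and wider still in later releases), so the bitmask is narrowed to `int` before being widened again and any future SSL_OP_ flag placed in the high bits of the option word would be silently mangled; declare it as `const long sslOptions =` (or `auto` from the first flag) so the variable carries the API's own width. A short why-comment above the list would also help the next maintainer, e.g. `// SSLv2/SSLv3 are broken protocols, TLS compression enables plaintext-recovery side channels, and single-use (EC)DH keys give per-handshake forward secrecy`. Note that SSL_CTX_set_options ORs into the context's existing options rather than replacing them, so this assignment cannot accidentally clear a flag set elsewhere, but it also means nothing here restricts TLS 1.0/1.1; whether that should be tightened is a policy question outside this hunk. getTLSContext's body continues past the end of the hunk.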