- Fix #49: Set no renegotiation on the SSL context to stop client
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 19 Jul 2019 06:18:06 +0000 (08:18 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 19 Jul 2019 06:18:06 +0000 (08:18 +0200)
  session renegotiation.

doc/Changelog
smallapp/unbound-control.c
util/net_help.c

index 3b9618cac9e541c5e1b57e9377bdad7ad9eac7a1..75d1a900ac92566d712032b17e873df094e65268 100644 (file)
@@ -1,3 +1,7 @@
+19 July 2019: Wouter
+       - Fix #49: Set no renegotiation on the SSL context to stop client
+         session renegotiation.
+
 12 July 2019: Wouter
        - Fix #48: Unbound returns additional records on NODATA response,
          if minimal-responses is enabled, also the additional for negative
index 3ea6aa033c08416705c6ea4fef07e715224e9ee7..eba7f581440cb1d76dc69e01a4fb24f729aea915 100644 (file)
@@ -498,7 +498,13 @@ setup_ctx(struct config_file* cfg)
                ssl_err("could not set SSL_OP_NO_SSLv2");
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
                != SSL_OP_NO_SSLv3)
-               ssl_err("could not set SSL_OP_NO_SSLv3");
+               ssl_err("could not set SSL_O P_NO_SSLv3");
+#if defined(SSL_OP_NO_RENEGOTIATION)
+       /* disable client renegotiation */
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+               SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
+               ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
+#endif
        if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
                ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
        if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))
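Review bot: The rewritten SSL_OP_NO_SSLv3 error string on the line directly above the new #if block now reads `ssl_err("could not set SSL_O P_NO_SSLv3");`, with a stray space inside the option name; this looks like an accidental keystroke rather than part of the fix, and the removed line `ssl_err("could not set SSL_OP_NO_SSLv3");` should be restored. The new option is set on unbound-control's outgoing (client-side) context, so the copied comment `/* disable client renegotiation */` reads oddly here; something like `/* disable renegotiation on this (client-side) context */` says what the line does without implying a server role. As in the other hunks, the `#if defined(SSL_OP_NO_RENEGOTIATION)` guard silently compiles the protection out on toolkits that lack the macro, which is worth a short comment if that fallback is intended. setup_ctx starts before and continues past this hunk.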
index 13bcdf8085bff3546bd3b055ce3d57c7d9370359..88bfc225a8e44d08f0256fe7f07450f986377f81 100644 (file)
@@ -744,6 +744,14 @@ listen_sslctx_setup(void* ctxt)
                return 0;
        }
 #endif
+#if defined(SSL_OP_NO_RENEGOTIATION)
+       /* disable client renegotiation */
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+               SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+               log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+               return 0;
+       }
+#endif
 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
        /* if we have sha256, set the cipher list to have no known vulns */
        if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
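Review bot: The `#if defined(SSL_OP_NO_RENEGOTIATION)` guard means that on an OpenSSL build without the option (it arrived in the 1.1.0 series, as far as I recall, and LibreSSL may differ) the fix is compiled out and the listening context still accepts client-initiated renegotiation, with no log line or build-time signal that the mitigation is absent. If that fallback is acceptable it deserves a comment, e.g. `/* SSL_OP_NO_RENEGOTIATION needs a recent OpenSSL; older builds keep renegotiation enabled */`, and if it is not, an #else branch using the info-callback technique older OpenSSL versions required could be considered. The error handling itself is consistent with the preceding checks in this function (log_crypto_err, then `return 0`). listen_sslctx_setup starts before and continues past this hunk.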
@@ -962,6 +970,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
                SSL_CTX_free(ctx);
                return NULL;
        }
+#if defined(SSL_OP_NO_RENEGOTIATION)
+       /* disable client renegotiation */
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+               SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+               log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+               return 0;
+       }
+#endif
        if(key && key[0]) {
                if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
                        log_err("error in client certificate %s", pem);
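Review bot: The new failure path in connect_sslctx_create returns without releasing the context it has already created: it logs and does `return 0;`, whereas the error path immediately above it does `SSL_CTX_free(ctx); return NULL;`, so a failed SSL_CTX_set_options leaks the SSL_CTX. The branch should read `SSL_CTX_free(ctx);` followed by `return NULL;` to match the rest of the function. The comment `/* disable client renegotiation */` is copied verbatim from the server-side setup; since this is an outgoing (client-side) context, `/* disable renegotiation on this (client-side) context */` would be clearer. connect_sslctx_create starts before and continues past this hunk.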