From: Remi Gacogne
Date: Wed, 17 Apr 2019 09:13:49 +0000 (+0200)
Subject: dnsdist: Disable unsafe TLS mechanisms by default for DoH
X-Git-Tag: dnsdist-1.4.0-alpha2~6^2~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=472ba430cbb008e8cca4f5be2ce592bf3d1ad37c;p=thirdparty%2Fpdns.git
dnsdist: Disable unsafe TLS mechanisms by default for DoH
---
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index d149dffde5..efbbdd5a2b 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -576,7 +576,15 @@ static std::unique_ptr getTLSContext(const std::vect
 {
 auto ctx = std::unique_ptr(SSL_CTX_new(SSLv23_server_method()), SSL_CTX_free);
- SSL_CTX_set_options(ctx.get(), SSL_OP_NO_SSLv2);
+ int sslOptions =
+ SSL_OP_NO_SSLv2 |
+ SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_COMPRESSION |
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+ SSL_OP_SINGLE_DH_USE |
+ SSL_OP_SINGLE_ECDH_USE;
+
+ SSL_CTX_set_options(ctx.get(), sslOptions);
 #ifdef SSL_CTX_set_ecdh_auto
 SSL_CTX_set_ecdh_auto(ctx.get(), 1);