With OpenSSL 1.0.2 and earlier: disable client-side renegotiation.

Fixed issue #49 Fixes BZ#1904459 Signed-off-by: Julien Ropé <jrope@redhat.com> Reported-by: BlackKD Acked-by: Frediano Ziglio <fziglio@redhat.com>
2025-12-26 14:41:25 +00:00 · 2020-12-03 09:33:48 +01:00 · 2020-12-03 09:33:48 +01:00 · 95a0cfac8a
commit 95a0cfac8a
parent ca5bbc5692
1 changed files with 5 additions and 0 deletions
--- a/server/red-stream.cpp
+++ b/server/red-stream.cpp
@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
        return RED_STREAM_SSL_STATUS_OK;
    }

+#ifndef SSL_OP_NO_RENEGOTIATION
+    // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
+    stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+#endif
+
    ssl_error = SSL_get_error(stream->priv->ssl, return_code);
    if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
                              ssl_error == SSL_ERROR_WANT_WRITE)) {