upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-21 07:10:43 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix #49: Set no renegotiation on the SSL context to stop client

Browse source 
session renegotiation.
This commit is contained in:
W.C.A. Wijngaards 2019-07-19 08:18:06 +02:00
parent 368386c011
commit c94e13220b
3 changed files with 27 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/Changelog
View file

@ -1,3 +1,7 @@
19 July 2019: Wouter
- Fix #49: Set no renegotiation on the SSL context to stop client
session renegotiation.
12 July 2019: Wouter 12 July 2019: Wouter
- Fix #48: Unbound returns additional records on NODATA response, - Fix #48: Unbound returns additional records on NODATA response,
if minimal-responses is enabled, also the additional for negative if minimal-responses is enabled, also the additional for negative

8
smallapp/unbound-control.c
View file

@ -498,7 +498,13 @@ setup_ctx(struct config_file* cfg)
ssl_err("could not set SSL_OP_NO_SSLv2"); ssl_err("could not set SSL_OP_NO_SSLv2");
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3) != SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3"); ssl_err("could not set SSL_O P_NO_SSLv3");
#if defined(SSL_OP_NO_RENEGOTIATION)
/* disable client renegotiation */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
#endif
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert)) if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
ssl_path_err("Error setting up SSL_CTX client cert", c_cert); ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)) if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))

16
util/net_help.c
View file

@ -744,6 +744,14 @@ listen_sslctx_setup(void* ctxt)
return 0; return 0;
} }
#endif #endif
#if defined(SSL_OP_NO_RENEGOTIATION)
/* disable client renegotiation */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
return 0;
}
#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
/* if we have sha256, set the cipher list to have no known vulns */ /* if we have sha256, set the cipher list to have no known vulns */
if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
@ -962,6 +970,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
return NULL; return NULL;
} }
#if defined(SSL_OP_NO_RENEGOTIATION)
/* disable client renegotiation */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
return 0;
}
#endif
if(key && key[0]) { if(key && key[0]) {
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
log_err("error in client certificate %s", pem); log_err("error in client certificate %s", pem);