Disable client-initiated renegotiation for libtls servers.

ok beck@ reyk@
author: jsing <jsing@openbsd.org> 2017-01-31 15:57:43 +0000
committer: jsing <jsing@openbsd.org> 2017-01-31 15:57:43 +0000
commit: f61da50d755d5b3499975ff9a541e183d6f558f1 (patch)
tree: e3f4b3e4b8fb5bde5b891746d0b310206ae83461 /lib/libtls/tls_server.c
parent: Provide an SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows (diff)
download: wireguard-openbsd-f61da50d755d5b3499975ff9a541e183d6f558f1.tar.xz
wireguard-openbsd-f61da50d755d5b3499975ff9a541e183d6f558f1.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index 1a1a48a1699..51deff25105 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.34 2017/01/26 12:56:37 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.35 2017/01/31 15:57:43 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -237,6 +237,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
 		goto err;
 	}
 
+	SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+
 	if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
 	    tls_servername_cb) != 1) {
 		tls_set_error(ctx, "failed to set servername callback");
author	jsing <jsing@openbsd.org>	2017-01-31 15:57:43 +0000
committer	jsing <jsing@openbsd.org>	2017-01-31 15:57:43 +0000
commit	f61da50d755d5b3499975ff9a541e183d6f558f1 (patch)
tree	e3f4b3e4b8fb5bde5b891746d0b310206ae83461 /lib/libtls/tls_server.c
parent	Provide an SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows (diff)
download	wireguard-openbsd-f61da50d755d5b3499975ff9a541e183d6f558f1.tar.xz wireguard-openbsd-f61da50d755d5b3499975ff9a541e183d6f558f1.zip