Disable TLS renegotiation.

Client-initiated renegotiation is considered to be a potential attack
vector against servers.

Closes #1257. Thanks to Daniele Sluijters.
Roger A. Light 2019-05-29 11:47:18 +01:00
parent 44d170053d
commit b42bb99ba6
2 changed files with 6 additions and 0 deletions


@ -20,6 +20,8 @@ Broker:
writing. Closes #1290. writing. Closes #1290.
- Fix persistent Websockets clients not receiving messages after they - Fix persistent Websockets clients not receiving messages after they
reconnect, having sent DISCONNECT on a previous session. Closes #1227. reconnect, having sent DISCONNECT on a previous session. Closes #1227.
- Disable TLS renegotiation. Client initiated renegotiation is considered to
be a potential attack vector against servers. Closes #1257.
Client library: Client library:
- Fix typo causing build error on Windows when building without TLS support. - Fix typo causing build error on Windows when building without TLS support.
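Review bot: The ChangeLog entry reads as if renegotiation is now disabled unconditionally, but the corresponding change in mosquitto__tls_server_ctx is wrapped in `#ifdef SSL_OP_NO_RENEGOTIATION`, so a broker built against an OpenSSL whose headers do not define that option keeps renegotiation enabled. Suggest qualifying the entry, e.g. "Disable TLS renegotiation where the OpenSSL in use supports SSL_OP_NO_RENEGOTIATION", so operators reading the release notes do not assume the protection is present on older builds.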


@ -368,6 +368,10 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
#endif #endif
#endif #endif
#ifdef SSL_OP_NO_RENEGOTIATION
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_RENEGOTIATION);
#endif
snprintf(buf, 256, "mosquitto-%d", listener->port); snprintf(buf, 256, "mosquitto-%d", listener->port);
SSL_CTX_set_session_id_context(listener->ssl_ctx, (unsigned char *)buf, strlen(buf)); SSL_CTX_set_session_id_context(listener->ssl_ctx, (unsigned char *)buf, strlen(buf));
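Review bot: The new `#ifdef SSL_OP_NO_RENEGOTIATION` guard has no `#else` branch, so when the option is absent from the OpenSSL headers the broker silently continues to accept client-initiated renegotiation with nothing in the log to show it. Suggest adding an `#else` branch that emits a startup warning through the broker's logging facility stating that renegotiation could not be disabled, so the gap is visible to operators rather than hidden at compile time. It would also be worth adding a test that connects to a TLS listener with `openssl s_client -connect host:port` and sends `R` to request renegotiation, asserting that the server refuses it when the option is compiled in. Leaving the client library context untouched is consistent with the commit message, which scopes the concern to servers.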