author | Qu Chen <quchen@amazon.com> | 2022-04-21 16:54:16 -0700 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2022-07-24 23:23:43 -0700 |
commit | 6aa0d9b9a7040e51e556398803096576c21f5c9a (patch) | |
tree | 288960e8e581171d05bf5a9bcb08470b334503bd | |
parent | cd440062ae8955ac2634e61934368574690f8c6e (diff) | |
Disable TLS re-negotiation from SSL context
via SSL_OP_NO_RENEGOTIATION option
-rw-r--r-- | tls.c | 15 |
1 files changed, 11 insertions, 4 deletions
@@ -222,17 +222,23 @@ int ssl_init(void) {
 #endif
 }
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+ // Disable TLS re-negotiation if SSL_OP_NO_RENEGOTIATION is defined for
+ // openssl 1.1.0h or above
+ SSL_CTX_set_options(settings.ssl_ctx, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 return 0;
 }
 
 /*
 * This method is registered with each SSL connection and abort the SSL session
- * if a client initiates a renegotiation.
- * TODO : Proper way to do this is to set SSL_OP_NO_RENEGOTIATION
- * using the SSL_CTX_set_options but that option only available in
- * openssl 1.1.0h or above.
+ * if a client initiates a renegotiation for openssl versions before 1.1.0h.
+ * For openssl 1.1.0h and above, TLS re-negotiation is disabled by setting the
+ * SSL_OP_NO_RENEGOTIATION option in SSL_CTX_set_options.
 */
 void ssl_callback(const SSL *s, int where, int ret) {
+#ifndef SSL_OP_NO_RENEGOTIATION
 SSL* ssl = (SSL*)s;
 if (SSL_in_before(ssl)) {
 fprintf(stderr, "%d: SSL renegotiation is not supported, "
@@ -240,6 +246,7 @@ void ssl_callback(const SSL *s, int where, int ret) {
 SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
 return;
 }
+#endif
 }
 
 /* |
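Review bot: With SSL_OP_NO_RENEGOTIATION defined, the `#ifndef` added at the top of ssl_callback turns the whole body off, leaving `s`, `where` and `ret` unreferenced and the function an empty stub that is presumably still registered on every connection; under -Wunused-parameter (and -Werror, if the build uses it) that is a warning, so either add `#else` / `(void)s; (void)where; (void)ret;` / `#endif` before the closing brace, or put the registration of ssl_callback (not visible in this hunk) under the same `#ifndef` so the stub is never installed. The two code paths also do not behave the same way: the pre-1.1.0h branch logs to stderr and shuts the connection down, whereas with the context option OpenSSL, as far as I recall from its documentation, answers a renegotiation attempt with a `no_renegotiation` warning alert and keeps the connection open silently — worth stating in the new ssl_init comment, e.g. `// With this option OpenSSL refuses the request itself (no_renegotiation alert, connection stays up); the ssl_callback shutdown path only applies to older builds`. Note too that `SSL_OP_NO_RENEGOTIATION` governs TLS 1.2 and earlier only, which is fine here since TLS 1.3 has no renegotiation, but the comment's "Disable TLS re-negotiation" could say so. ssl_init starts before this hunk and ssl_callback's fprintf continues into the next one.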