| Message ID | 20221103115423.13082-1-ms@dev.tdt.de |
|---|---|
| State | Superseded |
| Delegated to: | Hauke Mehrtens |
| Headers | show
Return-Path:
<openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
spf=none (no SPF record) smtp.mailfrom=lists.openwrt.org
(client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;
envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
dkim=pass (2048-bit key;
secure) header.d=lists.infradead.org header.i=@lists.infradead.org
header.a=rsa-sha256 header.s=bombadil.20210309 header.b=T3S11P+v;
dkim-atps=neutral
Received: from bombadil.infradead.org (bombadil.infradead.org
[IPv6:2607:7c80:54:3::133])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
(No client certificate requested)
by legolas.ozlabs.org (Postfix) with ESMTPS id 4N32Mb1MZyz1yqS
for <incoming@patchwork.ozlabs.org>; Thu, 3 Nov 2022 22:58:18 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=lists.infradead.org; s=bombadil.20210309; h=Sender:
Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:Subject:Cc
:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
List-Owner; bh=jetmJBB/0KaudObWrxUb2y+KalGmjmamZzI20Sh267M=; b=T3S11P+vOr9apK
M4vDPfjw0KX5ApLqZnksg5SXrV2ZbUR/br9fV0RK5KYYq2B8Qc6RpsVHepy9W+TddMNunq5ozDVJk
3BrR0krjXy9xe+FuH7oX4v9CHbTJPNTbeytbX22Adyt2BSBDR55vGgfCkCvmgYqDnVaoGiNQhibDz
R94iUJhgW9ZquxQU8+lxVnsTnrxQkSQhX/VG2X87sDLJjffKVsNTDczErtmyNd6UMmfTSxjOkv0YF
qCW/lWXYrWok76hvkuq01pxYpdBJxdK6I80YGOrGT8CVtx0K6Wo0EBZWxpIYrxfjuFE9LnewKNefZ
eutlZzG5NqrOn8KuOblw==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
id 1oqYnv-00HFiz-Cx; Thu, 03 Nov 2022 11:54:39 +0000
Received: from mxout70.expurgate.net ([91.198.224.70])
by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
id 1oqYnq-00HFh3-PW
for openwrt-devel@lists.openwrt.org; Thu, 03 Nov 2022 11:54:36 +0000
Received: from [127.0.0.1] (helo=localhost)
by relay.expurgate.net with smtp (Exim 4.92)
(envelope-from <prvs=532041c7a4=ms@dev.tdt.de>)
id 1oqYnk-000Q7x-MU; Thu, 03 Nov 2022 12:54:28 +0100
Received: from [195.243.126.94] (helo=securemail.tdt.de)
by relay.expurgate.net with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.92)
(envelope-from <ms@dev.tdt.de>)
id 1oqYnj-000PTc-Ut; Thu, 03 Nov 2022 12:54:28 +0100
Received: from securemail.tdt.de (localhost [127.0.0.1])
by securemail.tdt.de (Postfix) with ESMTP id 80CAB24004B;
Thu, 3 Nov 2022 12:54:27 +0100 (CET)
Received: from mail.dev.tdt.de (unknown [10.2.4.42])
by securemail.tdt.de (Postfix) with ESMTP id 3C287240049;
Thu, 3 Nov 2022 12:54:27 +0100 (CET)
Received: from mschiller01.dev.tdt.de (unknown [10.2.3.20])
by mail.dev.tdt.de (Postfix) with ESMTPSA id E4F322AD21;
Thu, 3 Nov 2022 12:54:26 +0100 (CET)
From: Martin Schiller <ms@dev.tdt.de>
To: openwrt-devel@lists.openwrt.org
Cc: ynezz@true.cz,
Martin Schiller <ms@dev.tdt.de>
Subject: [PATCH ustream-ssl] ustream-openssl: Disable renegotiation in TLSv1.2
and earlier
Date: Thu, 3 Nov 2022 12:54:23 +0100
Message-ID: <20221103115423.13082-1-ms@dev.tdt.de>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,URIBL_BLOCKED
autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dev.tdt.de
X-purgate: clean
X-purgate-type: clean
X-purgate-ID: 151534::1667476468-1BBE3B4F-65E60F31/0/0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3
X-CRM114-CacheID: sfid-20221103_045435_020546_A49DD30B
X-CRM114-Status: UNSURE ( 8.74 )
X-CRM114-Notice: Please train this message.
X-Spam-Score: -0.7 (/)
X-Spam-Report: Spam detection software,
running on the system "bombadil.infradead.org",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: This fixes CVE-2011-1473 and CVE-2011-5094 by disabling
renegotiation
in TLSv1.2 and earlier for server context. Signed-off-by: Martin Schiller
<ms@dev.tdt.de> --- ustream-openssl.c | 2 ++ 1 file changed,
2 insertions(+)
Content analysis details: (-0.7 points, 5.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/,
low trust
[91.198.224.70 listed in list.dnswl.org]
0.0 SPF_NONE SPF: sender does not publish an SPF Record
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <https://lists.openwrt.org/mailman/options/openwrt-devel>,
<mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <https://lists.openwrt.org/mailman/listinfo/openwrt-devel>,
<mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To:
openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org
|
| Series |
[ustream-ssl] ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
|
expand
|
diff --git a/ustream-openssl.c b/ustream-openssl.c index 6dae4ae..9d8d1bc 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -157,6 +157,8 @@ __ustream_ssl_context_new(bool server) SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); #endif + SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION); + SSL_CTX_set_cipher_list(c, server_cipher_list); } else { SSL_CTX_set_cipher_list(c, client_cipher_list);
This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in TLSv1.2 and earlier for server context. Signed-off-by: Martin Schiller <ms@dev.tdt.de> --- ustream-openssl.c | 2 ++ 1 file changed, 2 insertions(+)