From patchwork Thu Nov 3 11:54:23 2022
X-Patchwork-Submitter: Martin Schiller
X-Patchwork-Id: 1698839
X-Patchwork-Delegate: hauke@hauke-m.de
From: Martin Schiller
To: openwrt-devel@lists.openwrt.org
Cc: ynezz@true.cz, Martin Schiller
Subject: [PATCH ustream-ssl] ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
Date: Thu, 3 Nov 2022 12:54:23 +0100
Message-ID: <20221103115423.13082-1-ms@dev.tdt.de>
X-Mailer: git-send-email 2.20.1
This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in TLSv1.2 and earlier for server context.

Signed-off-by: Martin Schiller
---
 ustream-openssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ustream-openssl.c b/ustream-openssl.c index 6dae4ae..9d8d1bc 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -157,6 +157,8 @@ __ustream_ssl_context_new(bool server) SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); #endif + SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION); + SSL_CTX_set_cipher_list(c, server_cipher_list); } else { SSL_CTX_set_cipher_list(c, client_cipher_list);
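Review bot: the added `SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);` sits directly after the `#endif` that closes the version-guarded `SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` block, but it carries no guard of its own; `SSL_OP_NO_RENEGOTIATION` only exists from OpenSSL 1.1.0h onwards, so a build against an older OpenSSL or an OpenSSL-compatible library that lacks the macro fails with an undeclared identifier. Either wrap the new call in `#ifdef SSL_OP_NO_RENEGOTIATION` / `#endif`, or state the minimum OpenSSL version in the commit message. Placing the call in the `server` branch (the one that sets `server_cipher_list`) matches the "for server context" wording, and since TLSv1.3 has no renegotiation the option only affects TLSv1.2 and earlier, which is exactly what the subject line claims.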