From 5dc75c022fd90332aaa1050db40f77ae54a9f43d Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 31 Jan 2017 15:57:43 +0000
Subject: Disable client-initiated renegotiation for libtls servers.

ok beck@ reyk@
---
 src/lib/libtls/tls_server.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 1a1a48a169..51deff2510 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.34 2017/01/26 12:56:37 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.35 2017/01/31 15:57:43 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -237,6 +237,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
 goto err;
 }
 
+ SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+
 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
 tls_servername_cb) != 1) {
 tls_set_error(ctx, "failed to set servername callback");
-- 
cgit v1.2.3-55-g6feb
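Review bot: The new `SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);` line in tls_configure_server_ssl is set unconditionally on every server context but carries no comment saying why, and the reason only lives in the commit message. A short why-comment above it would keep the rationale with the code, e.g. `/* Refuse client-initiated renegotiation: a libtls server never needs it and accepting it only exposes the renegotiation attack surface and lets a client force repeated handshakes. */`. As far as this hunk shows there is no tls_config knob to opt back in, which is the right secure default, but it is worth stating that explicitly in the comment so a later change does not reintroduce a toggle without considering the consequences. No return check is needed here since SSL_CTX_set_options returns the updated option mask rather than an error status. The enclosing tls_configure_server_ssl starts and ends outside this hunk.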