diff options
| author | manuel <manuel@mausz.at> | 2023-08-10 12:49:47 +0200 |
|---|---|---|
| committer | manuel <manuel@mausz.at> | 2023-08-10 12:49:47 +0200 |
| commit | a341ab099e5aa53e5f69258e0c80326e01c880e8 (patch) | |
| tree | 1694f9e39d4760b2ac6ad039bf700dc16e893068 | |
| parent | a292e44f38ce771dd34e56dec2886318bdaacfe8 (diff) | |
| download | qmail-a341ab099e5aa53e5f69258e0c80326e01c880e8.tar.gz qmail-a341ab099e5aa53e5f69258e0c80326e01c880e8.tar.bz2 qmail-a341ab099e5aa53e5f69258e0c80326e01c880e8.zip | |
Disable TLS renegotiation
| -rw-r--r-- | qmail-remote.c | 2 | ||||
| -rw-r--r-- | qmail-smtpd.c | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/qmail-remote.c b/qmail-remote.c index b5fd940..d0f2fc3 100644 --- a/qmail-remote.c +++ b/qmail-remote.c | |||
| @@ -468,6 +468,8 @@ static int tls_init(struct ip_mx *current_mx) | |||
| 468 | tls_quit_error("ZTLS error initializing ctx"); | 468 | tls_quit_error("ZTLS error initializing ctx"); |
| 469 | } | 469 | } |
| 470 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); | 470 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
| 471 | /* TLS renegotiation is possible cpu resource attack */ | ||
| 472 | SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); | ||
| 471 | 473 | ||
| 472 | /* we verify ourself below. see SSL_get_verify_result */ | 474 | /* we verify ourself below. see SSL_get_verify_result */ |
| 473 | SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); | 475 | SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); |
diff --git a/qmail-smtpd.c b/qmail-smtpd.c index c4b498e..d97dfc5 100644 --- a/qmail-smtpd.c +++ b/qmail-smtpd.c | |||
| @@ -1334,6 +1334,8 @@ void tls_init() | |||
| 1334 | SSL_CTX_set_min_proto_version(ctx, min_ssl_version); | 1334 | SSL_CTX_set_min_proto_version(ctx, min_ssl_version); |
| 1335 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | | 1335 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | |
| 1336 | SSL_OP_PRIORITIZE_CHACHA); | 1336 | SSL_OP_PRIORITIZE_CHACHA); |
| 1337 | /* TLS renegotiation is possible cpu resource attack */ | ||
| 1338 | SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); | ||
| 1337 | 1339 | ||
| 1338 | /* set the callback here; SSL_set_verify didn't work before 0.9.6c */ | 1340 | /* set the callback here; SSL_set_verify didn't work before 0.9.6c */ |
| 1339 | SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb); | 1341 | SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb); |