From a341ab099e5aa53e5f69258e0c80326e01c880e8 Mon Sep 17 00:00:00 2001
From: manuel
Date: Thu, 10 Aug 2023 12:49:47 +0200
Subject: Disable TLS renegotiation
---
 qmail-remote.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'qmail-remote.c')
diff --git a/qmail-remote.c b/qmail-remote.c
index b5fd940..d0f2fc3 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -468,6 +468,8 @@ static int tls_init(struct ip_mx *current_mx)
 tls_quit_error("ZTLS error initializing ctx");
 }
 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+ /* TLS renegotiation is possible cpu resource attack */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
 /* we verify ourself below. see SSL_get_verify_result */
 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
-- 
cgit v1.2.3
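Review bot: `SSL_OP_NO_RENEGOTIATION` on the added line is used unconditionally, and as far as I know that macro first appeared in OpenSSL 1.1.0h, so a build against an older 1.1.0 release or a TLS library that lacks it would fail to compile here. Wrapping the call as `#ifdef SSL_OP_NO_RENEGOTIATION` / `SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);` / `#endif` keeps such builds working, but they then lose the hardening silently, so an `#else` branch with a `#warning` may be the better choice. The comment above the call would help more if it said what the option does in this client, e.g. `/* refuse peer-requested renegotiation (TLS <= 1.2): a remote server could otherwise force repeated handshakes and burn CPU */`. tls_init starts and ends outside the hunk, so whether a later per-connection SSL_set_options or SSL_clear_options call touches this flag cannot be checked from here.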