Disable TLS renegotiation.

Client initiated renegotiation is considered to be a potential attack vector against servers. Closes #1257. Thanks to Daniele Sluijters.
6 years ago · e87ac5a79c
parent ee26690a09
commit e87ac5a79c
2 changed files with 6 additions and 0 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -20,6 +20,8 @@ Broker:
  writing. Closes #1290.
 - Fix persistent Websockets clients not receiving messages after they
  reconnect, having sent DISCONNECT on a previous session. Closes #1227.
+- Disable TLS renegotiation. Client initiated renegotiation is considered to
+  be a potential attack vector against servers. Closes #1257.

 Client library:
 - Fix typo causing build error on Windows when building without TLS support.
--- a/src/net.c
+++ b/src/net.c
@ -368,6 +368,10 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 #endif

+#ifdef SSL_OP_NO_RENEGOTIATION
+	SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 	snprintf(buf, 256, "mosquitto-%d", listener->port);
 	SSL_CTX_set_session_id_context(listener->ssl_ctx, (unsigned char *)buf, strlen(buf));