[Spice-commits] 2 commits - server/reds.cpp server/red-stream.cpp

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Mon Dec 7 14:43:59 UTC 2020 

 server/red-stream.cpp |    5 +++++
 server/reds.cpp       |    4 ++++
 2 files changed, 9 insertions(+)

New commits:
commit 95a0cfac8a1c8eff50f05e65df945da3bb501fc9
Author: Julien Ropé <jrope at redhat.com>
Date:   Thu Dec 3 09:33:48 2020 +0100

    With OpenSSL 1.0.2 and earlier: disable client-side renegotiation.
    
    Fixed issue #49
    Fixes BZ#1904459
    
    Signed-off-by: Julien Ropé <jrope at redhat.com>
    Reported-by: BlackKD
    Acked-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/server/red-stream.cpp b/server/red-stream.cpp
index 420433bd..c1f0f00c 100644
--- a/server/red-stream.cpp
+++ b/server/red-stream.cpp
@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
         return RED_STREAM_SSL_STATUS_OK;
     }
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+    // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
+    stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+#endif
+
     ssl_error = SSL_get_error(stream->priv->ssl, return_code);
     if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
                               ssl_error == SSL_ERROR_WANT_WRITE)) {
commit ca5bbc5692e052159bce1a75f55dc60b36078749
Author: Julien Ropé <jrope at redhat.com>
Date:   Wed Dec 2 13:39:27 2020 +0100

    With OpenSSL 1.1: Disable client-initiated renegotiation.
    
    Fixes issue #49
    Fixes BZ#1904459
    
    Signed-off-by: Julien Ropé <jrope at redhat.com>
    Reported-by: BlackKD
    Acked-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/server/reds.cpp b/server/reds.cpp
index fe69508e..f61086cb 100644
--- a/server/reds.cpp
+++ b/server/reds.cpp
@@ -2753,6 +2753,10 @@ static int reds_init_ssl(RedsState *reds)
      * When some other SSL/TLS version becomes obsolete, add it to this
      * variable. */
     long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
+#ifdef SSL_OP_NO_RENEGOTIATION
+    // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
+    ssl_options |= SSL_OP_NO_RENEGOTIATION;
+#endif
 
     /* Global system initialization*/
     openssl_global_init();

More information about the Spice-commits mailing list