Hi Willy,

On 1/21/19 6:38 PM, Dirkjan Bussink wrote:
> Hi Emeric,
>
>> On 21 Jan 2019, at 08:06, Emeric Brun <[email protected]> wrote:
>>
>> Interesting, it would be good to skip the check using the same method.
>>
>> We must stay careful not to put the OP_NO_RENEG flag on the client part
>> (when haproxy connects to server), because reneg from server is authorized,
>> but I think infocbk is called only on the frontend/accept side.
>>
>> So a patch which does:
>>
>> #ifdef SSL_OP_NO_RENEGOTIATION
>> SSL_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
>> #endif
>>
>> without condition during init,
>>
>> and adding #ifndef SSL_OP_NO_RENEGOTIATION around the CVE check, should fix
>> the issue mentioned about keyupdate and will fix the CVE using the clean
>> way if the version of openssl supports it.
>
> I have implemented this and attached the patch for it. What do you think of
> this approach?
>
> Cheers,
>
> Dirkjan Bussink
>

I think you can merge this.

Thx Dirkjan.

R,
Emeric

