This fixes CVE-2011-1473 and CVE-2011-5094 by disabling renegotiation in TLSv1.2 and earlier for server context.
Signed-off-by: Martin Schiller <[email protected]>
---
 ustream-openssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 6dae4ae..9d8d1bc 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -157,6 +157,8 @@ __ustream_ssl_context_new(bool server)
 SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #endif
+ SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);
+
 SSL_CTX_set_cipher_list(c, server_cipher_list);
 } else {
 SSL_CTX_set_cipher_list(c, client_cipher_list);
--
2.20.1
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
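Review bot: The added `SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);` in the server branch is unconditional, but `SSL_OP_NO_RENEGOTIATION` was only introduced in the OpenSSL 1.1.x series, so a build against an older library would fail to compile. The `#endif` just above suggests this function already carries version-conditional code, though its `#if` is outside the hunk. Wrapping the call as `#ifdef SSL_OP_NO_RENEGOTIATION` / `SSL_CTX_set_options(c, SSL_OP_NO_RENEGOTIATION);` / `#endif` keeps those builds working. Where the macro is absent the server would still accept client-initiated renegotiation, so that gap should be stated in a comment or the commit message rather than left implicit. The function body starts and ends outside the hunk.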
