Disable SSL renegotiation This disables ssl renegotiaion based on the potential DOS attack here: https://www.cvedetails.com/cve/CVE-2011-1473/ Tested: testssl shows it as disabled https://github.com/drwetter/testssl.sh validator passed Fixes https://github.com/openbmc/openbmc/issues/3624 Change-Id: I4bfbd770d25ba5d1a7292421f1ccad2b2e73d3a6 Signed-off-by: James Feist <james.feist@linux.intel.com>

commit: 6a3e18261cc713409bf11382c472c7301d6d9770 [log] [tgz]
author: James Feist <james.feist@linux.intel.com> Wed Nov 06 13:46:35 2019 -0800
committer: James Feist <james.feist@linux.intel.com> Tue Nov 12 19:32:43 2019 +0000
tree: ea6dd9db206139d9946c840d8bffcc0a35968d42
parent: be380cb11299957665d061b65df4afe03e4218d1 [diff] [blame]
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 84aa097..f61aa6b 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp

@@ -315,6 +315,8 @@
 
     mSslContext->set_verify_mode(boost::asio::ssl::verify_peer);
 
+    SSL_CTX_set_options(mSslContext->native_handle(), SSL_OP_NO_RENEGOTIATION);
+
     BMCWEB_LOG_DEBUG << "Using default TrustStore location: " << trustStorePath;
     mSslContext->add_verify_path(trustStorePath);
commit	6a3e18261cc713409bf11382c472c7301d6d9770	[log] [tgz]
author	James Feist <james.feist@linux.intel.com>	Wed Nov 06 13:46:35 2019 -0800
committer	James Feist <james.feist@linux.intel.com>	Tue Nov 12 19:32:43 2019 +0000
tree	ea6dd9db206139d9946c840d8bffcc0a35968d42
parent	be380cb11299957665d061b65df4afe03e4218d1 [diff] [blame]