[squid-dev] [PATCH] TLS: Disable client-initiated renegotiation

Paulo Matias matias at ufscar.br
Thu Jun 4 18:51:39 UTC 2015 

Hi all,

This patch disables client-initiated renegotiation, mitigating a DoS attack
which might be possible with some builds of the OpenSSL library.  We have been
warned about this when testing our service with the Qualys SSL Test
(https://www.ssllabs.com/ssltest) back when it was running in a Debian wheezy
system. Further information is available at:
https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
Our solution is similar to the one adopted in pureftpd:
https://github.com/jedisct1/pure-ftpd/blob/549e94aaa093a48622efd6d91fdfb3a4236c13f4/src/tls.c#L106

This was previously posted to squid-users, but modified since then to implement
Amos's suggestions:

> * please avoid #ifdef and #ifndef in new code.
> - use #if defined() style instead.
> * please wrap the entire ssl_info_cb() definition in the #if
> conditionals and the appropriate calling lines.

We welcome any additional suggestions or comments.

Best regards,
Paulo Matias


-------------- next part --------------
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc	2015-06-03 10:42:08 +0000
+++ src/ssl/support.cc	2015-06-04 12:59:30 +0000
@@ -823,12 +823,28 @@
     return dh;
 }
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+static void
+ssl_info_cb(const SSL *ssl, int where, int ret)
+{
+    (void)ret;
+    if ((where & SSL_CB_HANDSHAKE_DONE) != 0) {
+        // disable renegotiation (CVE-2009-3555)
+        ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+    }
+}
+#endif
+
 static bool
 configureSslContext(SSL_CTX *sslContext, AnyP::PortCfg &port)
 {
     int ssl_error;
     SSL_CTX_set_options(sslContext, port.sslOptions);
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+    SSL_CTX_set_info_callback(sslContext, ssl_info_cb);
+#endif
+
     if (port.sslContextSessionId)
         SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId));
 
@@ -1045,6 +1061,10 @@
 
     SSL_CTX_set_options(sslContext, Ssl::parse_options(options));
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+    SSL_CTX_set_info_callback(sslContext, ssl_info_cb);
+#endif
+
     if (*cipher) {
         debugs(83, 5, "Using chiper suite " << cipher << ".");

More information about the squid-dev mailing list