These have been troublesome in the past, and today's CVE-2021-3449
DoS is only exploitable if renegotiation is enabled.

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
 src/openvpn/ssl_mbedtls.c | 3 +++
 src/openvpn/ssl_openssl.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 4626e9838..1628a02e3 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1086,6 +1086,9 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
     {
         mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
     }
+    /* Disable renegotiations. OpenVPN has its own mechanism to create whole
+     * new SSL session. And these have been problematic in the past */
+    mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, 
MBEDTLS_SSL_RENEGOTIATION_DISABLED);
 
     /* Disable record splitting (for now).  OpenVPN assumes records are sent
      * unfragmented, and changing that will require thorough review and
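Review bot: The new mbedtls_ssl_conf_renegotiation() call on the added lines is only declared when mbed TLS was built with MBEDTLS_SSL_RENEGOTIATION, so a build against a library configured without it (the default config enables it, but trimmed embedded configs often do not) fails to compile here. Wrapping the call as `#if defined(MBEDTLS_SSL_RENEGOTIATION)` … `#endif` keeps the explicit disable where the feature exists and is harmless otherwise, since such a library cannot renegotiate at all. Note also that the wrapped second half of the call (`MBEDTLS_SSL_RENEGOTIATION_DISABLED);` on its own line) looks like mail-client line wrapping rather than the patch's real layout, so the patch may not apply cleanly as received. key_state_ssl_init continues outside the hunk.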
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index d161f48b8..a11ca5b97 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -320,6 +320,9 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int 
ssl_flags)
     sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 #endif
     sslopt |= SSL_OP_NO_COMPRESSION;
+    /* Disable renegotiations. OpenVPN has its own mechanism to create whole
+     * new SSL session. And these have been probelmatic in the past */
+    sslopt |= SSL_OP_NO_RENEGOTIATION;
 
     SSL_CTX_set_options(ctx->ctx, sslopt);
 
-- 
2.30.1


