Hi,

On 25/03/2021 18:44, Arne Schwabe wrote:
> These have been troublesome in the past and also today's CVE-2021-3449
> DOS is only exploitable if renegotiation is enabled.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
What is the practical effect of this change? With the current code (before this patch), when would OpenSSL/mbedTLS start a renegotiation on its own? May it have had any impact on the OpenVPN protocol until now?

Cheers,

> ---
> src/openvpn/ssl_mbedtls.c | 3 +++
> src/openvpn/ssl_openssl.c | 3 +++
> 2 files changed, 6 insertions(+)
>
> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
> index 4626e9838..1628a02e3 100644
> --- a/src/openvpn/ssl_mbedtls.c
> +++ b/src/openvpn/ssl_mbedtls.c
> @@ -1086,6 +1086,9 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
> {
> mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
> }
> + /* Disable renegotiations. OpenVPN has its own mechanism to create whole
> * new SSL session. And these have been problematic in the past */
> + mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config,
> MBEDTLS_SSL_RENEGOTIATION_DISABLED);
>
> /* Disable record splitting (for now). OpenVPN assumes records are sent
> * unfragmented, and changing that will require thorough review and
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index d161f48b8..a11ca5b97 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -320,6 +320,9 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned
> int ssl_flags)
> sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
> #endif
> sslopt |= SSL_OP_NO_COMPRESSION;
> + /* Disable renegotiations. OpenVPN has its own mechanism to create whole
> * new SSL session. And these have been probelmatic in the past */
> + sslopt |= SSL_OP_NO_RENEGOTIATION;
>
> SSL_CTX_set_options(ctx->ctx, sslopt);
>

--
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
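Review bot: on the ssl_mbedtls.c hunk in key_state_ssl_init(), mbedtls_ssl_conf_renegotiation() is only declared when mbedTLS itself is built with MBEDTLS_SSL_RENEGOTIATION, so the unguarded call will not compile against an mbedTLS configuration that has that option switched off; wrap it in `#if defined(MBEDTLS_SSL_RENEGOTIATION)` ... `#endif`. Also worth saying in the commit message that MBEDTLS_SSL_RENEGOTIATION_DISABLED is already the value mbedtls_ssl_config_defaults() sets, so on the mbedTLS side this makes the intent explicit rather than changing behaviour, which is not obvious from a commit message that only cites an OpenSSL CVE. Minor: "to create whole new SSL session" in the new comment should read "to create a whole new SSL session".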
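Review bot: on the ssl_openssl.c hunk in tls_ctx_set_options(), SSL_OP_NO_RENEGOTIATION only exists from OpenSSL 1.1.0h onwards, so adding it unconditionally breaks the build against older OpenSSL releases; the surrounding code already guards version-dependent option bits (the `#endif` right above the SSL_OP_NO_COMPRESSION line), so do the same here with `#ifdef SSL_OP_NO_RENEGOTIATION` ... `#endif`. The comment has a typo, "probelmatic" for "problematic", and the same "create whole new SSL session" wording as the mbedTLS hunk. It would also help reviewers if the commit message stated what the flag does: it applies to TLS 1.2 and earlier only (TLS 1.3 has no renegotiation), stops OpenSSL from sending HelloRequest and makes it refuse a renegotiating ClientHello, which is the renegotiation the commit message says CVE-2021-3449 depends on.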