
Disable TLS renegotiation and fix compile error on OpenBSD

Open Al2Klimov opened this issue 1 year ago • 3 comments

@sthen Ok?

Al2Klimov avatar Dec 19 '23 14:12 Al2Klimov

ok with me!

sthen avatar Dec 22 '23 13:12 sthen

That's the neat part, you don't! It's already the default. https://github.com/libressl/portable/blob/68ad61fd6d199607af327188c2dad0779f98fa46/ChangeLog#L2316-L2318

Al2Klimov avatar Dec 22 '23 14:12 Al2Klimov

Actually, despite what I thought, v2.14.0 from ports allows renegotiation by default:

    Verify return code: 19 (self signed certificate in certificate chain)
    ---
    R
    RENEGOTIATING
    depth=1 CN = aklimov-openbsd.my.domain
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    R
    RENEGOTIATING
    depth=1 CN = aklimov-openbsd.my.domain
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    closed
    aklimov-openbsd#

However with

--- lib/base/tlsutility.cpp
+++ lib/base/tlsutility.cpp
@@ -90,5 +90,5 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context
 	long flags = SSL_CTX_get_options(sslContext);

-	flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+	flags |= SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_CLIENT_RENEGOTIATION;

 	SSL_CTX_set_options(sslContext, flags);
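Review bot: SSL_OP_NO_CLIENT_RENEGOTIATION is a LibreSSL option name, and since this issue is about a compile error on OpenBSD the added `|` term should be guarded so the same line still builds against a library that lacks the define: wrap it as `#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION` / `flags |= SSL_OP_NO_CLIENT_RENEGOTIATION;` / `#endif` rather than folding it into the unconditional SSL_OP_CIPHER_SERVER_PREFERENCE line. A one-line comment above it would also help: the flag only rejects client-initiated renegotiation on TLS 1.2 and earlier (TLS 1.3 has no renegotiation), which is exactly the "alert no renegotiation" the s_client `R` test below shows, so the test is only meaningful on a TLS 1.2 session.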

under patches/:

    Verify return code: 19 (self signed certificate in certificate chain)
    ---
    R
    RENEGOTIATING
    14177350148600:error:1400444C:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert no renegotiation:/usr/src/lib/libssl/ssl_pkt.c:753:SSL alert number 100
    14177350148600:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/usr/src/lib/libssl/ssl_pkt.c:495:
    aklimov-openbsd#

Al2Klimov avatar Jan 03 '24 12:01 Al2Klimov
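The two transcripts above are the manual version of a check worth automating when validating the ports patch: open `openssl s_client`, send its `R` (renegotiate) command and see whether the server completes a second handshake or answers with alert 100. The script below is an added example, not icinga2 or ports code; the host, port and `openssl` binary path are assumptions supplied by the caller, and the connection is pinned to TLS 1.2 because TLS 1.3 has no renegotiation to test.

```python
"""Verify that a TLS endpoint refuses client-initiated renegotiation.

Added example for this thread (not icinga2 or ports code). It drives
`openssl s_client` the way the transcripts do: send `R`, then classify
what comes back. Host, port and the openssl binary are caller assumptions.
"""
import re
import subprocess

_RENEG_START = "RENEGOTIATING"
# Printed when the peer answers the renegotiation with alert 100 or drops the handshake.
_REFUSED = re.compile(r"alert no renegotiation|ssl handshake failure", re.I)
# A completed second handshake re-runs the verify callback, so these lines reappear.
_ACCEPTED = re.compile(r"^verify return:\d+\s*$", re.M)


def classify_renegotiation(output: str) -> str:
    """Classify a captured s_client session as 'accepted', 'refused' or 'unknown'."""
    if _RENEG_START not in output:
        return "unknown"            # 'R' never fired (TLS 1.3 session, early close)
    after = output.split(_RENEG_START, 1)[1]
    if _REFUSED.search(after):
        return "refused"
    if _ACCEPTED.search(after):
        return "accepted"
    return "unknown"


def _as_text(data) -> str:
    # TimeoutExpired carries raw bytes even in text mode; normalise to str.
    if data is None:
        return ""
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data


def check_server(host: str, port: int, openssl: str = "openssl", timeout: float = 15.0) -> str:
    """Run one renegotiation probe against host:port and classify the outcome."""
    # -tls1_2: renegotiation only exists up to TLS 1.2. Input 'R\n' is the s_client
    # renegotiate command; EOF afterwards makes s_client shut the session down.
    cmd = [openssl, "s_client", "-connect", f"{host}:{port}", "-tls1_2"]
    try:
        proc = subprocess.run(cmd, input="R\n", capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        # A server that accepted may keep the session open; classify what was captured.
        return classify_renegotiation(_as_text(exc.stdout) + _as_text(exc.stderr))
    return classify_renegotiation(proc.stdout + proc.stderr)
```

`check_server("my-icinga-host", 443)` returns `"refused"` for a server built with the patch above and `"accepted"` for the unpatched default shown in the first transcript.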