Unbound accept client initiated renegotiation #49
Comments
Thanks for the check! The code did not have the SSL_OP_NO_RENEGOTIATION set on the context. The option requires an up-to-date version of OpenSSL, but then I set it on all the SSL contexts.
I also fixed this in NSD, by the way. NLnetLabs/nsd@68742ad
Confirm fixed (at least sslyze no longer reports the issue). Any chance to release a new version with this included since this has the potential of being used to do DoS?
* nlnet/master:
  - Fix question section mismatch in local zone redirect. Fixup space in error message.
  - Fix NLnetLabs#49: Set no renegotiation on the SSL context to stop client session renegotiation.
  - Fix NLnetLabs#48: Unbound returns additional records on NODATA response, if minimal-responses is enabled, also the additional for negative responses is removed.
  - Fix in respip addrtree selection. Absence of addr_tree_init_parents() call made it impossible to go up the tree when the matching netmask is too specific.
  - Fix for possible assertion failure when answering respip CNAME from cache.
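An added example, not part of the issue thread and not Unbound's or NSD's code: the fix described above (set the no-renegotiation option on every SSL context, when the OpenSSL build supports it), shown with Python's ssl module, which exposes OpenSSL's SSL_OP_NO_RENEGOTIATION as ssl.OP_NO_RENEGOTIATION. The helper names, the context names and the TLS 1.3 check (TLS 1.3 has no renegotiation) are assumptions of this example.

```python
import ssl

# Python exposes OpenSSL's SSL_OP_NO_RENEGOTIATION as ssl.OP_NO_RENEGOTIATION,
# but only when the linked OpenSSL is recent enough to define it.
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", None)


def disable_renegotiation(ctx):
    """Set the no-renegotiation option on one context; False if unsupported."""
    if NO_RENEG is None:
        return False
    ctx.options |= NO_RENEG
    return True


def renegotiation_status(ctx):
    """Classify a context as 'option-set', 'tls13-only' or 'exposed'."""
    if NO_RENEG is not None and ctx.options & NO_RENEG:
        return "option-set"
    # TLS 1.3 has no renegotiation, so a TLS 1.3-only context is not affected.
    if ctx.minimum_version == ssl.TLSVersion.TLSv1_3:
        return "tls13-only"
    return "exposed"


def harden_all(contexts):
    """Apply the option to every context in a name -> SSLContext mapping.

    Returns the names still 'exposed' afterwards, so a missed context or an
    old OpenSSL build is reported instead of passing silently.
    """
    for ctx in contexts.values():
        disable_renegotiation(ctx)
    return sorted(name for name, ctx in contexts.items()
                  if renegotiation_status(ctx) == "exposed")


if __name__ == "__main__":
    # Constructed sample: one server-side and one client-side context
    # (hypothetical names, not Unbound's).
    sample = {
        "listener": ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER),
        "outgoing": ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT),
    }
    print("before:", {n: renegotiation_status(c) for n, c in sample.items()})
    print("still exposed after hardening:", harden_all(sample))
```

A non-empty result from harden_all means at least one context would still honour a client-initiated renegotiation request on TLS 1.2 or earlier.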
Result: