enable tls renegotiation in reverse proxy and have config option to d…

…isable (#1912)
TykTechnologies · Sep 25, 2018 · 5dafcff · 5dafcff
1 parent a0afb8b
commit 5dafcff
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/config/config.go b/config/config.go
@@ -284,6 +284,7 @@ type Config struct {
 	ProxySSLMinVersion                uint16                                `json:"proxy_ssl_min_version"`
 	ProxySSLCipherSuites              []string                              `json:"proxy_ssl_ciphers"`
 	ProxyDefaultTimeout               int                                   `json:"proxy_default_timeout"`
+	ProxySSLDisableRenegotiation      bool                                  `json:"proxy_ssl_disable_renegotiation"`
 	LogLevel                          string                                `json:"log_level"`
 	Security                          SecurityConfig                        `json:"security"`
 	EnableKeyLogging                  bool                                  `json:"enable_key_logging"`

diff --git a/reverse_proxy.go b/reverse_proxy.go
@@ -470,6 +470,10 @@ func httpTransport(timeOut int, rw http.ResponseWriter, req *http.Request, p *Re
 		transport.TLSClientConfig.CipherSuites = getCipherAliases(p.TykAPISpec.Proxy.Transport.SSLCipherSuites)
 	}
 
+	if !config.Global().ProxySSLDisableRenegotiation {
+		transport.TLSClientConfig.Renegotiation = tls.RenegotiateFreelyAsClient
+	}
+
 	// Use the default unless we've modified the timout
 	if timeOut > 0 {
 		log.Debug("Setting timeout for outbound request to: ", timeOut)