Merge pull request #1745 from deweerdt/explicitly-disable-client-side…

…-renegotiations Disable renegotiation on client side SSL contexts
h2o · Apr 29, 2018 · ff0d866 · ff0d866
2 parents 08e8bed + 840ee66
commit ff0d866
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/lib/handler/configurator/proxy.c b/lib/handler/configurator/proxy.c
@@ -115,8 +115,14 @@ static int on_config_websocket(h2o_configurator_command_t *cmd, h2o_configurator
 
 static SSL_CTX *create_ssl_ctx(void)
 {
+    long options;
     SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
-    SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+    options = SSL_CTX_get_options(ctx) | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+#ifdef SSL_OP_NO_RENEGOTIATION
+    /* introduced in openssl 1.1.0h */
+    options |= SSL_OP_NO_RENEGOTIATION;
+#endif
+    SSL_CTX_set_options(ctx, options);
     return ctx;
 }