9pfs/solanum-vs-hackint-and-charybdis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

MbedTLS: Misc security improvements

Browse source 
As a client, require all peers (i.e. other IRC servers) to support secure
renegotiation. Break handshakes with servers that don't. We do not
renegotiate our sessions, but this is the most secure option regardless.

As a client, disable TLS Session Tickets. The server side MbedTLS code
does not have any ticket callbacks configured, so an MbedTLS IRC Server
will not issue tickets -- however, others could. Server connections are
not expected to be short-lived enough to benefit from the usage of tickets,
and their issuance harms forward secrecy.
This commit is contained in:
Aaron Jones 2016-08-31 00:13:56 +00:00
parent cfcd4615ed
commit 036419c344
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
libratbox/src/mbedtls.c
View file

@ -158,6 +158,7 @@ rb_mbedtls_cfg_new(void)
{
rb_lib_log("rb_mbedtls_cfg_new: ssl_config_defaults (server): %s",
rb_get_ssl_strerror_internal(ret));
rb_mbedtls_cfg_decref(cfg);
return NULL;
}
@ -168,6 +169,7 @@ rb_mbedtls_cfg_new(void)
{
rb_lib_log("rb_mbedtls_cfg_new: ssl_config_defaults (client): %s",
rb_get_ssl_strerror_internal(ret));
rb_mbedtls_cfg_decref(cfg);
return NULL;
}
@ -181,6 +183,14 @@ rb_mbedtls_cfg_new(void)
mbedtls_ssl_conf_authmode(&cfg->server_cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_authmode(&cfg->client_cfg, MBEDTLS_SSL_VERIFY_NONE);
#ifdef MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
mbedtls_ssl_conf_legacy_renegotiation(&cfg->client_cfg, MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE);
#endif
#ifdef MBEDTLS_SSL_SESSION_TICKETS_DISABLED
mbedtls_ssl_conf_session_tickets(&cfg->client_cfg, MBEDTLS_SSL_SESSION_TICKETS_DISABLED);
#endif
return cfg;
}