[tls] Disable renegotiation unless extended master secret is used

RFC 7627 states that renegotiation becomes no longer secure under
various circumstances when the non-extended master secret is used.
The description of the precise set of circumstances is spread across
various points within the document and is not entirely clear.

Avoid a superset of the circumstances in which renegotiation
apparently becomes insecure by refusing renegotiation completely
unless the extended master secret is used.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2025-10-12 22:37:49 +01:00
parent 57504353fe
commit e80818e4f6

@@ -2082,7 +2082,7 @@ static int tls_new_hello_request ( struct tls_connection *tls,
} }
/* Fail unless server supports secure renegotiation */ /* Fail unless server supports secure renegotiation */
if ( ! tls->secure_renegotiation ) { if ( ! ( tls->secure_renegotiation && tls->extended_master_secret ) ) {
DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n", DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
tls ); tls );
return -EPERM_RENEG_INSECURE; return -EPERM_RENEG_INSECURE;
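
Review bot: The comment above the changed condition still reads "Fail unless server supports secure renegotiation", but the test now also requires tls->extended_master_secret, so the comment no longer describes what is checked. Suggest rewording it to name both requirements, for example "Fail unless server supports secure renegotiation and extended master secret". The DBGC message "refusing to renegotiate insecurely" and the -EPERM_RENEG_INSECURE return are now shared by two distinct causes; printing the values of tls->secure_renegotiation and tls->extended_master_secret in that debug line would let someone reading a log tell which requirement the server failed to meet.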