fix #3763: disable renegotiation

requires openssl crate with fix[0], like our packaged one.

0: https://github.com/sfackler/rust-openssl/pull/1584

Tested-by: Stoiko Ivanov s.ivanov@proxmox.com
Reviewed-by: Stoiko Ivanov s.ivanov@proxmox.com
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/Cargo.toml b/Cargo.toml
index 0debfa93709351a1c907e5fb226244586bc87067..1b2488a3ccf814b79c0efe1f564d3f357b363a57 100644 (file)
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -64,7 +64,7 @@ log = "0.4"
 nix = "0.19.1"
 num-traits = "0.2"
 once_cell = "1.3.1"
-openssl = "0.10"
+openssl = "0.10.38" # currently patched!
 pam = "0.7"
 pam-sys = "0.5"
 percent-encoding = "2.1"

diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 07a536873f033f7b40e7929e1bfadbe90a7f943e..5e5babd118945985c426e754dba59b4bf8731a61 100644 (file)
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -348,6 +348,7 @@ fn make_tls_acceptor() -> Result<SslAcceptor, Error> {
         .map_err(|err| format_err!("unable to read proxy key {} - {}", key_path, err))?;
     acceptor.set_certificate_chain_file(cert_path)
         .map_err(|err| format_err!("unable to read proxy cert {} - {}", cert_path, err))?;
+    acceptor.set_options(openssl::ssl::SslOptions::NO_RENEGOTIATION);
     acceptor.check_private_key().unwrap();
 
     Ok(acceptor.build())