Here's a quick demonstration of what I'm talking about with net/prosody, using testssl.sh[1]:
    $ testssl.sh -t xmpp -R example.com:5222
    [ snip... ]
    Testing for Renegotiation vulnerabilities
    Secure Renegotiation (RFC 5746)           supported (OK)
    Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), potential DoS threat

I've found this issue in two ports so far (net/prosody, telephony/coturn) and suspect it may be in others due to the nature of the problem, which I'll get into more in a moment.

Upstream for net/prosody patched it May 12th of 2021[2], so I was led to believe that it might be a local problem. net/prosody relies on security/luasec to deal with TLS. In certmanager.lua[3], it's clear that it means to disable renegotiation based on these two lines in the source (in different sections):

    no_renegotiation = test_option("no_renegotiation");
    no_renegotiation = luasec_has.options.no_renegotiation;

However, the problem is that security/luasec expects the option to be named SSL_OP_NO_RENEGOTIATION and it's actually named SSL_OP_NO_CLIENT_RENEGOTIATION in the OpenBSD source tree. This is shown in options.c[4] and in lib/libssl/ssl.h[5]:

    #if defined(SSL_OP_NO_RENEGOTIATION)
      {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
    #endif

    /* Disallow client initiated renegotiation. */
    #define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L

Though, in the case of security/luasec, there's a promising comment in options.c that says:

    /* If you need to generate these options again, see options.lua */

As I said before, I'm making an educated guess that some other ports may have this issue as well. In fact, even the OpenBSD source tree has some mentions of SSL_OP_NO_RENEGOTIATION in unbound and nsd sections (I'm using textproc/ripgrep from ports to search here).

    $ rg 'SSL_OP_NO_RENEGOTIATION'
    usr.sbin/unbound/smallapp/unbound-control.c
    541:#if defined(SSL_OP_NO_RENEGOTIATION)
    543:	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
    544:		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
    545:		ssl_err("could not set SSL_OP_NO_RENEGOTIATION");

    usr.sbin/unbound/util/net_help.c
    992:#if defined(SSL_OP_NO_RENEGOTIATION)
    994:	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
    995:		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
    996:		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
    1228:#if defined(SSL_OP_NO_RENEGOTIATION)
    1230:	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
    1231:		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
    1232:		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");

    usr.sbin/nsd/server.c
    2006:#if defined(SSL_OP_NO_RENEGOTIATION)
    2008:	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
    2009:		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
    2010:		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");

    usr.sbin/nsd/nsd-control.c
    187:#if defined(SSL_OP_NO_RENEGOTIATION)
    189:	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
    190:		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
    191:		ssl_err("could not set SSL_OP_NO_RENEGOTIATION");

    sbin/unwind/libunbound/util/net_help.c
    992:#if defined(SSL_OP_NO_RENEGOTIATION)
    994:	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
    995:		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
    996:		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
    1228:#if defined(SSL_OP_NO_RENEGOTIATION)
    1230:	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
    1231:		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
    1232:		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");

I don't exactly know what the best way to deal with this is, but I felt it was important to bring to people's attention nonetheless.
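The failure mode above is a silent one: code guarded by #if defined(SSL_OP_NO_RENEGOTIATION) simply compiles to nothing on a library that spells the option SSL_OP_NO_CLIENT_RENEGOTIATION, and renegotiation stays enabled. The unbound and nsd code at least verifies that the bit actually took after SSL_CTX_set_options(). The following is an added example (not code from this post, prosody, luasec, unbound or nsd) showing the same two defensive steps at runtime in Python's ssl module: probe a list of candidate option names instead of assuming one, and treat "no option found" or "bit not set afterwards" as a hard failure rather than success. Python only exposes OpenSSL's name as ssl.OP_NO_RENEGOTIATION; the second candidate name, the SimpleNamespace stand-ins and their numeric values are constructed for the demonstration, except 0x00020000 which is the LibreSSL value quoted above.

```python
import ssl
from types import SimpleNamespace

# Option names to probe, in order. "OP_NO_RENEGOTIATION" is the name Python's
# ssl module gives OpenSSL's SSL_OP_NO_RENEGOTIATION. The second name is an
# assumption for illustration only: Python does not expose LibreSSL's
# SSL_OP_NO_CLIENT_RENEGOTIATION, so this shows how a fallback list behaves.
CANDIDATE_NAMES = ("OP_NO_RENEGOTIATION", "OP_NO_CLIENT_RENEGOTIATION")


def find_no_renegotiation_option(binding=ssl, names=CANDIDATE_NAMES):
    """Return (name, bitmask) for the first renegotiation-disabling option
    the binding exposes, or (None, 0) when it exposes none of them.

    This is the runtime analogue of luasec's #if defined(...) table entry,
    but it does not silently drop the option when the first name is absent.
    """
    for name in names:
        value = getattr(binding, name, None)
        if value is not None:
            return name, int(value)
    return None, 0


def harden_context(ctx, binding=ssl, names=CANDIDATE_NAMES):
    """Try to disable client-initiated renegotiation on an SSLContext.

    Returns True only if an option was found AND the bit is set afterwards,
    mirroring unbound's (SSL_CTX_set_options(ctx, opt) & opt) != opt check.
    """
    name, flag = find_no_renegotiation_option(binding, names)
    if flag == 0:
        # No option under any known name: fail loudly so the caller can
        # refuse to start instead of running with renegotiation enabled.
        return False
    ctx.options |= flag
    return (int(ctx.options) & flag) == flag


def check_this_build():
    """Probe the real ssl module of the running interpreter."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    name, flag = find_no_renegotiation_option()
    return {"name": name, "flag": flag, "hardened": harden_context(ctx)}


def describe_stand_ins():
    """Constructed stand-ins for three bindings: one that only knows the
    OpenSSL-style name, one that only knows the LibreSSL-style name, and one
    that knows neither. The numeric values are illustrative."""
    openssl_like = SimpleNamespace(OP_NO_RENEGOTIATION=0x40000000)
    libressl_like = SimpleNamespace(OP_NO_CLIENT_RENEGOTIATION=0x00020000)
    neither = SimpleNamespace()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return {
        "openssl_like": find_no_renegotiation_option(openssl_like),
        "libressl_like": find_no_renegotiation_option(libressl_like),
        "neither": find_no_renegotiation_option(neither),
        # With no usable option the hardening step must report failure.
        "neither_hardens": harden_context(ctx, binding=neither),
    }


if __name__ == "__main__":
    print("this Python/OpenSSL build:", check_this_build())
    print("stand-in probes:", describe_stand_ins())
```

The part worth copying into a real service is the return value of harden_context(): a port or daemon that wants renegotiation off should refuse to start (or at least log at error level, as unbound does) when that returns False, instead of taking the absence of a macro as "nothing to do".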
[1]: https://github.com/drwetter/testssl.sh
[2]: https://prosody.im/security/advisory_20210512/
[3]: https://hg.prosody.im/0.12/file/tip/core/certmanager.lua
[4]: https://github.com/brunoos/luasec/blob/v1.0.1/src/options.c
[5]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libssl/ssl.h?rev=1.230&content-type=text/plain