Fix CVE-2011-1473 by disabling client renegotiation

The upstream airlift fixed the security vulnerability with PR airlift#1293 This is a backport of the fix. Co-authored-by: "Mateusz \"Serafin\" Gajewski" <[email protected]>
prestodb · Jan 29, 2025 · d497a42 · d497a42
1 parent 7d522c2
commit d497a42
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java b/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java
@@ -256,6 +256,7 @@ public HttpServer(HttpServerInfo httpServerInfo,
             sslContextFactory.setWantClientAuth(true);
             sslContextFactory.setSslSessionTimeout((int) config.getSslSessionTimeout().getValue(SECONDS));
             sslContextFactory.setSslSessionCacheSize(config.getSslSessionCacheSize());
+            sslContextFactory.setRenegotiationAllowed(false);
             SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
 
             Integer acceptors = config.getHttpsAcceptorThreads();