Fix CVE-2011-1473 by disabling client renegotiation

The upstream airlift fixed the security vulnerability with PR airlift#1293 This is a backport of the fix. Co-authored-by: "Mateusz \"Serafin\" Gajewski" <[email protected]>
prestodb · Jan 2, 2025 · d142ed8 · d142ed8
1 parent f039442
commit d142ed8
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java b/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java
@@ -256,6 +256,7 @@ public HttpServer(HttpServerInfo httpServerInfo,
             sslContextFactory.setWantClientAuth(true);
             sslContextFactory.setSslSessionTimeout((int) config.getSslSessionTimeout().getValue(SECONDS));
             sslContextFactory.setSslSessionCacheSize(config.getSslSessionCacheSize());
+            sslContextFactory.setRenegotiationAllowed(false);
             SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
 
             Integer acceptors = config.getHttpsAcceptorThreads();