From d142ed8a32ff349a4ae050fd602f206e9a92995f Mon Sep 17 00:00:00 2001
From: Christian Zentgraf
Date: Thu, 5 Dec 2024 16:09:41 -0500
Subject: [PATCH] Fix CVE-2011-1473 by disabling client renegotiation

The upstream airlift fixed the security vulnerability with PR https://github.com/airlift/airlift/pull/1293 This is a backport of the fix.

Co-authored-by: "Mateusz \"Serafin\" Gajewski"
---
 .../main/java/com/facebook/airlift/http/server/HttpServer.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java b/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java
index afde06d977..51da7ad03d 100644
--- a/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java
+++ b/http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java
@@ -256,6 +256,7 @@ public HttpServer(HttpServerInfo httpServerInfo,
             sslContextFactory.setWantClientAuth(true);
             sslContextFactory.setSslSessionTimeout((int) config.getSslSessionTimeout().getValue(SECONDS));
             sslContextFactory.setSslSessionCacheSize(config.getSslSessionCacheSize());
+            sslContextFactory.setRenegotiationAllowed(false);
             SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
             Integer acceptors = config.getHttpsAcceptorThreads();
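Review bot: The added `sslContextFactory.setRenegotiationAllowed(false);` carries no comment, so a maintainer later tuning the TLS settings in this block has no signal that it is a deliberate mitigation rather than an arbitrary default; add `// CVE-2011-1473: refuse client-initiated TLS renegotiation (backport of https://github.com/airlift/airlift/pull/1293)` directly above it. The setting is hard-coded rather than read from `config` like the neighbouring session-timeout and cache-size values, which matches the upstream fix but is worth stating explicitly in the commit description so operators know there is no property to re-enable it. Because `setWantClientAuth(true)` on the preceding context line is applied during the initial handshake, disabling renegotiation should not affect optional client-certificate authentication here, though that is inferred from the visible lines only. A regression test that asserts a renegotiation attempt on a TLS 1.2 connection is rejected would keep this backport from being silently lost in a future Jetty upgrade. The enclosing `HttpServer` constructor begins and ends outside the hunk.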