From a0bcbd873a067958da13aa881446913ba6c83762 Mon Sep 17 00:00:00 2001
From: "Czarnowski, Przemyslaw"
Date: Wed, 19 May 2021 12:28:03 +0200
Subject: Forbid redirection of https resources

Due to security reasons (by security researcher recommendation) remote source redirections shouldn't be allowed in order to disallow connection downgrading

Tested: Tested with python server script forcing redirection

Change-Id: Ia68884dbcc399abc685dcbcf4e205aa62356478f
Signed-off-by: Czarnowski, Przemyslaw
---
 src/state/activating_state.cpp | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src')
diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp
index b76ef12..6cf9f68 100644
--- a/src/state/activating_state.cpp
+++ b/src/state/activating_state.cpp
@@ -266,6 +266,7 @@ std::unique_ptr
 // custom OpenBMC path for CA
 "capath=/etc/ssl/certs/authority",
 "ssl-version=tlsv1.2",
+ "followlocation=false",
 "ssl-cipher-list=ALL:!eNULL:!aNULL:"
 "!AES256-GCM-SHA384:!AES128-GCM-SHA256:"
 "!AES256-SHA256:!AES128-SHA256"};
-- cgit v1.2.3
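Review bot: The new `"followlocation=false"` entry carries no explanation in the code; the reason it exists (a 3xx answer could downgrade an https source to plain http or send the fetch to a different host) lives only in the commit message, and the neighbouring `capath` line already shows the file's habit of commenting such options. Add a why-comment above it, e.g. `// never follow redirects: a 3xx could downgrade https to plain http or move the fetch to another host`. These strings look like curl-style options handed to whatever opens the remote image, so a server that answers with a redirect will now fail the transfer instead of being followed; it is worth confirming that this failure is reported as a distinct, understandable error rather than a generic open failure, but that path is not visible here. The enclosing function starts and ends outside the hunk.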