
!!!Incompatible TlsSettings!!!
Restricted to safe ciphers

Marcos Dumay de Medeiros 8 years ago
parent
commit
ee4b5be7c0
1 changed files with 10 additions and 2 deletions
  1. 10 2
      src/System/IO/Uniform/ds.c

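--- a/src/System/IO/Uniform/ds.c
+++ b/src/System/IO/Uniform/ds.c
@@ -16,6 +16,9 @@
 #include "ds.h"
 
 int openSslLoaded = 0;
+char *availableCiphers = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
+  "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:"
+  "!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA";
 
 void *clear(void *ptr){
   int e = errno;
@@ -227,9 +230,9 @@ tlsDs startSockTls(ds d, const char *cert, const char *key, const char *dh){
   loadOpenSSL(dh);
   SSL_CTX * ctx = NULL;
   if(d->server)
-    ctx = SSL_CTX_new(TLSv1_server_method());
+    ctx = SSL_CTX_new(TLSv1_1_server_method());
   else
-    ctx = SSL_CTX_new(TLSv1_client_method());
+    ctx = SSL_CTX_new(TLSv1_1_client_method());
   if(!ctx)
     return NULL;
   if(d->server){
@@ -256,6 +259,11 @@ tlsDs startSockTls(ds d, const char *cert, const char *key, const char *dh){
       closeFd(f);
       return clear(ctx);
     }
+  if(SSL_CTX_set_cipher_list(ctx, availableCiphers) <= 0){
+      int f = prepareToClose(d);
+      closeFd(f);
+      return clear(ctx);
+  }
   tlsDs t = (tlsDs)malloc(sizeof(s_tlsDs));
   t->original = d;
   if(!(t->s = SSL_new(ctx))){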
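Review bot: The TLS 1.2-only suites at the front of the new cipher list (`EECDH+aRSA+AESGCM`, `EECDH+aRSA+SHA256`) can never be negotiated, because `TLSv1_1_server_method()` / `TLSv1_1_client_method()` pin the context to exactly TLS 1.1 rather than setting a floor, so in practice the connection lands on the older CBC suites the string lists as fallbacks. To get "1.1 and up", use the version-flexible method and turn off the old protocols explicitly: `ctx = SSL_CTX_new(SSLv23_server_method());` (and the client counterpart), then `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);` right after the `if(!ctx)` check. The `+SSLv3` keyword in the list only moves SSLv3-era suites to the end of the preference order and does not enable the SSLv3 protocol; a comment on the declaration saying so, and declaring it `static const char *availableCiphers` since it is a string literal that is never written, would prevent both misreadings. startSockTls begins before and continues past these hunks, so the remaining error paths were not reviewed here.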