mirror of
https://github.com/matrix-construct/construct
synced 2024-10-15 12:09:21 +02:00
libratbox/openssl: Set explicit cipher list for the client context aswell
This is in furtherance of commits9799bea4
and1f384464
and addresses any potential vulnerability to LogJam <https://weakdh.org/>
This commit is contained in:
parent
c86f11da1c
commit
cb266283f8
1 changed files with 4 additions and 1 deletions
|
@ -302,6 +302,7 @@ rb_init_ssl(void)
|
||||||
{
|
{
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
char libratbox_data[] = "libratbox data";
|
char libratbox_data[] = "libratbox data";
|
||||||
|
const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
|
||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
||||||
SSL_library_init();
|
SSL_library_init();
|
||||||
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
|
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
|
||||||
|
@ -343,7 +344,7 @@ rb_init_ssl(void)
|
||||||
SSL_CTX_set_options(ssl_server_ctx, server_options);
|
SSL_CTX_set_options(ssl_server_ctx, server_options);
|
||||||
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
|
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
|
||||||
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
|
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
|
||||||
SSL_CTX_set_cipher_list(ssl_server_ctx, "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL");
|
SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
|
||||||
|
|
||||||
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
|
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
|
||||||
and bastardise their OpenSSL for stupid reasons... */
|
and bastardise their OpenSSL for stupid reasons... */
|
||||||
|
@ -372,6 +373,8 @@ rb_init_ssl(void)
|
||||||
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
|
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue