diff --git a/libexec/httpd/CHANGES b/libexec/httpd/CHANGES index 5f0c80c5a8db..1443274e4f80 100644 --- a/libexec/httpd/CHANGES +++ b/libexec/httpd/CHANGES @@ -1,8 +1,11 @@ -$NetBSD: CHANGES,v 1.50 2021/08/24 09:47:36 mrg Exp $ +$NetBSD: CHANGES,v 1.51 2021/08/24 09:53:26 mrg Exp $ changes in bozohttpd 20210824: o new "-m tlsversion" option to set the minimum TLS version available. partially from . + o extend the list of available ciphers to include most of the + openssl "HIGH" with some additional disables. retain the current + list of bad options. should deal with PR#51278. changes in bozohttpd 20210504: o don't assume host BUFSIZ is sufficent. small BUFSIZ leads to diff --git a/libexec/httpd/ssl-bozo.c b/libexec/httpd/ssl-bozo.c index 03bb8be2ef86..d3867fdbd7bb 100644 --- a/libexec/httpd/ssl-bozo.c +++ b/libexec/httpd/ssl-bozo.c @@ -1,4 +1,4 @@ -/* $NetBSD: ssl-bozo.c,v 1.30 2021/08/24 09:47:36 mrg Exp $ */ +/* $NetBSD: ssl-bozo.c,v 1.31 2021/08/24 09:53:26 mrg Exp $ */ /* $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $ */ @@ -51,10 +51,15 @@ #ifndef BOZO_SSL_CIPHERS #define BOZO_SSL_CIPHERS \ - "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:" \ - "AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:" \ - "AES:" \ - "-SHA:" \ + "HIGH:" \ + "-SHA:-ADH:" \ + "-PSK-AES128-CCM:-PSK-AES256-CCM:" \ + "-DHE-PSK-AES128-CCM8:-DHE-PSK-AES256-CCM8:" \ + "-AES128-CCM8:-AES256-CCM8:" \ + "-DHE-RSA-AES128-CCM8:-DHE-RSA-AES256-CCM8:" \ + "-PSK-AES128-CCM8:-PSK-AES256-CCM8:" \ + "-CAMELLIA128:-CAMELLIA256:" \ + "-RSA-PSK-CHACHA20-POLY1305:" \ "!aNULL:!eNULL:" \ "!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:" \ "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:" \
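Review bot: With `"HIGH:"` the BOZO_SSL_CIPHERS default becomes a denylist whose result depends on what the linked OpenSSL classifies as HIGH, and the added lines carry no comment saying why the CCM8 and CAMELLIA suites are subtracted. The `-ADH` entry and the `-PSK-…`, `-DHE-PSK-…` and `-RSA-PSK-CHACHA20-POLY1305` entries are soft removals that the retained `!aNULL` and `!PSK` already enforce permanently, so they look redundant and could be dropped or explained. HIGH also still admits static-RSA key exchange (no forward secrecy), as the old explicit list did, so it is worth stating whether that is intentional. I would add above the `#define`: `/* HIGH minus SHA1-MAC, CCM8 and Camellia suites; verify the expansion with "openssl ciphers -v" whenever OpenSSL is updated. */`. The macro continues past the end of the hunk, so the tail of the string is not covered here.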