BSecureSocket: Explicitly set the list of ciphersuites.

OpenSSL's default cipherlist has a lot of spurious and arguably insecure
suites left in it for compatibility reasons. We have no need for all that,
so let's just use the suites Firefox/Chrome do.
Augustin Cavalier 2016-07-16 14:47:17 -04:00
parent 7cdea13cf9
commit 44ffe7c28f


@ -192,6 +192,24 @@ BSecureSocket::Private::_CreateContext()
// Don't bother us with ERROR_WANT_READ. // Don't bother us with ERROR_WANT_READ.
SSL_CTX_set_mode(sContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(sContext, SSL_MODE_AUTO_RETRY);
// Setup cipher suites.
// These suites are mostly the same ones used by Firefox 47 and Chrome 50.
SSL_CTX_set_cipher_list(sContext,
"ECDHE-ECDSA-AES128-GCM-SHA256:"
"ECDHE-RSA-AES128-GCM-SHA256:"
"ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:"
"ECDHE-RSA-CHACHA20-POLY1305-SHA256:"
"ECDHE-ECDSA-AES256-SHA:"
"ECDHE-ECDSA-AES128-SHA:"
"ECDHE-RSA-AES128-SHA:"
"ECDHE-RSA-AES256-SHA:"
"DHE-RSA-AES128-SHA:"
"DHE-RSA-AES256-SHA:"
"AES128-SHA:"
"AES256-SHA");
// Setup certificate verification // Setup certificate verification
BPath certificateStore; BPath certificateStore;
find_directory(B_SYSTEM_DATA_DIRECTORY, &certificateStore); find_directory(B_SYSTEM_DATA_DIRECTORY, &certificateStore);
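Review bot: the return value of `SSL_CTX_set_cipher_list(sContext, ...)` is discarded; it returns 0 when none of the names in the string could be matched, which would leave the context with no usable ciphers and only fail later, at handshake time, with a less obvious error. Check the result and report it the way the rest of `_CreateContext()` reports setup failures. Related: OpenSSL silently drops names it does not recognise from a cipher string, so a typo in a single entry costs that suite without any diagnostic; the two ChaCha20 entries (`"ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:"` and `"ECDHE-RSA-CHACHA20-POLY1305-SHA256:"`) are worth confirming against `openssl ciphers -v` for the OpenSSL build Haiku ships, since the names that build uses for those suites may not carry the `-SHA256` suffix, in which case the ChaCha20 suites would quietly never be offered. Finally, the commit message frames this as dropping insecure suites, but the last four entries (`DHE-RSA-*` and the plain `AES128-SHA`/`AES256-SHA`) keep CBC and, for the last two, RSA key exchange without forward secrecy; if they are there purely as a fallback for old servers, a comment saying so would stop a future reader from "tightening" the list by accident, and if they are not needed they could go.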