BSecureSocket: use opt-out to select ciphersuites.

We just want to disable known broken ones, rather than opt-in for working ones. This keeps the list of authentications shorter and is more future proof.
2017-11-20 09:27:03 +01:00 · 2017-11-20 09:27:03 +01:00 · d1805b9a36
commit d1805b9a36
parent c312da45a8
1 changed files with 3 additions and 17 deletions
--- a/src/kits/network/libnetapi/SecureSocket.cpp
+++ b/src/kits/network/libnetapi/SecureSocket.cpp
@ -332,24 +332,10 @@ BSecureSocket::Private::_CreateContext()
 	SSL_CTX_set_mode(sContext, SSL_MODE_AUTO_RETRY);

 	// Setup cipher suites.
-	// These suites are mostly the same ones used by Firefox 47 and Chrome 50.
-	SSL_CTX_set_cipher_list(sContext,
-		"ECDHE-ECDSA-AES128-GCM-SHA256:"
-		"ECDHE-RSA-AES128-GCM-SHA256:"
-		"ECDHE-ECDSA-AES256-GCM-SHA384:"
-		"ECDHE-RSA-AES256-GCM-SHA384:"
-		"ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:"
-		"ECDHE-RSA-CHACHA20-POLY1305-SHA256:"
-		"ECDHE-ECDSA-AES256-SHA:"
-		"ECDHE-ECDSA-AES128-SHA:"
-		"ECDHE-RSA-AES128-SHA:"
-		"ECDHE-RSA-AES256-SHA:"
-		"DHE-RSA-AES128-SHA:"
-		"DHE-RSA-AES256-SHA:"
-		"AES128-SHA:"
-		"AES256-SHA");
+	// Only accept reasonably secure ones ("HIGH") and disable some known
+	// broken stuff (https://wiki.openssl.org/index.php/SSL/TLS_Client)
+	SSL_CTX_set_cipher_list(sContext, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4");

-	// Let OpenSSL choose the most appropriate D-H curve for us
 	SSL_CTX_set_ecdh_auto(sContext, 1);

 	// Setup certificate verification