Aren/haiku
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

BSecureSocket: use opt-out to select ciphersuites.

Browse Source 
We just want to disable known broken ones, rather than opt-in for
working ones. This keeps the list of authentications shorter and is more
future proof.
This commit is contained in:
Adrien Destugues 2017-11-20 09:27:03 +01:00
parent c312da45a8
commit d1805b9a36
1 changed files with 3 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/kits/network/libnetapi/SecureSocket.cpp
View File

@ -332,24 +332,10 @@ BSecureSocket::Private::_CreateContext()
SSL_CTX_set_mode(sContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(sContext, SSL_MODE_AUTO_RETRY);
// Setup cipher suites. // Setup cipher suites.
// These suites are mostly the same ones used by Firefox 47 and Chrome 50. // Only accept reasonably secure ones ("HIGH") and disable some known
SSL_CTX_set_cipher_list(sContext, // broken stuff (https://wiki.openssl.org/index.php/SSL/TLS_Client)
"ECDHE-ECDSA-AES128-GCM-SHA256:" SSL_CTX_set_cipher_list(sContext, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4");
"ECDHE-RSA-AES128-GCM-SHA256:"
"ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:"
"ECDHE-RSA-CHACHA20-POLY1305-SHA256:"
"ECDHE-ECDSA-AES256-SHA:"
"ECDHE-ECDSA-AES128-SHA:"
"ECDHE-RSA-AES128-SHA:"
"ECDHE-RSA-AES256-SHA:"
"DHE-RSA-AES128-SHA:"
"DHE-RSA-AES256-SHA:"
"AES128-SHA:"
"AES256-SHA");
// Let OpenSSL choose the most appropriate D-H curve for us
SSL_CTX_set_ecdh_auto(sContext, 1); SSL_CTX_set_ecdh_auto(sContext, 1);
// Setup certificate verification // Setup certificate verification