diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c index d37ce115b..bf9d88bc1 100644 --- a/content/fetchers/curl.c +++ b/content/fetchers/curl.c @@ -67,6 +67,21 @@ /** maximum number of X509 certificates in chain for TLS connection */ #define MAX_CERTS 10 +/* the ciphersuites we are willing to use */ +#define CIPHER_LIST \ + /* disable everything */ \ + "-ALL:" \ + /* enable TLSv1.2 PFS suites */ \ + "EECDH+AES+TLSv1.2:EDH+AES+TLSv1.2:" \ + /* enable PFS AES GCM suites */ \ + "EECDH+AESGCM:EDH+AESGCM:" \ + /* Enable PFS AES CBC suites */ \ + "EECDH+AES:EDH+AES:" \ + /* Enable non-PFS fallback suite */ \ + "AES128-SHA:" \ + /* Remove any PFS suites using weak DSA key exchange */ \ + "-DSS" + /** SSL certificate info */ struct cert_info { X509 *cert; /**< Pointer to certificate */ @@ -555,6 +570,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm) /* Ensure server rejects the connection if downgraded too far */ SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV); #endif + /* Disable TLS1.2 ciphersuites */ + SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2"); } SSL_CTX_set_options(sslctx, options); @@ -1512,6 +1529,7 @@ nserror fetch_curl_register(void) SETOPT(CURLOPT_LOW_SPEED_TIME, 180L); SETOPT(CURLOPT_NOSIGNAL, 1L); SETOPT(CURLOPT_CONNECTTIMEOUT, nsoption_uint(curl_fetch_timeout)); + SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST); if (nsoption_charp(ca_bundle) && strcmp(nsoption_charp(ca_bundle), "")) {