authorSimon Lees <sflees@suse.de>2016-10-17 13:58:32 +1030
committerSimon Lees <sflees@suse.de>2016-10-17 19:09:18 +1030
commitdbcf8102eff8cbd39adb0387ed1f49004ed38558 (patch)
tree50e3375d298672d0a203a769179faf9c3a21ab69
parenta99b1db32de739fee9ff122b14823d1246278e74 (diff)
ecore_ssl: Use stricter cipher suites
Thanks to Victor Pereira from the SUSE Security team for auditing this and recommending better options. This has been discussed several times but no one ever got around to committing it.
-rw-r--r--src/lib/ecore_con/ecore_con_ssl.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/ecore_con/ecore_con_ssl.c b/src/lib/ecore_con/ecore_con_ssl.c
index c3338b2..68f61ae 100644
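--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -1421,10 +1421,10 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *obj,
 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_tmp_dh(svr->ssl_ctx, dh_params));
 DH_free(dh_params);
 INF("DH params successfully generated and applied!");
-SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH"));
+SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
 }
 else if (!svr->use_cert)
-SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:!ECDH:RSA:AES:!PSK:@STRENGTH"));
+SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
 
 svr->ssl_prepared = EINA_TRUE;
 return ECORE_CON_SSL_ERROR_NONE;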
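Review bot: The new list requires RSA authentication (`aRSA`), yet at line 1427 it is installed under `else if (!svr->use_cert)`, and the call at 1424 replaces a list that began with `aNULL`; if these are the certificate-less setups they appear to be, no suite in the list can be negotiated, and the failure will surface only at handshake time because `SSL_CTX_set_cipher_list` succeeds whenever the string matches at least one cipher. It is worth confirming that anonymous-DH servers are meant to stop working, or gating the strict list on a certificate actually being loaded. Separately, `+3DES` only moves the 3DES suites to the end of the preference order; if the intent is to stop offering that 64-bit block cipher, use `!3DES`, e.g. `"aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:!3DES:!MD5"`. The same literal now appears twice, so a single named constant with a comment on the intended policy would keep the two branches from drifting apart. The enclosing function begins and ends outside the hunk, so the first branch's condition is not visible here.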