ecore_ssl: Use stricter cipher suites
Thanks to Victor Pereira from the SUSE Security team for auditing this and recommending better options. This has been discussed several times, but no one ever got around to committing it.
parent
9b7ac51943
commit
356a1aa87a
|
@ -1421,10 +1421,10 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *obj,
|
|||
SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_tmp_dh(svr->ssl_ctx, dh_params));
|
||||
DH_free(dh_params);
|
||||
INF("DH params successfully generated and applied!");
|
||||
SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH"));
|
||||
SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
|
||||
}
|
||||
else if (!svr->use_cert)
|
||||
SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:!ECDH:RSA:AES:!PSK:@STRENGTH"));
|
||||
SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
|
||||
|
||||
svr->ssl_prepared = EINA_TRUE;
|
||||
return ECORE_CON_SSL_ERROR_NONE;
|
||||
|
|
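Review bot: In the new list `aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5`, the `+kRSA` and `+3DES` terms only move those suites to the end of the preference order and do not remove them, so static-RSA key exchange (no forward secrecy) and, on OpenSSL versions that still class 3DES as HIGH, 3DES remain negotiable. If the intent is to drop them, the terms would be `!kRSA` and `!3DES`; if they are kept for old peers, a comment above each `SSL_CTX_set_cipher_list` call such as `/* kRSA and 3DES kept last for legacy peers only */` would record that decision. The same list is also applied under `else if (!svr->use_cert)`, where the old list started with `aNULL`; an `aRSA`-only list needs an RSA certificate on the server side, so a listening server that reaches either branch without one would presumably fail every handshake, which is worth confirming because the enclosing conditions start outside the hunk. The literal is now duplicated in both calls and would be easier to audit as one named constant.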