diff options
| author | jsing <> | 2015-02-22 14:50:41 +0000 |
|---|---|---|
| committer | jsing <> | 2015-02-22 14:50:41 +0000 |
| commit | c49fca8dd4f1d0079adad807701d66700251010e (patch) | |
| tree | 7253137d4c3e65e046e586640fad6ca2a060765c | |
| parent | 104de82a2457ba4f22f7c242f2b421f13bb3c5f4 (diff) | |
| download | openbsd-c49fca8dd4f1d0079adad807701d66700251010e.tar.gz openbsd-c49fca8dd4f1d0079adad807701d66700251010e.tar.bz2 openbsd-c49fca8dd4f1d0079adad807701d66700251010e.zip | |
In the interests of being secure by default, make the default TLS ciphers
be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that
allows the previous default ciphers to be selected.
Discussed with tedu@ during s2k15.
| -rw-r--r-- | src/lib/libtls/tls_config.c | 14 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 5 |
2 files changed, 17 insertions, 2 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index bec7afcb1b..80242861c7 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_config.c,v 1.6 2015/02/12 04:35:17 jsing Exp $ */ | 1 | /* $OpenBSD: tls_config.c,v 1.7 2015/02/22 14:50:41 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -74,6 +74,10 @@ tls_config_new(void) | |||
| 74 | } | 74 | } |
| 75 | tls_config_set_dheparams(config, "none"); | 75 | tls_config_set_dheparams(config, "none"); |
| 76 | tls_config_set_ecdhecurve(config, "auto"); | 76 | tls_config_set_ecdhecurve(config, "auto"); |
| 77 | if (tls_config_set_ciphers(config, "secure") != 0) { | ||
| 78 | tls_config_free(config); | ||
| 79 | return (NULL); | ||
| 80 | } | ||
| 77 | tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); | 81 | tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); |
| 78 | tls_config_set_verify_depth(config, 6); | 82 | tls_config_set_verify_depth(config, 6); |
| 79 | 83 | ||
| @@ -201,6 +205,14 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, | |||
| 201 | int | 205 | int |
| 202 | tls_config_set_ciphers(struct tls_config *config, const char *ciphers) | 206 | tls_config_set_ciphers(struct tls_config *config, const char *ciphers) |
| 203 | { | 207 | { |
| 208 | if (ciphers == NULL || | ||
| 209 | strcasecmp(ciphers, "default") == 0 || | ||
| 210 | strcasecmp(ciphers, "secure") == 0) | ||
| 211 | ciphers = TLS_CIPHERS_DEFAULT; | ||
| 212 | else if (strcasecmp(ciphers, "compat") == 0 || | ||
| 213 | strcasecmp(ciphers, "legacy") == 0) | ||
| 214 | ciphers = TLS_CIPHERS_COMPAT; | ||
| 215 | |||
| 204 | return set_string(&config->ciphers, ciphers); | 216 | return set_string(&config->ciphers, ciphers); |
| 205 | } | 217 | } |
| 206 | 218 | ||
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 78e6b1fe2b..d1ba48ea1a 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.11 2015/02/22 14:50:41 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| @@ -25,6 +25,9 @@ | |||
| 25 | 25 | ||
| 26 | #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem" | 26 | #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem" |
| 27 | 27 | ||
| 28 | #define TLS_CIPHERS_COMPAT "ALL:!aNULL:!eNULL" | ||
| 29 | #define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" | ||
| 30 | |||
| 28 | struct tls_config { | 31 | struct tls_config { |
| 29 | const char *ca_file; | 32 | const char *ca_file; |
| 30 | const char *ca_path; | 33 | const char *ca_path; |