| author | jsing <> | 2015-02-22 14:50:41 +0000 | 
|---|---|---|
| committer | jsing <> | 2015-02-22 14:50:41 +0000 | 
| commit | 1607f10de0cc9943f49fa1cbf6edb53c60012a4f (patch) | |
| tree | 7253137d4c3e65e046e586640fad6ca2a060765c /src/lib/libtls/tls_config.c | |
| parent | 2a62d537cb9010dd8195073119bceb929c7871f0 (diff) | |
In the interests of being secure by default, make the default TLS ciphers
be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that
allows the previous default ciphers to be selected.
Discussed with tedu@ during s2k15.
Diffstat (limited to 'src/lib/libtls/tls_config.c')
| -rw-r--r-- | src/lib/libtls/tls_config.c | 14 | 
1 files changed, 13 insertions, 1 deletions
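--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.6 2015/02/12 04:35:17 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.7 2015/02/22 14:50:41 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -74,6 +74,10 @@ tls_config_new(void)
 	}
 	tls_config_set_dheparams(config, "none");
 	tls_config_set_ecdhecurve(config, "auto");
+	if (tls_config_set_ciphers(config, "secure") != 0) {
+		tls_config_free(config);
+		return (NULL);
+	}
 	tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
 	tls_config_set_verify_depth(config, 6);
 
@@ -201,6 +205,14 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
 int
 tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 {
+	if (ciphers == NULL ||
+	    strcasecmp(ciphers, "default") == 0 ||
+	    strcasecmp(ciphers, "secure") == 0)
+		ciphers = TLS_CIPHERS_DEFAULT;
+	else if (strcasecmp(ciphers, "compat") == 0 ||
+	    strcasecmp(ciphers, "legacy") == 0)
+		ciphers = TLS_CIPHERS_COMPAT;
+
 	return set_string(&config->ciphers, ciphers);
 }
 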
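Review bot: The alias names that tls_config_set_ciphers now accepts (NULL, "default", "secure", "compat", "legacy", compared case-insensitively) are only discoverable by reading the strcasecmp chain, and nothing records that "default" and "secure" are the same list; a comment above the new `if` should state this, e.g. `/* NULL, "default" and "secure" select TLS_CIPHERS_DEFAULT; "compat" and "legacy" select TLS_CIPHERS_COMPAT; any other string is stored as-is. */`. In the tls_config_new hunk the new tls_config_set_ciphers call is the only tls_config_set_* call whose result is checked: the tls_config_set_dheparams and tls_config_set_ecdhecurve calls directly above it are still unchecked, so if those can fail the same way the caller receives a config silently missing those settings — worth checking them in the same style. tls_config_new's opening lies outside that hunk.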
