In the interests of being secure by default, make the default TLS ciphers

be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that
allows the previous default ciphers to be selected.

Discussed with tedu@ during s2k15.

1 files changed, 4 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 78e6b1fe2b..d1ba48ea1a 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.11 2015/02/22 14:50:41 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -25,6 +25,9 @@
 
 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
 
+#define TLS_CIPHERS_COMPAT      "ALL:!aNULL:!eNULL"
+#define TLS_CIPHERS_DEFAULT     "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+
 struct tls_config {
         const char *ca_file;
         const char *ca_path;