authorjsing <jsing@openbsd.org>2016-11-02 09:33:46 +0000
committerjsing <jsing@openbsd.org>2016-11-02 09:33:46 +0000
commitd6b891ef6b14ee97e6af7b72efa54b96a1da63d2 (patch)
treef31dec73887f0b9e36d33f01d030b5556b82aea5
parentconvert DES and DH manuals from pod to mdoc (diff)
downloadwireguard-openbsd-d6b891ef6b14ee97e6af7b72efa54b96a1da63d2.tar.xz
wireguard-openbsd-d6b891ef6b14ee97e6af7b72efa54b96a1da63d2.zip
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher
suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements... ok benno@ deraadt@ florian@
-rw-r--r--usr.sbin/acme-client/http.c8
1 files changed, 1 insertions, 7 deletions
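diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c
index 552886b52e6..bde5e1a9be4 100644
--- a/usr.sbin/acme-client/http.c
+++ b/usr.sbin/acme-client/http.c
@@ -1,4 +1,4 @@
-/* $Id: http.c,v 1.13 2016/10/04 15:49:42 jsing Exp $ */
+/* $Id: http.c,v 1.14 2016/11/02 09:33:46 jsing Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -135,16 +135,10 @@ http_init()
 goto err;
 }
-tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
-
 if (-1 == tls_config_set_ca_file(tlscfg, DEFAULT_CA_FILE)) {
 warn("tls_config_set_ca_file: %s", tls_config_error(tlscfg));
 goto err;
 }
-if (-1 == tls_config_set_ciphers(tlscfg, "compat")) {
-warn("tls_config_set_ciphers: %s", tls_config_error(tlscfg));
-goto err;
-}
 return (0);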
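Review bot: With the explicit tls_config_set_protocols() and tls_config_set_ciphers() calls removed, the "TLSv1.2 with AEAD+PFS" policy the commit message promises now rests entirely on whatever defaults the linked libtls ships, and nothing in http_init records that this is intentional. A comment where the removed calls stood would keep the intent visible if those defaults ever change, e.g. `/* Rely on libtls defaults: TLSv1.2 only, AEAD + PFS cipher suites. */`. If the requirement must not drift with the library, pinning the protocol explicitly with `if (-1 == tls_config_set_protocols(tlscfg, TLS_PROTOCOL_TLSv1_2))` followed by the same warn/goto err handling used for tls_config_set_ca_file would make it enforced in this file rather than assumed. http_init starts before the hunk and the err: cleanup that the goto err branches reach lies outside it.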