diff options
| author |   jsing <jsing@openbsd.org> | 2015-02-22 14:50:41 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2015-02-22 14:50:41 +0000 |
| commit | 85f64a89748b46b713def1004eded57a7aff1fad (patch) | |
| tree | f483656830b13e28c073cac5ede934ea8a0099b3 /lib/libtls | |
| parent | Correct PAGE_MASK usage in radeon_vm_map_gart(). Linux defines (diff) | |
| download | wireguard-openbsd-85f64a89748b46b713def1004eded57a7aff1fad.tar.xz wireguard-openbsd-85f64a89748b46b713def1004eded57a7aff1fad.zip | |
In the interests of being secure by default, make the default TLS ciphers
be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that
allows the previous default ciphers to be selected.
Discussed with tedu@ during s2k15.
Diffstat (limited to 'lib/libtls')
| -rw-r--r-- | lib/libtls/tls_config.c | 14 | ||||
| -rw-r--r-- | lib/libtls/tls_internal.h | 5 |
2 files changed, 17 insertions, 2 deletions
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c index bec7afcb1b1..80242861c7b 100644 --- a/lib/libtls/tls_config.c +++ b/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.6 2015/02/12 04:35:17 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.7 2015/02/22 14:50:41 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -74,6 +74,10 @@ tls_config_new(void) } tls_config_set_dheparams(config, "none"); tls_config_set_ecdhecurve(config, "auto"); + if (tls_config_set_ciphers(config, "secure") != 0) { + tls_config_free(config); + return (NULL); + } tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); tls_config_set_verify_depth(config, 6); @@ -201,6 +205,14 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, int tls_config_set_ciphers(struct tls_config *config, const char *ciphers) { + if (ciphers == NULL || + strcasecmp(ciphers, "default") == 0 || + strcasecmp(ciphers, "secure") == 0) + ciphers = TLS_CIPHERS_DEFAULT; + else if (strcasecmp(ciphers, "compat") == 0 || + strcasecmp(ciphers, "legacy") == 0) + ciphers = TLS_CIPHERS_COMPAT; + return set_string(&config->ciphers, ciphers); } diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index 78e6b1fe2bf..d1ba48ea1a0 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.11 2015/02/22 14:50:41 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> @@ -25,6 +25,9 @@ #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem" +#define TLS_CIPHERS_COMPAT "ALL:!aNULL:!eNULL" +#define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" + struct tls_config { const char *ca_file; const char *ca_path; |