authorJoel Sing <jsing@cvs.openbsd.org>2016-11-02 09:33:47 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2016-11-02 09:33:47 +0000
commit370da566a4fd4d744c356c70b2cd6ec7dc1fd75c (patch)
tree77e1ea02d9c40c3290e2f2f91a51192b1871e341
parent6bb05f934e5bbb820c5e342ff3ee13cd6e9bb273 (diff)
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher
suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements... ok benno@ deraadt@ florian@
-rw-r--r--usr.sbin/acme-client/http.c8
1 files changed, 1 insertions, 7 deletions
diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c
index 552886b52e6..bde5e1a9be4 100644
--- a/usr.sbin/acme-client/http.c
+++ b/usr.sbin/acme-client/http.c
@@ -1,4 +1,4 @@
-/* $Id: http.c,v 1.13 2016/10/04 15:49:42 jsing Exp $ */
+/* $Id: http.c,v 1.14 2016/11/02 09:33:46 jsing Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -135,16 +135,10 @@ http_init()
goto err;
}
- tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
-
if (-1 == tls_config_set_ca_file(tlscfg, DEFAULT_CA_FILE)) {
warn("tls_config_set_ca_file: %s", tls_config_error(tlscfg));
goto err;
}
- if (-1 == tls_config_set_ciphers(tlscfg, "compat")) {
- warn("tls_config_set_ciphers: %s", tls_config_error(tlscfg));
- goto err;
- }
return (0);