author | Joel Sing <jsing@cvs.openbsd.org> | 2016-11-02 09:33:47 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2016-11-02 09:33:47 +0000 |
commit | 370da566a4fd4d744c356c70b2cd6ec7dc1fd75c (patch) | |
tree | 77e1ea02d9c40c3290e2f2f91a51192b1871e341 | |
parent | 6bb05f934e5bbb820c5e342ff3ee13cd6e9bb273 (diff) |
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher
suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher
suite - given who we're talking to one would hope that they meet these
requirements...
ok benno@ deraadt@ florian@
-rw-r--r-- | usr.sbin/acme-client/http.c | 8 |
1 files changed, 1 insertions, 7 deletions
diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c
index 552886b52e6..bde5e1a9be4 100644
--- a/usr.sbin/acme-client/http.c
+++ b/usr.sbin/acme-client/http.c
@@ -1,4 +1,4 @@
-/* $Id: http.c,v 1.13 2016/10/04 15:49:42 jsing Exp $ */
+/* $Id: http.c,v 1.14 2016/11/02 09:33:46 jsing Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -135,16 +135,10 @@ http_init()
 goto err;
 }
- tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
-
 if (-1 == tls_config_set_ca_file(tlscfg, DEFAULT_CA_FILE)) {
 warn("tls_config_set_ca_file: %s", tls_config_error(tlscfg));
 goto err;
 }
- if (-1 == tls_config_set_ciphers(tlscfg, "compat")) {
- warn("tls_config_set_ciphers: %s", tls_config_error(tlscfg));
- goto err;
- }
 return (0);
|
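Review bot: The second hunk leaves nothing in http_init() saying that the protocol and cipher policy is now deliberately inherited from libtls, so a later maintainer chasing a handshake failure against an older server could re-add the "compat" cipher list or TLS_PROTOCOLS_ALL without realising it reverses this commit. A short comment above the tls_config_set_ca_file call would pin the intent, e.g. `/* Protocols and ciphers are intentionally left at the libtls defaults (TLSv1.2, AEAD+PFS suites): do not relax them here. */`. The ca_file and cipher-suite guards in the hunk follow the same `-1 ==` / warn / goto err shape, so the retained block is consistent with the file's error-handling style. http_init() begins and ends outside the hunk, so the err: label and the rest of the configuration could not be checked from here.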