authorJoel Sing <jsing@cvs.openbsd.org>2014-08-06 16:09:03 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-08-06 16:09:03 +0000
commit4dc3cb30ddb8dcde45201b0f2228bf8caa450582 (patch)
tree15558c28c893752a8e206337636452de414c0431
parentd28c27aa6338648cee63b096c8da46393e60c136 (diff)
Configure the default SSL ciphers as HIGH:!aNULL.
ok deraadt@ reyk@
-rw-r--r--usr.sbin/httpd/httpd.h6
-rw-r--r--usr.sbin/httpd/parse.y4
-rw-r--r--usr.sbin/httpd/server.c4
3 files changed, 10 insertions, 4 deletions
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 41909705c03..c129860fb97 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.49 2014/08/06 15:08:04 florian Exp $ */
+/* $OpenBSD: httpd.h,v 1.50 2014/08/06 16:09:02 jsing Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -38,8 +38,9 @@
#define HTTPD_LOGROOT "/logs"
#define HTTPD_ACCESS_LOG "access.log"
#define HTTPD_ERROR_LOG "error.log"
-#define HTTPD_SSL_KEY "/etc/ssl/private/server.key"
#define HTTPD_SSL_CERT "/etc/ssl/server.crt"
+#define HTTPD_SSL_KEY "/etc/ssl/private/server.key"
+#define HTTPD_SSL_CIPHERS "HIGH:!aNULL"
#define FD_RESERVE 5
#define SERVER_MAX_CLIENTS 1024
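Review bot: The new `HTTPD_SSL_CIPHERS` define carries a policy decision with no comment explaining what the cipher string selects, unlike the path defines around it which are self-describing. A one-line note would help the next maintainer judge whether the default still matches policy, e.g. `/* default TLS cipher list: "HIGH" strength only, no anonymous (unauthenticated) key exchange */` above the define. It would also be worth stating there that this is the built-in default applied per server block (see the parse.y hunk), so readers know where it is consumed.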
@@ -373,6 +374,7 @@ struct server_config {
char *ssl_cert;
off_t ssl_cert_len;
char *ssl_cert_file;
+ char ssl_ciphers[NAME_MAX];
char *ssl_key;
off_t ssl_key_len;
char *ssl_key_file;
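Review bot: `ssl_ciphers` is sized with `NAME_MAX`, which is a filename-length limit and has no relation to how long a cipher list can be; borrowing it here is misleading and makes the struct field read like a file name next to `ssl_cert_file` and `ssl_key_file`. A purpose-named size constant (constructed name, e.g. `HTTPD_SSL_CIPHERS_MAX`) defined alongside `HTTPD_SSL_CIPHERS` would document the intent and give the copying code in parse.y a single value to check truncation against. A brief field comment such as `/* OpenSSL cipher list string, see HTTPD_SSL_CIPHERS */` would also help, since the other `ssl_*` fields are pointer/length pairs and this one is an inline buffer. The enclosing `struct server_config` starts outside the hunk.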
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index a2a4107d2cb..accf426c5d4 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.30 2014/08/06 12:56:58 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.31 2014/08/06 16:09:02 jsing Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -235,6 +235,8 @@ server : SERVER STRING {
s->srv_conf.logformat = LOG_FORMAT_COMMON;
s->srv_conf.ssl_cert_file = HTTPD_SSL_CERT;
s->srv_conf.ssl_key_file = HTTPD_SSL_KEY;
+ strlcpy(s->srv_conf.ssl_ciphers, HTTPD_SSL_CIPHERS,
+ sizeof(s->srv_conf.ssl_ciphers));
if (last_server_id == INT_MAX) {
yyerror("too many servers defined");
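Review bot: The added `strlcpy` into `ssl_ciphers` ignores its return value; that is harmless here because the source is the compile-time literal `HTTPD_SSL_CIPHERS`, but the same buffer will presumably be filled from the configuration file later and that path must not inherit this unchecked pattern. I would at least record the assumption next to the copy, `/* literal default; cannot truncate */`, so that anyone adding a user-supplied cipher list knows to compare the `strlcpy` result against `sizeof(s->srv_conf.ssl_ciphers)` and reject the server block on truncation. The enclosing `server` rule action starts and ends outside the hunk.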
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 6671b69a8aa..502adbfe0d1 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.36 2014/08/06 15:08:04 florian Exp $ */
+/* $OpenBSD: server.c,v 1.37 2014/08/06 16:09:02 jsing Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -188,6 +188,8 @@ server_ssl_init(struct server *srv)
return (-1);
}
+ ressl_config_set_ciphers(srv->srv_ressl_config,
+ srv->srv_conf.ssl_ciphers);
ressl_config_set_cert_mem(srv->srv_ressl_config,
srv->srv_conf.ssl_cert, srv->srv_conf.ssl_cert_len);
ressl_config_set_key_mem(srv->srv_ressl_config,
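Review bot: The new `ressl_config_set_ciphers` call discards its result even though the lines just above it show `server_ssl_init` already has a `return (-1)` failure path; if the setter reports an unparseable cipher string through a non-zero return (as I believe the `ressl_config_set_*` setters do, worth confirming against the header), a bad list would be silently ignored and the library default used instead. With the current literal default this cannot happen, but once the string comes from configuration a typo would quietly weaken or change the cipher policy, so I would check it now: `if (ressl_config_set_ciphers(srv->srv_ressl_config, srv->srv_conf.ssl_ciphers) != 0)` followed by `return (-1);`. The neighbouring `set_cert_mem`/`set_key_mem` calls are equally unchecked, so this is consistent with existing style, but the cipher list is the one input most likely to become user-controlled. `server_ssl_init` starts and ends outside the hunk.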