summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2015-02-22 14:50:42 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2015-02-22 14:50:42 +0000
commitae65412c26bdc7b50f00739529d3d98fefc6e07a (patch)
tree13a0153b52fd84d2ce226f5ca1b5143a2c1cc874
parent6c22a7b3a71e3a9b8d27c9165cfa295d2193df66 (diff)
In the interests of being secure by default, make the default TLS ciphers
be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that allows the previous default ciphers to be selected. Discussed with tedu@ during s2k15.
-rw-r--r--lib/libtls/tls_config.c14
-rw-r--r--lib/libtls/tls_internal.h5
2 files changed, 17 insertions, 2 deletions
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index bec7afcb1b1..80242861c7b 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.6 2015/02/12 04:35:17 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.7 2015/02/22 14:50:41 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -74,6 +74,10 @@ tls_config_new(void)
}
tls_config_set_dheparams(config, "none");
tls_config_set_ecdhecurve(config, "auto");
+ if (tls_config_set_ciphers(config, "secure") != 0) {
+ tls_config_free(config);
+ return (NULL);
+ }
tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
tls_config_set_verify_depth(config, 6);
@@ -201,6 +205,14 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
int
tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
{
+ if (ciphers == NULL ||
+ strcasecmp(ciphers, "default") == 0 ||
+ strcasecmp(ciphers, "secure") == 0)
+ ciphers = TLS_CIPHERS_DEFAULT;
+ else if (strcasecmp(ciphers, "compat") == 0 ||
+ strcasecmp(ciphers, "legacy") == 0)
+ ciphers = TLS_CIPHERS_COMPAT;
+
return set_string(&config->ciphers, ciphers);
}
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 78e6b1fe2bf..d1ba48ea1a0 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.11 2015/02/22 14:50:41 jsing Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -25,6 +25,9 @@
#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
+#define TLS_CIPHERS_COMPAT "ALL:!aNULL:!eNULL"
+#define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+
struct tls_config {
const char *ca_file;
const char *ca_path;