authorJoel Sing <jsing@cvs.openbsd.org>2015-02-22 14:50:42 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2015-02-22 14:50:42 +0000
commitae65412c26bdc7b50f00739529d3d98fefc6e07a (patch)
tree13a0153b52fd84d2ce226f5ca1b5143a2c1cc874 /lib/libtls/tls_internal.h
parent6c22a7b3a71e3a9b8d27c9165cfa295d2193df66 (diff)
In the interests of being secure by default, make the default TLS ciphers
be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that allows the previous default ciphers to be selected. Discussed with tedu@ during s2k15.
Diffstat (limited to 'lib/libtls/tls_internal.h')
-rw-r--r--lib/libtls/tls_internal.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 78e6b1fe2bf..d1ba48ea1a0 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.11 2015/02/22 14:50:41 jsing Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -25,6 +25,9 @@
#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
+#define TLS_CIPHERS_COMPAT "ALL:!aNULL:!eNULL"
+#define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+
struct tls_config {
const char *ca_file;
const char *ca_path;