author | Joel Sing <jsing@cvs.openbsd.org> | 2016-07-13 16:30:49 +0000 |
committer | Joel Sing <jsing@cvs.openbsd.org> | 2016-07-13 16:30:49 +0000 |
commit | d0bbaa08d1670a014759055bfdfdf78d5b608943 (patch) | |
tree | 0f919c2090b7355739e3f584027dea022f93f8a8 /lib/libtls/tls_internal.h | |
parent | 546eb1fb1ca7df1c59c3816d5fa27879e1800314 (diff) |
Split the existing TLS cipher suite groups into four:
"secure" (TLSv1.2+AEAD+PFS)
"compat" (HIGH:!aNULL)
"legacy" (HIGH:MEDIUM:!aNULL)
"insecure" (ALL:!aNULL:!eNULL)
This allows for flexibility and finer-grained control, rather than having
two extremes (an issue raised by Marko Kreen some time ago).
ok beck@ tedu@
Diffstat (limited to 'lib/libtls/tls_internal.h')
-rw-r--r-- | lib/libtls/tls_internal.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 886ee1151ff..6c56e6fb848 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.31 2016/07/07 14:09:03 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.32 2016/07/13 16:30:48 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -26,8 +26,10 @@
 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
-#define TLS_CIPHERS_COMPAT "ALL:!aNULL:!eNULL"
 #define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+#define TLS_CIPHERS_COMPAT "HIGH:!aNULL"
+#define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL"
+#define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL"
 union tls_addr {
 	struct in_addr ip4;
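Review bot: The macro names added in the second hunk do not match the group names the commit message defines — `TLS_CIPHERS_DEFAULT` is the "secure" group and `TLS_CIPHERS_ALL` is the "insecure" group — so a reader of the header cannot tell that `TLS_CIPHERS_ALL` is the weakest set without consulting the commit. A short comment above the block mapping each macro to its user-facing name would close that gap, e.g. `/* Cipher groups, strongest first: DEFAULT="secure", COMPAT="compat", LEGACY="legacy", ALL="insecure" */`. It is also worth stating in that comment that the ALL string only excludes anonymous (`!aNULL`) and no-encryption (`!eNULL`) suites and otherwise admits everything the library offers, so nobody picks it believing it is merely "the complete list of acceptable ciphers". Note that `TLS_CIPHERS_COMPAT` keeps its name while its value changes from the old catch-all string to `HIGH:!aNULL`; any caller outside this header that relied on the previous meaning of COMPAT will silently get a stricter set, which may be intended but deserves a mention in the comment or the commit message.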