author | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-02-24 15:48:55 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-02-24 15:48:55 +0000 |
commit | dea580a9986dc2431d84eb0bc9d0d21ad14781cf (patch) | |
tree | b55cf3fb10f00f1c04c3a75abad663e7980161da /usr.sbin/relayd/relay.c | |
parent | 008c5403bf676c8c15de14562f346b2408425e99 (diff) |
disable SSLv2 and use "HIGH" crypto cipher suites by default.
suggested by dlg@
Diffstat (limited to 'usr.sbin/relayd/relay.c')
-rw-r--r-- | usr.sbin/relayd/relay.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 6078d36d891..00d82e90b2f 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.3 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.4 2007/02/24 15:48:54 reyk Exp $ */
 /*
 * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -1589,7 +1589,7 @@ relay_ssl_ctx_create(struct relay *rlay)
 {
 struct protocol *proto = rlay->proto;
 SSL_CTX *ctx;
- char certfile[PATH_MAX], hbuf[128];
+ char certfile[PATH_MAX], hbuf[128], *ciphers = NULL;
 ctx = SSL_CTX_new(SSLv23_method());
 if (ctx == NULL)
@@ -1619,12 +1619,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
 /* Change the default SSL cipher suite, if specified */
- if (proto->sslciphers != NULL) {
- log_debug("relay_ssl_ctx_create: ciphers '%s'",
- proto->sslciphers);
- if (!SSL_CTX_set_cipher_list(ctx, proto->sslciphers))
- goto err;
- }
+ if ((ciphers = proto->sslciphers) == NULL)
+ ciphers = SSLCIPHERS_DEFAULT;
+ if (!SSL_CTX_set_cipher_list(ctx, ciphers))
+ goto err;
 if (relay_host(&rlay->ss, hbuf, sizeof(hbuf)) == NULL)
 goto err; |
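Review bot: In the last hunk the `log_debug` of the cipher string is dropped, so neither the effective cipher list nor the one that made `SSL_CTX_set_cipher_list()` fail is recorded anywhere visible; keeping `log_debug("relay_ssl_ctx_create: ciphers '%s'", ciphers);` just before the call would make the active policy auditable. The retained comment `/* Change the default SSL cipher suite, if specified */` no longer matches the now-unconditional call, and it should state that a configured `proto->sslciphers` replaces `SSLCIPHERS_DEFAULT` entirely, so the hardened default applies only when no list is configured. `SSLCIPHERS_DEFAULT` is defined outside this file's diff and the SSLv2 restriction named in the commit message presumably lives in that string, so whether SSLv2 stays off with a custom list depends on protocol options set outside the hunk (only `SSL_OP_NO_TLSv1` is visible here). The `= NULL` initialiser added in the second hunk is redundant, since `ciphers` is assigned before its first use. The body of `relay_ssl_ctx_create` starts and ends outside these hunks.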