From dea580a9986dc2431d84eb0bc9d0d21ad14781cf Mon Sep 17 00:00:00 2001
From: Reyk Floeter
Date: Sat, 24 Feb 2007 15:48:55 +0000
Subject: disable SSLv2 and use "HIGH" crypto cipher suites by default.
suggested by dlg@
---
 usr.sbin/relayd/relay.c       | 14 ++++++--------
 usr.sbin/relayd/relayd.conf.5 | 18 +++++++++++-------
 usr.sbin/relayd/relayd.h      |  6 ++++--
 3 files changed, 21 insertions(+), 17 deletions(-)
(limited to 'usr.sbin/relayd')

diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 6078d36d891..00d82e90b2f 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.3 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.4 2007/02/24 15:48:54 reyk Exp $ */
 
 /*
  * Copyright (c) 2006, 2007 Reyk Floeter
@@ -1589,7 +1589,7 @@ relay_ssl_ctx_create(struct relay *rlay)
 {
 	struct protocol *proto = rlay->proto;
 	SSL_CTX *ctx;
-	char certfile[PATH_MAX], hbuf[128];
+	char certfile[PATH_MAX], hbuf[128], *ciphers = NULL;
 
 	ctx = SSL_CTX_new(SSLv23_method());
 	if (ctx == NULL)
@@ -1619,12 +1619,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 		SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
 
 	/* Change the default SSL cipher suite, if specified */
-	if (proto->sslciphers != NULL) {
-		log_debug("relay_ssl_ctx_create: ciphers '%s'",
-		    proto->sslciphers);
-		if (!SSL_CTX_set_cipher_list(ctx, proto->sslciphers))
-			goto err;
-	}
+	if ((ciphers = proto->sslciphers) == NULL)
+		ciphers = SSLCIPHERS_DEFAULT;
+	if (!SSL_CTX_set_cipher_list(ctx, ciphers))
+		goto err;
 
 	if (relay_host(&rlay->ss, hbuf, sizeof(hbuf)) == NULL)
 		goto err;
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 4741ad1ed17..67dc4cbb859 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.24 2007/02/24 00:22:32 reyk Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.25 2007/02/24 15:48:54 reyk Exp $
 .\"
 .\" Copyright (c) 2006 Pierre-Yves Ritschard
 .\"
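Review bot: In the relay_ssl_ctx_create hunks, `ciphers` is declared `char *` but is assigned the string literal SSLCIPHERS_DEFAULT, so any later write through it would be undefined behaviour and `-Wwrite-strings` will warn; since SSL_CTX_set_cipher_list only reads the string, declaring it on its own line as `const char *ciphers;` (and dropping the `= NULL` that the first assignment immediately overwrites) is the safer shape. The rewrite also removes the `log_debug` of the configured cipher string, which was the one place an operator could confirm which list is actually in effect; keeping `log_debug("relay_ssl_ctx_create: ciphers '%s'", ciphers);` after the default is chosen preserves that and now covers the default case as well. Whether `proto->sslciphers` has a type compatible with a `const char *` declaration is not visible in this hunk. relay_ssl_ctx_create begins before the second hunk and continues past the third.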
@@ -517,8 +517,9 @@ Valid options are:
 .Bl -tag -width Ds
 .It Ic ciphers Ar string
 Set the string defining the SSL cipher suite.
-If not specified, the default suite defined by the SSL library will be
-used.
+If not specified, the default value
+.Ar HIGH
+to force strong crypto cipher suites will be used.
 See the
 .Sx CIPHERS
 section of
@@ -536,17 +537,20 @@ will disable the SSL session cache.
 .Op Ic no
 .Ic sslv2
 .Xc
-Enable the SSLv2 protocol.
+Enable the SSLv2 protocol,
+disabled by default.
 .It Xo
 .Op Ic no
 .Ic sslv3
 .Xc
-Enable the SSLv3 protocol.
+Disable the SSLv3 protocol,
+enabled by default.
 .It Xo
 .Op Ic no
 .Ic tlsv1
 .Xc
-Enable the TLSv1/SSLv3.1 protocol.
+Disable the TLSv1/SSLv3.1 protocol,
+enabled by default.
 .El
 .El
 .Pp
@@ -647,7 +651,7 @@ protocol http_ssl {
 	change "Keep-Alive" to "$TIMEOUT"
 	url hash "sessid"
-	ssl { no sslv2, ciphers "HIGH" }
+	ssl { sslv2, ciphers "MEDIUM:HIGH" }
 }
 
 relay sslaccel {
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 1cbf33b45d7..205a1af9027 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.28 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relayd.h,v 1.29 2007/02/24 15:48:54 reyk Exp $ */
 
 /*
  * Copyright (c) 2006, 2007 Pierre-Yves Ritschard
@@ -396,7 +396,9 @@ enum prototype {
 #define SSLFLAG_SSLV3	0x02
 #define SSLFLAG_TLSV1	0x04
 #define SSLFLAG_VERSION	0x07
-#define SSLFLAG_DEFAULT	(SSLFLAG_SSLV2|SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+#define SSLFLAG_DEFAULT	(SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+
+#define SSLCIPHERS_DEFAULT	"HIGH"
 
 struct protocol {
 	objid_t			 id;
-- 
cgit v1.2.3
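Review bot: `SSLCIPHERS_DEFAULT "HIGH"` in the relayd.h hunk selects suites by key strength only; in the OpenSSL cipher-string grammar `HIGH` does not by itself exclude anonymous key exchange (the `aNULL` group), so depending on the linked library the new default can admit suites that perform no server authentication even though the context loads a certificate. Spelling the exclusion out, `#define SSLCIPHERS_DEFAULT "HIGH:!aNULL"`, keeps the strong-crypto promise the manual page now makes, and a one-line comment on the define naming relayd.conf.5 as where the value is documented would keep the two from drifting. Whether dropping SSLFLAG_SSLV2 from SSLFLAG_DEFAULT actually results in SSL_OP_NO_SSLv2 being set on the context depends on code outside this hunk. The configuration example in relayd.conf.5 within this same commit now reads `ssl { sslv2, ciphers "MEDIUM:HIGH" }`, i.e. it demonstrates re-enabling exactly what the new defaults turn off; a sentence saying it is a deliberate relaxation would stop readers copying it as the recommended setting.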