openssl: Improve security using options recommanded by Argure.
Note that these are not available in old versions of OpenSSL (like FreeBSD 9.x base OpenSSL), so allow them to be missing. A side effect may be slightly higher CPU consumption and network traffic.
This commit is contained in:
Jilles Tjoelker
parent
9799bea4a1
commit
362ef2d9ee
|
|
@ -312,7 +312,14 @@ rb_init_ssl(void)
|
|||
ret = 0;
|
||||
}
|
||||
/* Disable SSLv2, make the client use our settings */
|
||||
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE
|
||||
#ifdef SSL_OP_NO_COMPRESSION
|
||||
| SSL_OP_NO_COMPRESSION
|
||||
#endif
|
||||
#ifdef SSL_OP_SINGLE_DH_USE
|
||||
| SSL_OP_SINGLE_DH_USE
|
||||
#endif
|
||||
);
|
||||
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
|
||||
SSL_CTX_set_session_id_context(ssl_server_ctx,
|
||||
(const unsigned char *)"libratbox", 9);
|
||||
|
|
@ -322,6 +329,9 @@ rb_init_ssl(void)
|
|||
and bastardise their OpenSSL for stupid reasons... */
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1)
|
||||
SSL_CTX_set_tmp_ecdh(ssl_server_ctx, EC_KEY_new_by_curve_name(NID_secp384r1));
|
||||
#ifdef SSL_OP_SINGLE_ECDH_USE
|
||||
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
|
||||
|
|
|
|||
Loading…
Reference in a new issue