From 362ef2d9eecf3d4bcf93ed0d486e2e5d0352e9f4 Mon Sep 17 00:00:00 2001 From: Jilles Tjoelker Date: Wed, 15 Jan 2014 22:25:26 +0100 Subject: [PATCH] openssl: Improve security using options recommanded by Argure. Note that these are not available in old versions of OpenSSL (like FreeBSD 9.x base OpenSSL), so allow them to be missing. A side effect may be slightly higher CPU consumption and network traffic. --- libratbox/src/openssl.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libratbox/src/openssl.c b/libratbox/src/openssl.c index c1992f23..a94c0935 100644 --- a/libratbox/src/openssl.c +++ b/libratbox/src/openssl.c @@ -312,7 +312,14 @@ rb_init_ssl(void) ret = 0; } /* Disable SSLv2, make the client use our settings */ - SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE); + SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE +#ifdef SSL_OP_NO_COMPRESSION + | SSL_OP_NO_COMPRESSION +#endif +#ifdef SSL_OP_SINGLE_DH_USE + | SSL_OP_SINGLE_DH_USE +#endif + ); SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb); SSL_CTX_set_session_id_context(ssl_server_ctx, (const unsigned char *)"libratbox", 9); @@ -322,6 +329,9 @@ rb_init_ssl(void) and bastardise their OpenSSL for stupid reasons... */ #if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1) SSL_CTX_set_tmp_ecdh(ssl_server_ctx, EC_KEY_new_by_curve_name(NID_secp384r1)); +#ifdef SSL_OP_SINGLE_ECDH_USE + SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE); +#endif #endif ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());