[glib-openssl] Only TLSv1.2 or higher
- From: Paolo Borelli <pborelli src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-openssl] Only TLSv1.2 or higher
- Date: Thu, 5 Oct 2017 08:58:33 +0000 (UTC)
commit bdcd263d172db05d0c31de6c8ed2f8d6fab207c3
Author: Paolo Borelli <pborelli gnome org>
Date: Tue Oct 3 17:56:02 2017 +0200
Only TLSv1.2 or higher
Also tweak the ciphers list according to recomendations and
enforce server order. This makes the testssl.sh tool happier.
tls/openssl/gtlsserverconnection-openssl.c | 31 +++++++++++++++------------
1 files changed, 17 insertions(+), 14 deletions(-)
---
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index cd98128..faafd3e 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -46,25 +46,25 @@ enum
};
static const gchar DEFAULT_CIPHER_LIST[] =
- "ECDHE-RSA-AES128-SHA:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES128-SHA:"
+ "ECDHE-ECDSA-AES128-SHA256:"
+ "ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES128-SHA:"
"ECDHE-RSA-AES128-SHA256:"
+ "ECDHE-ECDSA-AES256-SHA:"
+ "ECDHE-ECDSA-AES256-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-SHA:"
"ECDHE-RSA-AES256-SHA384:"
- "AES128-SHA:"
"AES128-GCM-SHA256:"
- "AES256-GCM-SHA384:"
"AES128-SHA256:"
- "AES256-SHA:"
+ "AES128-SHA:"
+ "AES256-GCM-SHA384:"
"AES256-SHA256:"
- "DHE-RSA-AES128-SHA:"
- "DHE-RSA-AES128-GCM-SHA256:"
- "DHE-RSA-AES256-GCM-SHA384:"
- "DHE-RSA-AES128-SHA256:"
- "DHE-RSA-AES256-SHA:"
- "DHE-RSA-AES256-SHA256:"
- "DES-CBC3-SHA";
+ "AES256-SHA"
+;
static void g_tls_server_connection_openssl_initable_interface_init (GInitableIface *iface);
@@ -251,11 +251,14 @@ g_tls_server_connection_openssl_initable_init (GInitable *initable,
return FALSE;
}
+ /* Only TLS 1.2 or higher */
options = SSL_OP_NO_TICKET |
+ SSL_OP_CIPHER_SERVER_PREFERENCE |
SSL_OP_NO_SSLv2 |
- SSL_OP_NO_SSLv3;
+ SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1 |
+ SSL_OP_NO_TLSv1_1;
- /* Only TLS 1.0 or higher */
SSL_CTX_set_options (priv->ssl_ctx, options);
cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable));
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]