[glib-openssl: 5/7] Go back to a less restrictive cipher list



commit f7d5f0bb57794645eba32e264a88b6f0f93129c8
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date:   Tue Oct 24 16:27:09 2017 +0200

    Go back to a less restrictive cipher list
    
    But allow to set the cipher list that one needs by setting the
    env var G_TLS_OPENSSL_CIPHER_LIST.
    
    This will help users set the required cipher list without
    having to recompile the module.

 tls/openssl/gtlsclientconnection-openssl.c |   19 +++++++++++++-
 tls/openssl/gtlsserverconnection-openssl.c |   39 ++++++++++++---------------
 2 files changed, 35 insertions(+), 23 deletions(-)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 9a60400..89c6f24 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -41,6 +41,8 @@
 #include "gtlscertificate-openssl.h"
 #include <glib/gi18n-lib.h>
 
+#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
+
 typedef struct _GTlsClientConnectionOpensslPrivate
 {
   GTlsCertificateFlags validation_flags;
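Review bot: `#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"` is introduced here without a comment, and the identical define is added again in tls/openssl/gtlsserverconnection-openssl.c in this same commit, so the two defaults can drift apart silently the next time one is tuned. Hoisting the string into a private header both files include would leave a single definition. Whichever home it gets, document that it is only the fallback: `/* Default OpenSSL cipher list; the G_TLS_OPENSSL_CIPHER_LIST environment variable overrides it, see set_cipher_list(). */`.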
@@ -414,6 +416,21 @@ generate_session_id (const SSL     *ssl,
   return 1;
 }
 
+static void
+set_cipher_list (GTlsClientConnectionOpenssl *client)
+{
+  GTlsClientConnectionOpensslPrivate *priv;
+  const gchar *cipher_list;
+
+  priv = g_tls_client_connection_openssl_get_instance_private (client);
+
+  cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
+  if (cipher_list == NULL)
+    cipher_list = DEFAULT_CIPHER_LIST;
+
+  SSL_CTX_set_cipher_list (priv->ssl_ctx, cipher_list);
+}
+
 static gboolean
 g_tls_client_connection_openssl_initable_init (GInitable       *initable,
                                                GCancellable    *cancellable,
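Review bot: The return value of `SSL_CTX_set_cipher_list` on the last line of set_cipher_list is ignored, so a G_TLS_OPENSSL_CIPHER_LIST value that selects no usable cipher (a typo, or suites the linked OpenSSL does not provide) leaves priv->ssl_ctx with whatever list it had before and nobody is told. SSL_CTX_set_cipher_list returns 0 when no cipher could be selected, so the failure is cheap to surface: `if (!SSL_CTX_set_cipher_list (priv->ssl_ctx, cipher_list))` followed by `g_warning ("Could not set cipher list \"%s\"", cipher_list);`. Better still, when the environment value is rejected, fall back to DEFAULT_CIPHER_LIST so a misconfiguration degrades to the intended default rather than to OpenSSL's built-in list. The same unchecked call appears in the server's set_cipher_list in tls/openssl/gtlsserverconnection-openssl.c.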
@@ -466,7 +483,7 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
 
   SSL_CTX_set_client_cert_cb (priv->ssl_ctx, retrieve_certificate);
 
-  SSL_CTX_set_cipher_list (priv->ssl_ctx, "HIGH:!DSS:!aNULL@STRENGTH");
+  set_cipher_list (client);
 
   priv->ssl = SSL_new (priv->ssl_ctx);
   if (priv->ssl == NULL)
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index 9551b9e..1ef4349 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -45,26 +45,7 @@ enum
   PROP_AUTHENTICATION_MODE
 };
 
-static const gchar DEFAULT_CIPHER_LIST[] =
-  "ECDHE-ECDSA-AES128-GCM-SHA256:"
-  "ECDHE-ECDSA-AES128-SHA:"
-  "ECDHE-ECDSA-AES128-SHA256:"
-  "ECDHE-ECDSA-AES256-GCM-SHA384:"
-  "ECDHE-RSA-AES128-GCM-SHA256:"
-  "ECDHE-RSA-AES128-SHA:"
-  "ECDHE-RSA-AES128-SHA256:"
-  "ECDHE-ECDSA-AES256-SHA:"
-  "ECDHE-ECDSA-AES256-SHA384:"
-  "ECDHE-RSA-AES256-GCM-SHA384:"
-  "ECDHE-RSA-AES256-SHA:"
-  "ECDHE-RSA-AES256-SHA384:"
-  "AES128-GCM-SHA256:"
-  "AES128-SHA256:"
-  "AES128-SHA:"
-  "AES256-GCM-SHA384:"
-  "AES256-SHA256:"
-  "AES256-SHA"
-;
+#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
 
 static void g_tls_server_connection_openssl_initable_interface_init (GInitableIface  *iface);
 
@@ -240,6 +221,21 @@ ssl_info_callback (const SSL *ssl,
     }
 }
 
+static void
+set_cipher_list (GTlsServerConnectionOpenssl *server)
+{
+  GTlsServerConnectionOpensslPrivate *priv;
+  const gchar *cipher_list;
+
+  priv = g_tls_server_connection_openssl_get_instance_private (server);
+
+  cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
+  if (cipher_list == NULL)
+    cipher_list = DEFAULT_CIPHER_LIST;
+
+  SSL_CTX_set_cipher_list (priv->ssl_ctx, cipher_list);
+}
+
 static gboolean
 g_tls_server_connection_openssl_initable_init (GInitable       *initable,
                                                GCancellable    *cancellable,
@@ -325,8 +321,7 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
 
   SSL_CTX_add_session (priv->ssl_ctx, priv->session);
 
-  SSL_CTX_set_cipher_list (priv->ssl_ctx, DEFAULT_CIPHER_LIST);
-
+  set_cipher_list (server);
   SSL_CTX_set_info_callback (priv->ssl_ctx, ssl_info_callback);
 
   priv->ssl = SSL_new (priv->ssl_ctx);
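Review bot: The blank line that separated the cipher-list call from `SSL_CTX_set_info_callback` is dropped together with the old call, so `set_cipher_list (server);` now sits flush against unrelated callback setup while the neighbouring calls in this function (`SSL_CTX_add_session` above, `SSL_new` below) keep a blank line between them, as does the equivalent hunk in the client file. Restore the blank line after `set_cipher_list (server);`. g_tls_server_connection_openssl_initable_init starts and ends outside the hunk.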

