nghttpx: Set our own default cipher list
parent
59c10ea4c2
commit
8c6f3d1054
|
@ -194,16 +194,22 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
|
|||
SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1);
|
||||
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
|
||||
|
||||
const char *ciphers;
|
||||
if(get_config()->ciphers) {
|
||||
if(SSL_CTX_set_cipher_list(ssl_ctx, get_config()->ciphers) == 0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_cipher_list failed: "
|
||||
ciphers = get_config()->ciphers;
|
||||
// If ciphers are given, honor its order unconditionally
|
||||
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
} else {
|
||||
ciphers = "HIGH:!aNULL:!eNULL";
|
||||
if(get_config()->honor_cipher_order) {
|
||||
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
}
|
||||
}
|
||||
if(SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers << " failed: "
|
||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||
DIE();
|
||||
}
|
||||
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
} else if(get_config()->honor_cipher_order) {
|
||||
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
|
||||
|
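Review bot: The default list `"HIGH:!aNULL:!eNULL"` assigned at L43 is a keyword alias whose members are decided by the linked OpenSSL, so what the server actually offers is fixed by the build rather than by this file; it admits non-forward-secret RSA key exchange, and on OpenSSL builds before 1.1.0 HIGH still included 3DES as far as I recall. A comment on that line, `// Default when --ciphers is not given; HIGH is resolved by the linked OpenSSL, so re-check it on upgrades`, and a sentence in the --ciphers option help naming the default would keep that decision visible. The same literal is repeated in create_ssl_client_context in the next hunk; hoisting it into one file-scope `static const char DEFAULT_CIPHER_LIST[] = "HIGH:!aNULL:!eNULL";` used by both contexts keeps server and client from drifting. create_ssl_context begins and ends outside the hunk.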
@ -337,13 +343,17 @@ SSL_CTX* create_ssl_client_context()
|
|||
create_tls_proto_mask(get_config()->tls_proto_list,
|
||||
get_config()->tls_proto_list_len));
|
||||
|
||||
const char *ciphers;
|
||||
if(get_config()->ciphers) {
|
||||
if(SSL_CTX_set_cipher_list(ssl_ctx, get_config()->ciphers) == 0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_cipher_list failed: "
|
||||
ciphers = get_config()->ciphers;
|
||||
} else {
|
||||
ciphers = "HIGH:!aNULL:!eNULL";
|
||||
}
|
||||
if(SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers << " failed: "
|
||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||
DIE();
|
||||
}
|
||||
}
|
||||
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
|
||||
|
|
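Review bot: The default applied at L122 is a behaviour change for backend connections that the commit message does not spell out: a client context without --ciphers previously used OpenSSL's compiled-in default and is now restricted to HIGH:!aNULL:!eNULL, so a backend that only offers suites outside HIGH would fail the handshake, and the FATAL path here only reports an invalid list string, not that mismatch. The --ciphers documentation should state that the default applies to both frontend and backend connections so operators can trace such a failure to this setting. create_ssl_client_context begins and ends outside the hunk.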