nghttp, h2load: Use recommended ciphers and assign sane SSL_CTX options

2014-12-13 01:37:57 +09:00 · 2014-12-13 01:37:57 +09:00 · 93ee9e30d8
parent a84c319d62
commit 93ee9e30d8
3 changed files with 23 additions and 1 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -73,7 +73,8 @@ HTML_PARSER_OBJECTS += HtmlParser.cc
 endif # HAVE_LIBXML2

 nghttp_SOURCES = ${HELPER_OBJECTS} ${HELPER_HFILES} nghttp.cc \
-	${HTML_PARSER_OBJECTS} ${HTML_PARSER_HFILES}
+	${HTML_PARSER_OBJECTS} ${HTML_PARSER_HFILES} \
+	ssl.cc ssl.h

 nghttpd_SOURCES = ${HELPER_OBJECTS} ${HELPER_HFILES} nghttpd.cc \
 	ssl.cc ssl.h \
--- a/src/h2load.cc
+++ b/src/h2load.cc
@ -904,6 +904,20 @@ int main(int argc, char **argv) {
              << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
    exit(EXIT_FAILURE);
  }
+
+  SSL_CTX_set_options(ssl_ctx,
+                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+                          SSL_OP_NO_COMPRESSION |
+                          SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
+  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+
+  if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
+    std::cerr << "SSL_CTX_set_cipher_list failed: "
+              << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+    exit(EXIT_FAILURE);
+  }
+
  SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb,
                                   nullptr);

--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@ -75,6 +75,7 @@
 #include "base64.h"
 #include "http2.h"
 #include "nghttp2_gzip.h"
+#include "ssl.h"

 #ifndef O_BINARY
 #define O_BINARY (0)
@ -1855,6 +1856,12 @@ int communicate(
                            SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+    if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
+      std::cerr << "[ERROR] " << ERR_error_string(ERR_get_error(), nullptr)
+                << std::endl;
+      result = -1;
+      goto fin;
+    }
    if (!config.keyfile.empty()) {
      if (SSL_CTX_use_PrivateKey_file(ssl_ctx, config.keyfile.c_str(),
                                      SSL_FILETYPE_PEM) != 1) {