From 93ee9e30d830ed1fc5f0de9bf084db204154a69e Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 13 Dec 2014 01:37:57 +0900
Subject: [PATCH] nghttp, h2load: Use recommended ciphers and assign sane SSL_CTX options

---
 src/Makefile.am | 3 ++-
 src/h2load.cc | 14 ++++++++++++++
 src/nghttp.cc | 7 +++++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 3740c107..e8a324cb 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -73,7 +73,8 @@ HTML_PARSER_OBJECTS += HtmlParser.cc
 endif # HAVE_LIBXML2
 nghttp_SOURCES = ${HELPER_OBJECTS} ${HELPER_HFILES} nghttp.cc \
- ${HTML_PARSER_OBJECTS} ${HTML_PARSER_HFILES}
+ ${HTML_PARSER_OBJECTS} ${HTML_PARSER_HFILES} \
+ ssl.cc ssl.h
 nghttpd_SOURCES = ${HELPER_OBJECTS} ${HELPER_HFILES} nghttpd.cc \
 ssl.cc ssl.h \
diff --git a/src/h2load.cc b/src/h2load.cc
index 0ce448bc..24656e0f 100644
--- a/src/h2load.cc
+++ b/src/h2load.cc
@@ -904,6 +904,20 @@ int main(int argc, char **argv) {
 << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
 exit(EXIT_FAILURE);
 }
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+ SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
+ SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+
+ if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
+ std::cerr << "SSL_CTX_set_cipher_list failed: " << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+ exit(EXIT_FAILURE);
+ }
+
 SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb, nullptr);
diff --git a/src/nghttp.cc b/src/nghttp.cc
index 610776a1..a7184f8b 100644
--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@@ -75,6 +75,7 @@
 #include "base64.h"
 #include "http2.h"
 #include "nghttp2_gzip.h"
+#include "ssl.h"
 #ifndef O_BINARY
 #define O_BINARY (0)
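Review bot: The option mask handed to SSL_CTX_set_options in the h2load hunk still admits TLS 1.0 and 1.1, and SSL_OP_ALL in the OpenSSL releases of this era also carries SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (which switches off the 1/n-1 record split that mitigates BEAST-style attacks on TLS 1.0 CBC suites) and, depending on the version, SSL_OP_LEGACY_SERVER_CONNECT (which permits connecting to servers without RFC 5746 secure renegotiation) — confirm the exact composition against the OpenSSL the project targets. If h2load only ever exercises HTTP/2 endpoints, which the specification restricts to TLS 1.2 or later, the simplest hardening is to extend the mask with `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1`; otherwise masking the workaround out with `SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` keeps older protocols testable without losing the CBC countermeasure. Whether the "recommended ciphers" claim in the subject holds depends on ssl::DEFAULT_CIPHER_LIST, which is defined in ssl.h outside this patch, so a one-line comment at the call site such as `// Restrict to the cipher suites recommended for HTTP/2; the list lives in ssl.h` would tell readers where to look. The two consecutive SSL_CTX_set_mode calls OR into the same mask and could be collapsed to `SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY | SSL_MODE_RELEASE_BUFFERS);`. The enclosing main() starts before and continues after this hunk.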
@@ -1855,6 +1856,12 @@ int communicate(
 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+ if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
+ std::cerr << "[ERROR] " << ERR_error_string(ERR_get_error(), nullptr)
+ << std::endl;
+ result = -1;
+ goto fin;
+ }
 if (!config.keyfile.empty()) {
 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, config.keyfile.c_str(), SSL_FILETYPE_PEM) != 1) {
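Review bot: The new error path in communicate() prints only `[ERROR] ` followed by the OpenSSL error string, so a user cannot tell which call failed, whereas the matching check added to h2load names the call; change the line to `std::cerr << "[ERROR] SSL_CTX_set_cipher_list: " << ERR_error_string(ERR_get_error(), nullptr)` for consistency between the two tools. `goto fin` relies on the cleanup at the `fin` label to release ssl_ctx, which has already been created at this point; that label and whatever SSL_CTX_free it performs lie outside the hunk, so verify the context is not leaked on this new path. A fixed message naming the call also covers the case where ERR_get_error() returns 0 because no error was queued, which would otherwise leave only a generic zero-code string in the output. The enclosing communicate() begins before and continues after this hunk.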