nghttpd: Use cipher suites recommended by Mozilla

This commit is contained in:
Tatsuhiro Tsujikawa 2014-06-28 15:28:19 +09:00
parent d318e6a62e
commit a3334bb21c
4 changed files with 12 additions and 8 deletions

View File

@ -58,6 +58,7 @@ extern "C" {
#include "app_helper.h"
#include "http2.h"
#include "util.h"
#include "ssl.h"
#ifndef O_BINARY
# define O_BINARY (0)
@ -1664,7 +1665,7 @@ int HttpServer::run()
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_cipher_list(ssl_ctx, "HIGH:!aNULL:!MD5");
SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST);
const unsigned char sid_ctx[] = "nghttpd";

View File

@ -51,6 +51,7 @@
#include "shrpx_accesslog.h"
#include "shrpx_worker.h"
#include "util.h"
#include "ssl.h"
using namespace nghttp2;
@ -58,12 +59,6 @@ namespace shrpx {
namespace ssl {
// Recommended general purpose "Non-Backward Compatible" cipher by
// mozilla.
//
// https://wiki.mozilla.org/Security/Server_Side_TLS
#define DEFAULT_CIPHER_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
namespace {
int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
void *arg)
@ -250,7 +245,7 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
if(get_config()->ciphers) {
ciphers = get_config()->ciphers.get();
} else {
ciphers = DEFAULT_CIPHER_LIST;
ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
}
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

View File

@ -35,6 +35,12 @@ namespace nghttp2 {
namespace ssl {
// Recommended general purpose "Non-Backward Compatible" cipher by
// mozilla.
//
// https://wiki.mozilla.org/Security/Server_Side_TLS
const char* const DEFAULT_CIPHER_LIST = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
namespace {
std::vector<std::mutex> ssl_global_locks;
} // namespace

View File

@ -38,6 +38,8 @@ public:
LibsslGlobalLock& operator=(const LibsslGlobalLock&) = delete;
};
extern const char* const DEFAULT_CIPHER_LIST;
} // namespace ssl
} // namespace nghttp2