simotek pushed a commit to branch master. http://git.enlightenment.org/core/efl.git/commit/?id=356a1aa87a04a8d1c43e01fa861270d0947069c0
commit 356a1aa87a04a8d1c43e01fa861270d0947069c0
Author: Simon Lees <sfl...@suse.de>
Date: Mon Oct 17 13:58:32 2016 +1030
ecore_ssl: Use stricter cipher suites
Thanks to Victor Pereira from the SUSE Security team for auditing this and recommending better options. This has been discussed several times but knowone ever got to commiting it.
---
 src/lib/ecore_con/ecore_con_ssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/ecore_con/ecore_con_ssl.c b/src/lib/ecore_con/ecore_con_ssl.c
index 7297474..b6e2c98 100644
--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -1421,10 +1421,10 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *obj,
 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_tmp_dh(svr->ssl_ctx, dh_params));
 DH_free(dh_params);
 INF("DH params successfully generated and applied!");
- SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH"));
+ SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
 } else if (!svr->use_cert)
- SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:!ECDH:RSA:AES:!PSK:@STRENGTH"));
+ SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
 svr->ssl_prepared = EINA_TRUE;
 return ECORE_CON_SSL_ERROR_NONE;
--
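Review bot: In the `else if (!svr->use_cert)` branch the new list admits only RSA-authenticated suites (`aRSA+HIGH`), so a server context that really has no certificate loaded would presumably have nothing it can negotiate and would fail at handshake time rather than here; the branch should say so, e.g. `/* anonymous suites removed on purpose: a certificate is now required */`, or return an explicit error. The `+3DES` and `+kRSA` terms only move those suites to the end of the list, they do not remove them, so 3DES and non-forward-secret RSA key exchange stay negotiable on OpenSSL builds whose HIGH class still contains them; `!3DES` would drop the former. The same literal is now repeated in both branches and would be easier to keep in sync as one named constant. The enclosing function starts and ends outside the hunk, so how `use_cert` is set and whether server cipher preference is enforced cannot be checked from here.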