simotek pushed a commit to branch efl-1.18. http://git.enlightenment.org/core/efl.git/commit/?id=dbcf8102eff8cbd39adb0387ed1f49004ed38558
commit dbcf8102eff8cbd39adb0387ed1f49004ed38558
Author: Simon Lees <sfl...@suse.de>
Date: Mon Oct 17 13:58:32 2016 +1030

ecore_ssl: Use stricter cipher suites

Thanks to Victor Pereira from the SUSE Security team for auditing this and recommending better options. This has been discussed several times but knowone ever got to commiting it.
---
 src/lib/ecore_con/ecore_con_ssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/ecore_con/ecore_con_ssl.c b/src/lib/ecore_con/ecore_con_ssl.c
index c3338b2..68f61ae 100644
--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -1421,10 +1421,10 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *obj,
 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_tmp_dh(svr->ssl_ctx, dh_params));
 DH_free(dh_params);
 INF("DH params successfully generated and applied!");
- SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH"));
+ SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
 }
 else if (!svr->use_cert)
- SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:!ECDH:RSA:AES:!PSK:@STRENGTH"));
+ SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5"));
 svr->ssl_prepared = EINA_TRUE;
 return ECORE_CON_SSL_ERROR_NONE;
--
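Review bot: Both new cipher strings select only `aRSA` suites, yet the second call sits under `else if (!svr->use_cert)`; if that flag means no certificate is loaded (inferred from the name, and the first branch's condition lies outside the hunk), a server on this path has no RSA key to authenticate with and handshakes would likely fail with no shared cipher. Dropping the anonymous `aNULL` suites is the right direction, so it is worth confirming whether these paths should now reject the configuration up front with a clear error instead of failing at handshake time. Separately, `+kRSA` and `+3DES` only move those suites to the end of the list rather than removing them, so 64-bit-block 3DES and non-forward-secret RSA key exchange remain negotiable; consider `!3DES` (and `!kRSA` if client compatibility allows). The identical literal also appears in both branches and could be a single `#define` so the two calls cannot drift apart.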