Set a better default ciphers list if none was specified. master
authorWerner Koch <wk@gnupg.org>
Mon, 30 Jan 2017 16:09:22 +0000 (17:09 +0100)
committerWerner Koch <wk@gnupg.org>
Mon, 30 Jan 2017 16:11:01 +0000 (17:11 +0100)
config.c

index e54b63c..813cff5 100644 (file)
--- a/config.c
+++ b/config.c
@@ -92,6 +92,16 @@ static char *xhttp[] = {
     "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|MKCALENDAR|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT|RPC_IN_DATA|RPC_OUT_DATA) ([^ ]+) HTTP/1.[01]$",
 };
 
+
+#define DEFAULT_CIPHERS_LIST ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:"  \
+                              "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:"  \
+                              "EECDH:EDH+AESGCM:EDH+aRSA:"             \
+                              "+AES128:+3DES:3DES:"                    \
+                              "!aNULL:!eNULL:!LOW:!EXP:"               \
+                              "!MD5:!KRB5:!PSK:!SRP:"                  \
+                              "!DSS:!SEED:!RC4:!CAMELLIA")
+
+
 static int  log_level = 1;
 static int  def_facility = LOG_DAEMON;
 static int  clnt_to = 10;
@@ -935,7 +945,7 @@ parse_HTTPS(void)
     LISTENER            *res;
     SERVICE             *svc;
     MATCHER             *m;
-    int                 has_addr, has_port, has_other;
+    int                 has_addr, has_port, has_other, has_ciphers;
     long                ssl_op_enable, ssl_op_disable;
     struct hostent      *host;
     struct sockaddr_in  in;
@@ -964,7 +974,7 @@ parse_HTTPS(void)
     res->log_level = log_level;
     if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED))
         conf_err("xHTTP bad default pattern - aborted");
-    has_addr = has_port = has_other = 0;
+    has_addr = has_port = has_other = has_ciphers = 0;
     while(conf_fgets(lin, MAXBUF)) {
         if(strlen(lin) > 0 && lin[strlen(lin) - 1] == '\n')
             lin[strlen(lin) - 1] = '\0';
@@ -1189,6 +1199,7 @@ parse_HTTPS(void)
             lin[matches[1].rm_eo] = '\0';
             for(pc = res->ctx; pc; pc = pc->next)
                 SSL_CTX_set_cipher_list(pc->ctx, lin + matches[1].rm_so);
+            has_ciphers = 1;
         } else if(!regexec(&CAlist, lin, 4, matches, 0)) {
             STACK_OF(X509_NAME) *cert_names;
 
@@ -1263,6 +1274,8 @@ parse_HTTPS(void)
                 SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
                 SSL_CTX_set_options(pc->ctx, ssl_op_enable);
                 SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
+                if (!has_ciphers)
+                    SSL_CTX_set_cipher_list(pc->ctx, DEFAULT_CIPHERS_LIST);
                 sprintf(lin, "%d-Pound-%ld", getpid(), random());
                 SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin));
                 SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback);