ssl: Use more secure options
authorTingPing <redacted>
Wed, 5 Nov 2014 07:17:34 +0000 (02:17 -0500)
committerTingPing <redacted>
Sat, 22 Nov 2014 04:28:09 +0000 (23:28 -0500)
This disables SSLv2 and SSLv3.

src/common/ssl.c

index e257d7d8be894eeafb3c5cd2770c5ca8de0be126..f0097c17531e55b88d6fd8081b656c0741c1cfba 100644 (file)
 #include <glib/gprintf.h>
 #include "util.h"
 
+/* If openssl was built without ec */
+#ifndef SSL_OP_SINGLE_ECDH_USE
+#define SSL_OP_SINGLE_ECDH_USE 0
+#endif
+
 /* globals */
 static struct chiper_info chiper_info;         /* static buffer for _SSL_get_cipher_info() */
 static char err_buf[256];                      /* generic error buffer */
@@ -84,6 +89,11 @@ _SSL_context_init (void (*info_cb_func), int server)
 
        SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
        SSL_CTX_set_timeout (ctx, 300);
+       SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+                                                         |SSL_OP_NO_COMPRESSION
+                                                         |SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
+                                                         |SSL_OP_NO_TICKET
+                                                         |SSL_OP_CIPHER_SERVER_PREFERENCE);
 
        /* used in SSL_connect(), SSL_accept() */
        SSL_CTX_set_info_callback (ctx, info_cb_func);
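Review bot: SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 in the new SSL_CTX_set_options call only have an effect if ctx was created with a version-flexible method (SSLv23_method); the method selection happens earlier in `_SSL_context_init`, outside this hunk, so that should be confirmed, and even then TLS 1.0 and up remain enabled. SSL_OP_NO_COMPRESSION first appears in OpenSSL 1.0.0, so if the build still targets 0.9.8 it needs the same `#ifndef`/`#define … 0` fallback the first hunk gives SSL_OP_SINGLE_ECDH_USE, or the line will fail to compile there. A short comment above the call would record the intent, e.g. `/* Disable SSLv2/SSLv3 and TLS compression, use fresh DH/ECDH keys per handshake; TLS 1.0+ is still allowed */`. SSL_OP_CIPHER_SERVER_PREFERENCE is only meaningful when the function's server argument is nonzero, which is harmless for a client context but worth a word in that comment.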