*/
#undef EXPERIMENTAL
-/* Default SSL/TLS cipherlist.
+/* Default SSL/TLS cipherlist (except for TLS1.3, see further down).
* This can be changed via set::ssl::options::ciphers in the config file.
*/
#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-128-GCM-SHA256 TLS13-AES-256-GCM-SHA384 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA"
+/* Default TLS 1.3 ciphersuites.
+ * This can be changed via set::ssl::options::ciphersuites in the config file.
+ */
+#define UNREALIRCD_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256"
+
/* Default SSL/TLS curves for ECDH(E)
* This can be changed via set::ssl::options::ecdh-curve in the config file.
* NOTE: This requires openssl 1.0.2 or newer, otherwise these defaults
snprintf(tmp, sizeof(tmp), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
i->ssl_options->trusted_ca_file = strdup(tmp);
i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
+ i->ssl_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES);
i->ssl_options->protocols = SSL_PROTOCOL_ALL;
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
i->ssl_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES);
{
CheckNull(cepp);
}
+ else if (!strcmp(cepp->ce_varname, "ciphersuites"))
+ {
+ CheckNull(cepp);
+ }
else if (!strcmp(cepp->ce_varname, "ecdh-curves"))
{
CheckNull(cepp);
safefree(ssloptions->dh_file);
safefree(ssloptions->trusted_ca_file);
safefree(ssloptions->ciphers);
+ safefree(ssloptions->ciphersuites);
memset(ssloptions, 0, sizeof(SSLOptions));
MyFree(ssloptions);
}
safestrdup(ssloptions->trusted_ca_file, tempiConf.ssl_options->trusted_ca_file);
ssloptions->protocols = tempiConf.ssl_options->protocols;
safestrdup(ssloptions->ciphers, tempiConf.ssl_options->ciphers);
+ safestrdup(ssloptions->ciphersuites, tempiConf.ssl_options->ciphersuites);
safestrdup(ssloptions->ecdh_curves, tempiConf.ssl_options->ecdh_curves);
ssloptions->options = tempiConf.ssl_options->options;
ssloptions->renegotiate_bytes = tempiConf.ssl_options->renegotiate_bytes;
if (!strcmp(cepp->ce_varname, "ciphers") || !strcmp(cepp->ce_varname, "server-cipher-list"))
{
safestrdup(ssloptions->ciphers, cepp->ce_vardata);
- } else
- if (!strcmp(cepp->ce_varname, "ecdh-curves"))
+ }
+ else if (!strcmp(cepp->ce_varname, "ciphersuites"))
+ {
+ safestrdup(ssloptions->ciphersuites, cepp->ce_vardata);
+ }
+ else if (!strcmp(cepp->ce_varname, "ecdh-curves"))
{
safestrdup(ssloptions->ecdh_curves, cepp->ce_vardata);
}
goto fail;
}
+#ifdef SSL_OP_NO_TLSv1_3
+ if (SSL_CTX_set_ciphersuites(ctx, ssloptions->ciphersuites) == 0)
+ {
+ config_warn("Failed to set SSL ciphersuites list");
+ config_report_ssl_error();
+ goto fail;
+ }
+#endif
+
if (!cipher_check(ctx, &errstr))
{
config_warn("There is a problem with your SSL/TLS 'ciphers' configuration setting: %s", errstr);