* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
- SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
+ SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE
+#ifdef SSL_OP_SINGLE_DH_USE
+ | SSL_OP_SINGLE_DH_USE
+#endif
+ );
+ SSL_CTX_set_session_id_context(ssl_server_ctx,
+ (const unsigned char *)"libratbox", 9);
+ SSL_CTX_set_cipher_list(ssl_server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL");
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
and bastardise their OpenSSL for stupid reasons... */
#if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1)
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
and bastardise their OpenSSL for stupid reasons... */
#if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1)
- SSL_CTX_set_tmp_ecdh(ssl_server_ctx, EC_KEY_new_by_curve_name(NID_secp384r1));
+ EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (key) {
+ SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
+ EC_KEY_free(key);
+ }
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE);
+#endif
- rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
+ rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
SSLeay_version(SSLEAY_VERSION),
(long)OPENSSL_VERSION_NUMBER, SSLeay());
}
SSLeay_version(SSLEAY_VERSION),
(long)OPENSSL_VERSION_NUMBER, SSLeay());
}
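Review bot: The return value of `SSL_CTX_set_cipher_list(ssl_server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL")`, added right after the `SSL_CTX_set_session_id_context` call, is not checked; OpenSSL returns 0 when no cipher in the string can be selected, and in that case the context silently keeps whatever list it had before, so the intended cipher policy is not actually enforced. A minimal guard is `if (SSL_CTX_set_cipher_list(ssl_server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL") != 1) { /* report the failure through this function's existing error path */ }`. The same silent-failure pattern appears in the ECDHE block: when `EC_KEY_new_by_curve_name(NID_secp384r1)` returns NULL the `if (key)` branch is simply skipped, and the result of `SSL_CTX_set_tmp_ecdh` is also ignored, so a server can end up without ECDHE (falling through to the `EDH+HIGH`/`HIGH` entries) with no log line telling the operator; an `else` that reports the missing curve would make that visible. The enclosing function for both of these blocks begins outside the visible part of the section, so the exact error-reporting convention to reuse cannot be confirmed from here.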