author | Felix Fietkau <nbd@openwrt.org> | 2016-01-19 23:30:38 +0100 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2016-01-19 23:30:38 +0100 |
commit | 6d8d23739b9015782e6caf3093059639f3beb341 (patch) | |
tree | 7c916e5f0bc76a58b56d2dd2dc8e1eee35c6b7a1 | |
parent | 0c4f5c2493a4a9bbff28efd9661a967fe95e7495 (diff) | |
download | ustream-ssl-6d8d23739b9015782e6caf3093059639f3beb341.tar.gz |
polarssl: enable DHE in default client ciphersuite
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
-rw-r--r-- | ustream-polarssl.c | 65 |
1 files changed, 30 insertions, 35 deletions
diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index 7135d3c..57b3714 100644
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -249,42 +249,36 @@ __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len)
 return ret;
 }
 
+#define TLS_DEFAULT_CIPHERS \
+ TLS_CIPHER(AES_256_CBC_SHA256) \
+ TLS_CIPHER(AES_256_GCM_SHA384) \
+ TLS_CIPHER(AES_256_CBC_SHA) \
+ TLS_CIPHER(CAMELLIA_256_CBC_SHA256) \
+ TLS_CIPHER(CAMELLIA_256_CBC_SHA) \
+ TLS_CIPHER(AES_128_CBC_SHA256) \
+ TLS_CIPHER(AES_128_GCM_SHA256) \
+ TLS_CIPHER(AES_128_CBC_SHA) \
+ TLS_CIPHER(CAMELLIA_128_CBC_SHA256) \
+ TLS_CIPHER(CAMELLIA_128_CBC_SHA) \
+ TLS_CIPHER(3DES_EDE_CBC_SHA)
+
+static const int default_ciphersuites_nodhe[] =
+{
+#define TLS_CIPHER(v) \
+ TLS_RSA_WITH_##v,
+ TLS_DEFAULT_CIPHERS
+#undef TLS_CIPHER
+ 0
+};
+
 static const int default_ciphersuites[] =
 {
-#if defined(POLARSSL_AES_C)
-#if defined(POLARSSL_SHA2_C)
- TLS_RSA_WITH_AES_256_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
- TLS_RSA_WITH_AES_256_GCM_SHA384,
-#endif /* POLARSSL_SHA2_C */
- TLS_RSA_WITH_AES_256_CBC_SHA,
-#endif
-#if defined(POLARSSL_CAMELLIA_C)
-#if defined(POLARSSL_SHA2_C)
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
-#endif
-#if defined(POLARSSL_AES_C)
-#if defined(POLARSSL_SHA2_C)
- TLS_RSA_WITH_AES_128_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
- TLS_RSA_WITH_AES_128_GCM_SHA256,
-#endif /* POLARSSL_SHA2_C */
- TLS_RSA_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(POLARSSL_CAMELLIA_C)
-#if defined(POLARSSL_SHA2_C)
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
-#endif
-#if defined(POLARSSL_DES_C)
- TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-#endif
- 0
+#define TLS_CIPHER(v) \
+ TLS_DHE_RSA_WITH_##v, \
+ TLS_RSA_WITH_##v,
+ TLS_DEFAULT_CIPHERS
+#undef TLS_CIPHER
+ 0
 };
 
 __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
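Review bot: `TLS_DEFAULT_CIPHERS` now feeds both tables without the `#if defined(POLARSSL_*_C)` guards the old list carried, so every entry is listed regardless of which cipher modules the library was built with; how the library treats suite IDs it was not built for is not visible here and should be confirmed, or the guards restored per entry. The shared list also keeps `TLS_CIPHER(3DES_EDE_CBC_SHA)`, which the client table now expands into a `TLS_DHE_RSA_WITH_` variant as well. `AES_256_CBC_SHA256` is listed ahead of `AES_256_GCM_SHA384` (and likewise at 128 bits), so if list order is preference order, as is usual, CBC outranks the AEAD suite at each key size. I would move the two GCM entries to the front of their key-size group and add a comment above the macro such as `/* order = preference; each entry expands to TLS_[DHE_]RSA_WITH_<v> */`.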
@@ -310,16 +304,17 @@ __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx) auth = SSL_VERIFY_OPTIONAL; } - ssl_set_ciphersuites(ssl, default_ciphersuites); ssl_set_endpoint(ssl, ep); ssl_set_authmode(ssl, auth); ssl_set_rng(ssl, _urandom, NULL); if (ctx->server) { + ssl_set_ciphersuites(ssl, default_ciphersuites_nodhe); if (ctx->cert.next) ssl_set_ca_chain(ssl, ctx->cert.next, NULL, NULL); ssl_set_own_cert(ssl, &ctx->cert, &ctx->key); } else { + ssl_set_ciphersuites(ssl, default_ciphersuites); ssl_set_ca_chain(ssl, &ctx->ca_cert, NULL, NULL); } |
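Review bot: The server branch is pinned to `default_ciphersuites_nodhe`, so server sessions are limited to static-RSA key exchange and get no forward secrecy, and nothing at the call site records why. A one-line comment above that call would capture the reason, e.g. `/* server: DHE left out - <reason, e.g. no DH parameters configured> */`. On the client branch, enabling DHE means the peer picks the group; the hunk shows no lower bound on the prime size, so it is worth confirming that the library rejects undersized groups. `__ustream_ssl_session_new` begins before and continues past this hunk, so any later per-session setup is not visible here.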