diff options
| author | Eneas U de Queiroz <cotequeiroz@gmail.com> | 2019-08-05 17:07:47 -0300 |
|---|---|---|
| committer | Hauke Mehrtens <hauke@hauke-m.de> | 2019-08-17 15:36:10 +0200 |
| commit | 7e9e269312ac67ce9706120f91739aeff73e2701 (patch) | |
| tree | 6ef22c51565a7eb5ee17ca7c43bbbe4532d09152 | |
| parent | 738e8d2489fc64f782affd1292388c66f6d69e82 (diff) | |
| download | ustream-ssl-7e9e269312ac67ce9706120f91739aeff73e2701.tar.gz | |
wolfssl, openssl: use TLS 1.3, set ciphersuites
For wolfssl, instead of hard-coding TLS 1.2, use generic method and
disable older protocols, adding the necessary ciphersuites.
Openssl already had TLS 1.3 compatiblity, but its ciphersuite ordering
needs a separate call, so this sets the ciphersuite preference when
using TLS 1.3.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
| -rw-r--r-- | ustream-openssl.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/ustream-openssl.c b/ustream-openssl.c index 7c72ce1..3810d6a 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -33,6 +33,21 @@ * aes128, aes256, 3DES(client only) */ +#ifdef WOLFSSL_SSL_H +# define top_ciphers \ + "TLS13-CHACHA20-POLY1305-SHA256:" \ + "TLS13-AES128-GCM-SHA256:" \ + "TLS13-AES256-GCM-SHA384:" \ + ecdhe_ciphers +#else +# define tls13_ciphersuites "TLS_CHACHA20_POLY1305_SHA256:" \ + "TLS_AES_128_GCM_SHA256:" \ + "TLS_AES_256_GCM_SHA384" + +# define top_ciphers \ + ecdhe_ciphers +#endif + #define ecdhe_ciphers \ "ECDHE-ECDSA-CHACHA20-POLY1305:" \ "ECDHE-ECDSA-AES128-GCM-SHA256:" \ @@ -60,11 +75,11 @@ "AES256-SHA" #define server_cipher_list \ - ecdhe_ciphers ":" \ + top_ciphers ":" \ non_pfs_aes #define client_cipher_list \ - ecdhe_ciphers ":" \ + top_ciphers ":" \ dhe_ciphers ":" \ non_pfs_aes ":" \ "DES-CBC3-SHA" @@ -83,7 +98,7 @@ __ustream_ssl_context_new(bool server) SSL_library_init(); _init = true; } -# define TLS_server_method TLSv1_2_server_method +# define TLS_server_method SSLv23_server_method # define TLS_client_method SSLv23_client_method #endif @@ -101,10 +116,15 @@ __ustream_ssl_context_new(bool server) SSL_OP_CIPHER_SERVER_PREFERENCE); #if defined(SSL_CTX_set_ecdh_auto) && OPENSSL_VERSION_NUMBER < 0x10100000L SSL_CTX_set_ecdh_auto(c, 1); +#elif OPENSSL_VERSION_NUMBER >= 0x10101000L + SSL_CTX_set_ciphersuites(c, tls13_ciphersuites); #endif if (server) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L SSL_CTX_set_min_proto_version(c, TLS1_2_VERSION); +#else + SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | + SSL_OP_NO_TLSv1_1); #endif SSL_CTX_set_cipher_list(c, server_cipher_list); } else { |