|
|
@@ -100,23 +100,33 @@ OpenSSLTLSContext::OpenSSLTLSContext(TLSSessionSide side)
|
|
|
ERR_error_string(ERR_get_error(), nullptr)));
|
|
|
return;
|
|
|
}
|
|
|
- // Disable SSLv2 and enable all workarounds for buggy servers
|
|
|
- SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2
|
|
|
+ // Disable SSLv2/3 and enable all workarounds for buggy servers
|
|
|
+ SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
|
|
|
+ | SSL_OP_SINGLE_ECDH_USE
|
|
|
#ifdef SSL_OP_NO_COMPRESSION
|
|
|
| SSL_OP_NO_COMPRESSION
|
|
|
#endif // SSL_OP_NO_COMPRESSION
|
|
|
);
|
|
|
SSL_CTX_set_mode(sslCtx_, SSL_MODE_AUTO_RETRY);
|
|
|
SSL_CTX_set_mode(sslCtx_, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
|
|
- #ifdef SSL_MODE_RELEASE_BUFFERS
|
|
|
+#ifdef SSL_MODE_RELEASE_BUFFERS
|
|
|
/* keep memory usage low */
|
|
|
SSL_CTX_set_mode(sslCtx_, SSL_MODE_RELEASE_BUFFERS);
|
|
|
- #endif
|
|
|
+#endif
|
|
|
if(SSL_CTX_set_cipher_list(sslCtx_, "HIGH:!aNULL:!eNULL") == 0) {
|
|
|
good_ = false;
|
|
|
A2_LOG_ERROR(fmt("SSL_CTX_set_cipher_list() failed. Cause: %s",
|
|
|
ERR_error_string(ERR_get_error(), nullptr)));
|
|
|
}
|
|
|
+
|
|
|
+ auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
|
|
+ if(ecdh == nullptr) {
|
|
|
+ A2_LOG_WARN(fmt("Failed to enable ECDHE cipher suites. Cause: %s",
|
|
|
+ ERR_error_string(ERR_get_error(), nullptr)));
|
|
|
+ } else {
|
|
|
+ SSL_CTX_set_tmp_ecdh(sslCtx_, ecdh);
|
|
|
+ EC_KEY_free(ecdh);
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
OpenSSLTLSContext::~OpenSSLTLSContext()
|
Tatsuhiro Tsujikawa