-/* Copyright (C) 2015, Felix Morgner <felix.morgner@gmail.com>
+/* Copyright (C) 2015-2016, Felix Morgner <felix.morgner@gmail.com>
All rights reserved.
#include "ssl.h"
#include "conf.h"
#include "log.h"
+#include "memory.h"
#include <stdlib.h>
static gnutls_dh_params_t dhParameters;
static gnutls_certificate_credentials_t certificate;
-static const char * ciphers = "NORMAL";
+static const char * ciphers = "NONE:"
+ "+ECDHE-ECDSA:+ECDHE-RSA:+RSA:"
+ "+AES-256-GCM:+AES-128-GCM:"
+ "+AEAD:+SHA384:+SHA256:+SHA1:"
+ "+CURVE-ALL:"
+ "+COMP-NULL:"
+ "+SIGN-ALL:"
+ "+VERS-TLS1.2:+VERS-TLS1.0:"
+ "+CTYPE-X509";
+
static gnutls_priority_t cipherCache;
void initializeCertificate()
if( error != GNUTLS_E_SUCCESS ) {
Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
}
-
}
void SSLi_init()
{
- unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
-
- gnutls_dh_params_init(&dhParameters);
- gnutls_dh_params_generate2(dhParameters, bitCount);
-
-#if GNUTLS_VERSION_NUMBER < 0x030300
- gnutls_global_init();
-#endif
-
- gnutls_priority_init(&cipherCache, ciphers, NULL);
+ if(gnutls_priority_init(&cipherCache, ciphers, NULL) != GNUTLS_E_SUCCESS)
+ {
+ Log_fatal("Failed to set priorities");
+ }
initializeCertificate();
Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
-
}
void SSLi_deinit()
SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
{
- gnutls_session_t * session = calloc(1, sizeof(gnutls_session_t));
+ gnutls_session_t * session
+ = Memory_safeCalloc(1, sizeof(gnutls_session_t));
gnutls_init(session, GNUTLS_SERVER);
gnutls_priority_set(*session, cipherCache);