X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssli_openssl.c;h=009119d6280dddda18d0b46d754e029e3970f8f7;hb=d017730cd2eb7eeb219e7fb975cce7c7c377b195;hp=ee839b8e39412fb084e7f4e1d02e75367ffb3449;hpb=a1a0ba19a94a1bfe3c40629aa9c5f3a4b23db3ee;p=umurmur.git

diff --git a/src/ssli_openssl.c b/src/ssli_openssl.c
index ee839b8..009119d 100644
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -49,6 +49,8 @@ static RSA *rsa;
 static SSL_CTX *context;
 static EVP_PKEY *pkey;
+static char const * ciphers = "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+TLSv1.2:EECDH+AES:AESGCM:AES:!aNULL:!DHE:!kECDH";
+
 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
 static int SSL_add_ext(X509 * crt, int nid, char *value) {
@@ -159,7 +161,7 @@ static void SSL_initializeCert() {
 	char *key = (char *)getStrConf(KEY);
 	if (context) {
-		bool did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
+		bool_t did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
 		rsa = SSL_readprivatekey(key);
 		if (!rsa || !did_load_cert) {
@@ -221,12 +223,21 @@ void SSLi_init(void)
 	ERR_load_crypto_strings();
 	context = SSL_CTX_new(SSLv23_server_method());
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
+	SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
 	if (context == NULL) {
 		ERR_print_errors_fp(stderr);
 		abort();
 	}
+	SSL_CTX_set_cipher_list(context, ciphers);
+
+	EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+	SSL_CTX_set_tmp_ecdh(context, ecdhkey);
+	EC_KEY_free(ecdhkey);
+
 	char const * sslCAPath = getStrConf(CAPATH);
 	if(sslCAPath != NULL) {
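Review bot: The new cipher string keeps the plain `AESGCM:AES` entries after the EECDH ones while excluding `!DHE`, so a client that offers no ECDHE suite negotiates static-RSA key exchange with no forward secrecy; the trailing `!aNULL:!DHE:!kECDH` removes everything else, but not that fallback. If that is intentional it deserves a comment on the declaration, e.g. `/* Order is the server preference (see SSL_OP_CIPHER_SERVER_PREFERENCE). The non-EECDH AES suites at the end are a fallback for clients without ECDHE and give no forward secrecy. */`; otherwise drop `AESGCM:AES`. The pointer itself is never reassigned, so `static const char *const ciphers` would make that explicit.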
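Review bot: In the SSLi_init hunk the three `SSL_CTX_set_options(context, ...)` calls are placed before the `if (context == NULL)` check, so a failed `SSL_CTX_new()` now dereferences NULL instead of reaching the existing `abort()`; they must move below the check. The return values of `SSL_CTX_set_cipher_list()` and `SSL_CTX_set_tmp_ecdh()` (both 1 on success) and the possible NULL from `EC_KEY_new_by_curve_name()` are also ignored, so a cipher string no cipher in the linked OpenSSL build matches silently leaves the library default list in place, which defeats the purpose of the hardening. SSLi_init continues past the end of the hunk.
```c
	context = SSL_CTX_new(SSLv23_server_method());
	if (context == NULL) {
		ERR_print_errors_fp(stderr);
		abort();
	}
	/* Only after the NULL check: SSL_CTX_set_options() dereferences context. */
	SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE);
	/* 0 means no cipher in `ciphers` is available in this build; refuse to start
	 * rather than silently keep the library default list. */
	if (SSL_CTX_set_cipher_list(context, ciphers) != 1) {
		ERR_print_errors_fp(stderr);
		abort();
	}

	EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	if (ecdhkey == NULL || SSL_CTX_set_tmp_ecdh(context, ecdhkey) != 1) {
		ERR_print_errors_fp(stderr);
		abort();
	}
	EC_KEY_free(ecdhkey);
	/* … unchanged: CA path handling … */
```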