X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssli_openssl.c;h=4cc1db949cd24ab4ca28638c5e99ff486f8ef2c5;hb=d72b5e6870c6210208121e982fee31b114d141ba;hp=2dd55ef8839bfe334c717c896305416543b4608f;hpb=c72ebd29f239793218f2248c3f8b48a7b3e0a541;p=umurmur.git
diff --git a/src/ssli_openssl.c b/src/ssli_openssl.c
index 2dd55ef..4cc1db9 100644
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -49,7 +49,7 @@ static RSA *rsa;
 static SSL_CTX *context;
 static EVP_PKEY *pkey;
-static char const * ciphers = "EECDH+AESGCM:AES256-SHA:AES128-SHA";
+static char const * ciphers = "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+TLSv1.2:EECDH+AES:AESGCM:AES:!aNULL:!DHE:!kECDH";
 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
@@ -215,14 +215,17 @@ void SSLi_init(void)
 	int i, offset = 0, cipherstringlen = 0;
 	STACK_OF(SSL_CIPHER) *cipherlist = NULL, *cipherlist_new = NULL;
 	SSL_CIPHER *cipher;
-	char *cipherstring;
+	char *cipherstring = NULL;
 	SSL_library_init();
 	OpenSSL_add_all_algorithms();
 	SSL_load_error_strings();
 	ERR_load_crypto_strings();
-	context = SSL_CTX_new(TLSv1_2_server_method());
+	context = SSL_CTX_new(SSLv23_server_method());
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
+	SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
 	if (context == NULL) {
 		ERR_print_errors_fp(stderr);
@@ -268,7 +271,7 @@ void SSLi_init(void)
 	if (cipherlist_new)
 		sk_SSL_CIPHER_free(cipherlist_new);
-	if (strlen(cipherstring) == 0)
+	if (!cipherstring || !*cipherstring)
 		Log_fatal("No suitable ciphers found!");
 	if (SSL_CTX_set_cipher_list(context, cipherstring) == 0)
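Review bot: The new `ciphers` default on the `+static char const * ciphers` line has no comment explaining its ordering or exclusions, and the trailing `AESGCM:AES` tokens admit RSA-key-exchange suites without forward secrecy, so a reader cannot tell whether that fallback is deliberate. Suggest a comment above the definition such as `/* ECDHE (ChaCha20, AES-GCM, then AES) preferred; plain AESGCM/AES fallback has no forward secrecy and is kept only for old clients; DHE, static ECDH and anonymous suites are disabled. */`, adjusting the DHE rationale to whatever motivated `!DHE` (presumably avoiding DH parameter handling). If the non-forward-secret fallback is not needed for client compatibility, dropping `:AESGCM:AES` would be the tighter default.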
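Review bot: The three added `SSL_CTX_set_options(context, ...)` calls run before the `if (context == NULL)` check that follows them, so a failed `SSL_CTX_new` now dereferences NULL inside OpenSSL instead of reaching `ERR_print_errors_fp`. Move them below the NULL-check block (whose closing brace is outside the hunk); the flags can then be set in one call, `SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE);`. Switching from `TLSv1_2_server_method` to `SSLv23_server_method` also re-enables TLS 1.0 and 1.1 negotiation, which the old code did not offer; if only TLS 1.2 was intended, add `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` to that mask, otherwise a comment should state that the older versions are accepted on purpose. `SSLi_init` continues outside the hunk.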
@@ -408,7 +411,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	 * it for something special */
 	if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
-		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+		X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
 		Log_warn("issuer= %s", buf);
 	}
 	return 1;
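Review bot: The `X509_NAME_oneline(..., buf, 256)` call on the `+` line keeps a hard-coded 256 as the buffer length; if `buf` is a local array declared earlier in `verify_callback` (its declaration, like that of `err_cert`, is outside the hunk), `sizeof buf` ties the bound to the declaration so a later resize cannot silently overflow. Separately, the unconditional `return 1;` below the branch tells OpenSSL to accept the peer certificate even when `preverify_ok` is 0; the truncated comment above suggests this is intentional, so a one-line comment at that return such as `/* Always accept: chain validation is not the trust basis here */` would make the deliberate override explicit to readers. The start of `verify_callback` is outside the hunk.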