X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssli_openssl.c;h=8ff1bcf41400c02eaef71e85b0a7463e8aff27dd;hb=df8ef01c17eb187a969ca66e749d5a5837df0c3f;hp=de081fa8dac69a61ed0bae4f50122a45ade326c0;hpb=ef99834a4e34039b59394d69b79c1c5540302d22;p=umurmur.git

diff --git a/src/ssli_openssl.c b/src/ssli_openssl.c
index de081fa..8ff1bcf 100644
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -33,6 +33,7 @@
 
 #include "conf.h"
 #include "log.h"
+#include "memory.h"
 #include "ssl.h"
 
 /*
@@ -48,6 +49,8 @@ static RSA *rsa;
 static SSL_CTX *context;
 static EVP_PKEY *pkey;
 
+static char const * ciphers = "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+TLSv1.2:EECDH+AES:AESGCM:AES:!aNULL:!DHE:!kECDH";
+
 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
 
 static int SSL_add_ext(X509 * crt, int nid, char *value) {
@@ -220,12 +223,21 @@ void SSLi_init(void)
 	ERR_load_crypto_strings();
 
 	context = SSL_CTX_new(SSLv23_server_method());
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
+	SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
 	if (context == NULL)
 	{
 		ERR_print_errors_fp(stderr);
 		abort();
 	}
 
+	SSL_CTX_set_cipher_list(context, ciphers);
+
+	EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+	SSL_CTX_set_tmp_ecdh(context, ecdhkey);
+	EC_KEY_free(ecdhkey);
+
 	char const * sslCAPath = getStrConf(CAPATH);
 	if(sslCAPath != NULL)
 	{
@@ -250,9 +262,7 @@ void SSLi_init(void)
 			Log_debug("%s", SSL_CIPHER_get_name(cipher));
 			cipherstringlen += strlen(SSL_CIPHER_get_name(cipher)) + 1;
 		}
-		cipherstring = malloc(cipherstringlen + 1);
-		if (cipherstring == NULL)
-			Log_fatal("Out of memory");
+		cipherstring = Memory_safeMalloc(1, cipherstringlen + 1);
 		for (i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
 			offset += sprintf(cipherstring + offset, "%s:", SSL_CIPHER_get_name(cipher));
 		}
@@ -328,10 +338,7 @@ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
 	}
 
 	len = i2d_X509(x509, NULL);
-	buf = malloc(len);
-	if (buf == NULL) {
-		Log_fatal("malloc");
-	}
+	buf = Memory_safeMalloc(1, len);
 
 	p = buf;
 	i2d_X509(x509, &p);
@@ -404,7 +411,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
      * it for something special
      */
     if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
-	    X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+	    X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
 	    Log_warn("issuer= %s", buf);
     }
     return 1;