authorerdgeist <de@gsmk.de>2014-04-15 14:24:43 +0200
committererdgeist <de@gsmk.de>2014-04-15 14:24:43 +0200
commit7e81cd818c751e0f75b2c637e37356485e1e71ef (patch)
tree73d63ee98b8d20ce0609c93c8ca13fad68aaea0d
parentb6fdcbeb3ea50e0051749dc552ffb7a736d3c8e1 (diff)
Enforce strong crypto
-rwxr-xr-xvchat-ssl.c9
1 files changed, 6 insertions, 3 deletions
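diff --git a/vchat-ssl.c b/vchat-ssl.c
index 652ca09..41b0278 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -61,7 +61,7 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
   X509_STORE *store = NULL;
   vc_x509verify_cb_t verify_callback = NULL;
 
-  if( !(ctx = SSL_CTX_new(SSLv3_method())) )
+  if( !(ctx = SSL_CTX_new(SSLv23_method())) )
     VC_CTX_ERR_EXIT(store, ctx);
 
   if( !(store = vc_x509store_create(vc_store)) )
@@ -69,8 +69,11 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 
   SSL_CTX_set_cert_store(ctx, store);
   store = NULL;
-  SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
-  SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+  SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+  if( OPENSSL_VERSION_NUMBER < 0x10000000L )
+    SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
+  else
+    SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
 
   SSL_CTX_set_verify_depth (ctx, 2);
 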
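Review bot: The two new `SSL_CTX_set_cipher_list` calls in the second hunk ignore the return value, so if the single named suite is not available in the linked OpenSSL build (for example a build without ECDHE support) the call returns 0 and the context silently keeps OpenSSL's default cipher list, which defeats the purpose of the commit. Each call should fail the same way the `SSL_CTX_new` failure is handled a few lines up, e.g. `if( !SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384") ) VC_CTX_ERR_EXIT(store, ctx);` and likewise for the `DHE-RSA-AES256-SHA` branch. Since `OPENSSL_VERSION_NUMBER` is a header constant, the runtime `if` is really a build-time choice and would read more clearly as `#if OPENSSL_VERSION_NUMBER < 0x10000000L` with matching `#else`/`#endif`. `SSL_OP_ALL` is still set alongside the new `SSL_OP_NO_SSLv3`; it bundles several protocol bug workarounds, and it is worth confirming none of them weaken the configuration this commit intends to enforce. The body of `vc_create_sslctx` starts before the first hunk and continues after the second.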