From 7e81cd818c751e0f75b2c637e37356485e1e71ef Mon Sep 17 00:00:00 2001
From: erdgeist
Date: Tue, 15 Apr 2014 14:24:43 +0200
Subject: Enforce strong crypto
---
 vchat-ssl.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/vchat-ssl.c b/vchat-ssl.c
index 652ca09..41b0278 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -61,7 +61,7 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 X509_STORE *store = NULL;
 vc_x509verify_cb_t verify_callback = NULL;
- if( !(ctx = SSL_CTX_new(SSLv3_method())) )
+ if( !(ctx = SSL_CTX_new(SSLv23_method())) )
 VC_CTX_ERR_EXIT(store, ctx);
 if( !(store = vc_x509store_create(vc_store)) )
@@ -69,8 +69,11 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 SSL_CTX_set_cert_store(ctx, store);
 store = NULL;
- SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
- SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+ SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ if( OPENSSL_VERSION_NUMBER < 0x10000000L )
+ SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
+ else
+ SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
 SSL_CTX_set_verify_depth (ctx, 2);
--
cgit v1.2.3
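Review bot: `SSLv23_method()` in the first hunk reads like a step backwards under a commit titled "Enforce strong crypto", so the call deserves a comment. It is OpenSSL's version-negotiating method, and the protocol floor is actually set by the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` options added in the second hunk. I would put `/* SSLv23_method() negotiates the highest shared version; SSLv2/SSLv3 are switched off via SSL_CTX_set_options() below */` above the call. vc_create_sslctx starts and ends outside the hunk.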
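Review bot: The return value of both `SSL_CTX_set_cipher_list()` calls in the second hunk is ignored, and a single-suite list is far more likely to select nothing than the old `ALL:...` string was. The AES-GCM suites arrived with TLS 1.2 in OpenSSL 1.0.1, so a build against 1.0.0 takes the `else` branch and requests a suite that library does not offer; the bound should be `0x10001000L`. `OPENSSL_VERSION_NUMBER` also describes the headers at compile time rather than the library loaded at run time, so `#if OPENSSL_VERSION_NUMBER < 0x10001000L` states the intent better than a run-time `if`. I would fail closed the way the rest of the function already does, with the suite string chosen by the version check: `if( !SSL_CTX_set_cipher_list(ctx, cipher) ) VC_CTX_ERR_EXIT(store, ctx);`. vc_create_sslctx continues outside the hunk.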