From 41ffa33b09d9bcf0902c3ef9384011c95f72ccbe Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 12:29:30 +0200 Subject: change to use TLSv1_2 (or maybe later) --- vchat-ssl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'vchat-ssl.c') diff --git a/vchat-ssl.c b/vchat-ssl.c index 652ca09..7f0395b 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -61,7 +61,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) X509_STORE *store = NULL; vc_x509verify_cb_t verify_callback = NULL; - if( !(ctx = SSL_CTX_new(SSLv3_method())) ) + /* Explicitly use TLSv1_2 (or maybe later) */ + if( !(ctx = SSL_CTX_new(TLSv1_2_client_method())) ) VC_CTX_ERR_EXIT(store, ctx); if( !(store = vc_x509store_create(vc_store)) ) @@ -69,7 +70,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) SSL_CTX_set_cert_store(ctx, store); store = NULL; - SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2); + /* Disable A LOT of insecure protocols explicitly */ + SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); SSL_CTX_set_verify_depth (ctx, 2); -- cgit v1.2.3 From 19375e6c61bfe3bf643786b0e7318c528e4b22a0 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 13:05:21 +0200 Subject: show cipher being used --- vchat-ssl.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'vchat-ssl.c') diff --git a/vchat-ssl.c b/vchat-ssl.c index 7f0395b..2b41432 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -136,8 +136,24 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) BIO_push( ssl_conn, *conn ); *conn = ssl_conn; fflush(stdout); - if( BIO_do_handshake( *conn ) > 0 ) + if( BIO_do_handshake( *conn ) > 0 ) { + /* Show information about cipher used */ + const SSL *sslp = NULL; + const SSL_CIPHER * cipher = NULL; + + /* Get cipher object */ + BIO_get_ssl(ssl_conn, &sslp); + cipher = SSL_get_current_cipher(sslp); + if (cipher) { + char cipher_desc[TMPSTRSIZE]; + snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); + writecf(FS_SERV, tmpstr); + } else { + snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); + writecf(FS_ERR, tmpstr); + } return 0; + } } snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); -- cgit v1.2.3