LibsslTLSContext: Disable SSLv3 and enable ECDHE cipher suites

2014-11-29 19:32:32 +09:00 · 2014-11-29 19:32:32 +09:00 · 71d8424318
parent bb6fae2f00
commit 71d8424318
1 changed files with 14 additions and 4 deletions
--- a/src/LibsslTLSContext.cc
+++ b/src/LibsslTLSContext.cc
@ -100,23 +100,33 @@ OpenSSLTLSContext::OpenSSLTLSContext(TLSSessionSide side)
                     ERR_error_string(ERR_get_error(), nullptr)));
    return;
  }
-  // Disable SSLv2 and enable all workarounds for buggy servers
-  SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2
+  // Disable SSLv2/3 and enable all workarounds for buggy servers
+  SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
+                      | SSL_OP_SINGLE_ECDH_USE
 #ifdef SSL_OP_NO_COMPRESSION
                      | SSL_OP_NO_COMPRESSION
 #endif // SSL_OP_NO_COMPRESSION
                      );
  SSL_CTX_set_mode(sslCtx_, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(sslCtx_, SSL_MODE_ENABLE_PARTIAL_WRITE);
-  #ifdef SSL_MODE_RELEASE_BUFFERS
+#ifdef SSL_MODE_RELEASE_BUFFERS
  /* keep memory usage low */
  SSL_CTX_set_mode(sslCtx_, SSL_MODE_RELEASE_BUFFERS);
-  #endif
+#endif
  if(SSL_CTX_set_cipher_list(sslCtx_, "HIGH:!aNULL:!eNULL") == 0) {
    good_ = false;
    A2_LOG_ERROR(fmt("SSL_CTX_set_cipher_list() failed. Cause: %s",
                     ERR_error_string(ERR_get_error(), nullptr)));
  }
+
+  auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  if(ecdh == nullptr) {
+    A2_LOG_WARN(fmt("Failed to enable ECDHE cipher suites. Cause: %s",
+                    ERR_error_string(ERR_get_error(), nullptr)));
+  } else {
+    SSL_CTX_set_tmp_ecdh(sslCtx_, ecdh);
+    EC_KEY_free(ecdh);
+  }
 }

 OpenSSLTLSContext::~OpenSSLTLSContext()