summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorTingPing <tingping@tingping.se>2014-11-05 02:17:34 -0500
committerTingPing <tingping@tingping.se>2014-11-05 02:17:34 -0500
commitebaaf466bf42aec26f05e71f06c39a0b19e32e77 (patch)
treea14f8612694ee0d3f808d7e675089bcb51cbb6d7
parent4b6215051f1d3b484e32dc95e33d83202bd89959 (diff)
ssl: Use more secure options
This disables ssl 2/3
-rw-r--r--src/common/ssl.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/common/ssl.c b/src/common/ssl.c
index cfa9b6cf..e929a1aa 100644
--- a/src/common/ssl.c
+++ b/src/common/ssl.c
@@ -37,6 +37,11 @@
 #include <glib/gprintf.h>
 #include "util.h"
 
+/* If openssl was built without ec */
+#ifndef SSL_OP_SINGLE_ECDH_USE
+#define SSL_OP_SINGLE_ECDH_USE 0
+#endif
+
 /* globals */
 static struct chiper_info chiper_info;		/* static buffer for _SSL_get_cipher_info() */
 static char err_buf[256];			/* generic error buffer */
@@ -82,6 +87,11 @@ _SSL_context_init (void (*info_cb_func), int server)
 
 	SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
 	SSL_CTX_set_timeout (ctx, 300);
+	SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+							  |SSL_OP_NO_COMPRESSION
+							  |SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
+							  |SSL_OP_NO_TICKET
+							  |SSL_OP_CIPHER_SERVER_PREFERENCE);
 
 	/* used in SSL_connect(), SSL_accept() */
 	SSL_CTX_set_info_callback (ctx, info_cb_func);