authorJanusz Dziemidowicz <rraptorr@nails.eu.org>2012-07-18 22:00:58 +0200
committerJanusz Dziemidowicz <rraptorr@nails.eu.org>2012-07-18 22:00:58 +0200
commitd2d51381ec3fea97d0bd968cd7ffed2364b644c6 (patch)
tree968e88714553b3a48d72edb4d223b0aa7bdc29de /src
parentDisable SSL 2.0 in TLS driver (diff)
Disable old and unsecure ciphers in TLS driver
Disable:
- export ciphers - broken by design, 40 and 56 bit encryption
- low encryption ciphers - 56 and 64 bit encryption
- SSLv2 ciphers
- some ciphers using MD5 MAC
Diffstat (limited to 'src')
-rw-r--r--src/tls/tls_drv.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/tls/tls_drv.c b/src/tls/tls_drv.c
index da11b50a4..4096a48fb 100644
--- a/src/tls/tls_drv.c
+++ b/src/tls/tls_drv.c
@@ -44,6 +44,8 @@ typedef unsigned __int32 uint32_t;
#define SSL_OP_NO_TICKET 0
#endif
+#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
+
/*
* R15B changed several driver callbacks to use ErlDrvSizeT and
* ErlDrvSSizeT typedefs instead of int.
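Review bot: The new `CIPHERS` macro carries none of the rationale given in the commit message, so a later reader cannot tell which of its tokens excludes which class of suite or why `DEFAULT` rather than `ALL` is the starting point. A comment above the define would keep that intent next to the code, e.g. `/* Cipher list for SSL_CTX_set_cipher_list(): start from OpenSSL's DEFAULT set and drop export-grade (40/56-bit), low-strength (56/64-bit) and SSLv2-only suites; the exact resulting set depends on the OpenSSL build linked in. */`. The message also lists "some ciphers using MD5 MAC", which presumably means the SSLv2 suites removed by `!SSLv2` rather than a separate `!MD5` token; if a broader MD5 exclusion was intended, the string as written does not express it.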
@@ -356,6 +358,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+ SSL_CTX_set_cipher_list(ctx, CIPHERS);
+
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_default_verify_paths(ctx);
#ifdef SSL_MODE_RELEASE_BUFFERS
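Review bot: The return value of `SSL_CTX_set_cipher_list()` on the added line is discarded; OpenSSL returns 0 when no suite in the list can be enabled, and the context then keeps whatever cipher list it had before, so a typo in `CIPHERS` or an OpenSSL build without these suites would silently undo the hardening this commit intends. The call should be checked the way the neighbouring `SSL_CTX_*` setup calls in this function report failure, e.g. `if (SSL_CTX_set_cipher_list(ctx, CIPHERS) != 1) { /* fail via this function's existing error path */ }`. The enclosing `tls_drv_control` starts before this hunk, so the applicable error path is not visible here; if the file's `die_unless` helper is what the certificate-loading calls use, `die_unless(SSL_CTX_set_cipher_list(ctx, CIPHERS), "SSL_CTX_set_cipher_list failed");` would match that style.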