Configure the default SSL ciphers as HIGH:!aNULL.
authorjsing <jsing@openbsd.org>
Wed, 6 Aug 2014 16:09:02 +0000 (16:09 +0000)
committerjsing <jsing@openbsd.org>
Wed, 6 Aug 2014 16:09:02 +0000 (16:09 +0000)
ok deraadt@ reyk@

usr.sbin/httpd/httpd.h
usr.sbin/httpd/parse.y
usr.sbin/httpd/server.c

index 4190970..c129860 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: httpd.h,v 1.49 2014/08/06 15:08:04 florian Exp $      */
+/*     $OpenBSD: httpd.h,v 1.50 2014/08/06 16:09:02 jsing Exp $        */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -38,8 +38,9 @@
 #define HTTPD_LOGROOT          "/logs"
 #define HTTPD_ACCESS_LOG       "access.log"
 #define HTTPD_ERROR_LOG                "error.log"
-#define HTTPD_SSL_KEY          "/etc/ssl/private/server.key"
 #define HTTPD_SSL_CERT         "/etc/ssl/server.crt"
+#define HTTPD_SSL_KEY          "/etc/ssl/private/server.key"
+#define HTTPD_SSL_CIPHERS      "HIGH:!aNULL"
 #define FD_RESERVE             5
 
 #define SERVER_MAX_CLIENTS     1024
@@ -373,6 +374,7 @@ struct server_config {
        char                    *ssl_cert;
        off_t                    ssl_cert_len;
        char                    *ssl_cert_file;
+       char                     ssl_ciphers[NAME_MAX];
        char                    *ssl_key;
        off_t                    ssl_key_len;
        char                    *ssl_key_file;
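Review bot: `ssl_ciphers` is sized with NAME_MAX, a filename-component limit that is unrelated to OpenSSL cipher-list strings, so the struct gives no hint whether a longer user-supplied list is rejected or silently truncated before it reaches the library. A purpose-named constant next to the new `HTTPD_SSL_CIPHERS` define, e.g. `#define HTTPD_SSL_CIPHERS_MAX 256` (size is a constructed example) and `char ssl_ciphers[HTTPD_SSL_CIPHERS_MAX];`, would document the intent and keep the limit independent of the filesystem constant. A short field comment such as `/* OpenSSL cipher-list string; a truncated list changes the policy */` would tell the next maintainer why every copy into this buffer must check for truncation. The enclosing `struct server_config` begins and ends outside the hunk.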
index a2a4107..accf426 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.30 2014/08/06 12:56:58 reyk Exp $ */
+/*     $OpenBSD: parse.y,v 1.31 2014/08/06 16:09:02 jsing Exp $        */
 
 /*
  * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -235,6 +235,8 @@ server              : SERVER STRING         {
                        s->srv_conf.logformat = LOG_FORMAT_COMMON;
                        s->srv_conf.ssl_cert_file = HTTPD_SSL_CERT;
                        s->srv_conf.ssl_key_file = HTTPD_SSL_KEY;
+                       strlcpy(s->srv_conf.ssl_ciphers, HTTPD_SSL_CIPHERS,
+                           sizeof(s->srv_conf.ssl_ciphers));
 
                        if (last_server_id == INT_MAX) {
                                yyerror("too many servers defined");
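Review bot: The return value of the added `strlcpy` is discarded; that is harmless here because `HTTPD_SSL_CIPHERS` is a compile-time constant that fits the buffer, but the same copy into a NAME_MAX-sized field will presumably be made from a user-supplied config string elsewhere in this grammar, and there truncation must be detected rather than ignored. A cipher list that loses its tail silently becomes a weaker policy (for example an exclusion such as `!aNULL` cut off), so the pattern should be `if (strlcpy(dst, src, sizeof(dst)) >= sizeof(dst)) { yyerror("ssl ciphers too long"); YYERROR; }` wherever the source is not a constant. A one-line comment on the default copy, `/* default fits; user-supplied lists must be truncation-checked */`, would make that distinction explicit. The grammar action for `server` continues outside the hunk.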
index 6671b69..502adbf 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: server.c,v 1.36 2014/08/06 15:08:04 florian Exp $     */
+/*     $OpenBSD: server.c,v 1.37 2014/08/06 16:09:02 jsing Exp $       */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -188,6 +188,8 @@ server_ssl_init(struct server *srv)
                return (-1);
        }
 
+       ressl_config_set_ciphers(srv->srv_ressl_config,
+           srv->srv_conf.ssl_ciphers);
        ressl_config_set_cert_mem(srv->srv_ressl_config,
            srv->srv_conf.ssl_cert, srv->srv_conf.ssl_cert_len);
        ressl_config_set_key_mem(srv->srv_ressl_config,
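Review bot: The result of `ressl_config_set_ciphers` is ignored; if the setter reports failure through its return value, as the ressl API of this period appears to (it duplicates the string into the config — confirm against the library), a failed call leaves the library's own default cipher list in force instead of the configured one, which is a silent weakening rather than an error. The function already has an error path a few lines above (`return (-1)` at the top of the hunk), so the check fits the existing style: `if (ressl_config_set_ciphers(srv->srv_ressl_config, srv->srv_conf.ssl_ciphers) != 0) return (-1);`, with a message through the file's existing logging helper. The neighbouring `ressl_config_set_cert_mem` and `ressl_config_set_key_mem` calls are unchecked as well, but that is pre-existing. `server_ssl_init` starts before the hunk.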