From c52398cf8ddc2277fd315b57e988b8716e622887 Mon Sep 17 00:00:00 2001 From: jsing Date: Wed, 13 Jul 2016 16:30:48 +0000 Subject: [PATCH] Split the existing TLS cipher suite groups into four: "secure" (TLSv1.2+AEAD+PFS) "compat" (HIGH:!aNULL) "legacy" (HIGH:MEDIUM:!aNULL) "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes (an issue raised by Marko Kreen some time ago). ok beck@ tedu@ --- lib/libtls/tls_config.c | 10 +++++++--- lib/libtls/tls_init.3 | 17 +++++++++++------ lib/libtls/tls_internal.h | 6 ++++-- 3 files changed, 22 insertions(+), 11 deletions(-) diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c index 6b47eeb8d11..43f06b00633 100644 --- a/lib/libtls/tls_config.c +++ b/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.21 2016/07/07 14:09:03 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.22 2016/07/13 16:30:48 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -289,9 +289,13 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers) strcasecmp(ciphers, "default") == 0 || strcasecmp(ciphers, "secure") == 0) ciphers = TLS_CIPHERS_DEFAULT; - else if (strcasecmp(ciphers, "compat") == 0 || - strcasecmp(ciphers, "legacy") == 0) + else if (strcasecmp(ciphers, "compat") == 0) ciphers = TLS_CIPHERS_COMPAT; + else if (strcasecmp(ciphers, "legacy") == 0) + ciphers = TLS_CIPHERS_LEGACY; + else if (strcasecmp(ciphers, "all") == 0 || + strcasecmp(ciphers, "insecure") == 0) + ciphers = TLS_CIPHERS_ALL; if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) { tls_config_set_errorx(config, "out of memory"); diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index cd1f00af237..b4c6a7cc3a5 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.61 2016/05/27 11:25:57 sthen Exp $ +.\" $OpenBSD: tls_init.3,v 1.62 2016/07/13 16:30:48 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 27 2016 $ +.Dd $Mdocdate: July 13 2016 $ .Dt TLS_INIT 3 .Os .Sh NAME @@ -322,13 +322,18 @@ sets the list of ciphers that may be used. Lists of ciphers are specified by name, and the permitted names are: .Pp -.Bl -tag -width "default" -offset indent -compact -.It Dv "secure" -.It Dv "default" (an alias for secure) +.Bl -tag -width "insecure" -offset indent -compact +.It Dv "secure" (or alias "default") +.It Dv "compat" .It Dv "legacy" -.It Dv "compat" (an alias for legacy) +.It Dv "insecure" (or alias "all") .El .Pp +Alternatively, libssl cipher strings can be specified. +See the CIPHERS section of +.Xr openssl 1 +for further information. +.Pp .Em (Client and server) .It .Fn tls_config_set_key_file diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index 886ee1151ff..6c56e6fb848 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.31 2016/07/07 14:09:03 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.32 2016/07/13 16:30:48 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -26,8 +26,10 @@ #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem" -#define TLS_CIPHERS_COMPAT "ALL:!aNULL:!eNULL" #define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" +#define TLS_CIPHERS_COMPAT "HIGH:!aNULL" +#define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL" +#define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL" union tls_addr { struct in_addr ip4; -- 2.20.1