From fda261e07ede2775e577d5a0b06b022df8e53a9d Mon Sep 17 00:00:00 2001
From: jsing
Date: Wed, 6 Aug 2014 16:09:02 +0000
Subject: [PATCH] Configure the default SSL ciphers as HIGH:!aNULL.

ok deraadt@ reyk@
---
 usr.sbin/httpd/httpd.h | 6 ++++--
 usr.sbin/httpd/parse.y | 4 +++-
 usr.sbin/httpd/server.c | 4 +++-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 41909705c03..c129860fb97 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.49 2014/08/06 15:08:04 florian Exp $ */
+/* $OpenBSD: httpd.h,v 1.50 2014/08/06 16:09:02 jsing Exp $ */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter
@@ -38,8 +38,9 @@
 #define HTTPD_LOGROOT "/logs"
 #define HTTPD_ACCESS_LOG "access.log"
 #define HTTPD_ERROR_LOG "error.log"
-#define HTTPD_SSL_KEY "/etc/ssl/private/server.key"
 #define HTTPD_SSL_CERT "/etc/ssl/server.crt"
+#define HTTPD_SSL_KEY "/etc/ssl/private/server.key"
+#define HTTPD_SSL_CIPHERS "HIGH:!aNULL"
 #define FD_RESERVE 5
 #define SERVER_MAX_CLIENTS 1024
 
@@ -373,6 +374,7 @@ struct server_config {
 char *ssl_cert;
 off_t ssl_cert_len;
 char *ssl_cert_file;
+char ssl_ciphers[NAME_MAX];
 char *ssl_key;
 off_t ssl_key_len;
 char *ssl_key_file;
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index a2a4107d2cb..accf426c5d4 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.30 2014/08/06 12:56:58 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.31 2014/08/06 16:09:02 jsing Exp $ */
 
 /*
  * Copyright (c) 2007 - 2014 Reyk Floeter
@@ -235,6 +235,8 @@ server : SERVER STRING {
 s->srv_conf.logformat = LOG_FORMAT_COMMON;
 s->srv_conf.ssl_cert_file = HTTPD_SSL_CERT;
 s->srv_conf.ssl_key_file = HTTPD_SSL_KEY;
+strlcpy(s->srv_conf.ssl_ciphers, HTTPD_SSL_CIPHERS,
+sizeof(s->srv_conf.ssl_ciphers));
 
 if (last_server_id == INT_MAX) {
 yyerror("too many servers defined");
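Review bot: HTTPD_SSL_CIPHERS needs a comment: "HIGH:!aNULL" is a library cipher-list expression, and a reader of httpd.h cannot tell from the macro name what the default permits or forbids, which matters for anyone auditing the server's TLS posture. Suggest placing `/* Default cipher list: "high" strength suites only, no anonymous (unauthenticated) key exchange. */` above the define. The concrete suites that HIGH expands to are decided by the linked library at run time, so the comment should state the intent rather than enumerate suites.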
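Review bot: `ssl_ciphers` is sized with NAME_MAX, which is the filename-component limit and has no relation to cipher strings; sitting between ssl_cert_file and ssl_key_file it reads as if the field held a path. A dedicated bound defined beside HTTPD_SSL_CIPHERS in the same header, say `char ssl_ciphers[HTTPD_SSL_CIPHERS_MAX];` (name constructed here), would make the limit explicit and give the parser's copy a constant to check truncation against. struct server_config starts and ends outside the hunk.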
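Review bot: The strlcpy result on the added lines is discarded, so a cipher list longer than sizeof(ssl_ciphers) would be silently cut to a different, shorter list instead of being rejected. With the compile-time HTTPD_SSL_CIPHERS this cannot trigger today, but this copy is exactly where a user-configurable value would later land, so it is worth checking now: `if (strlcpy(s->srv_conf.ssl_ciphers, HTTPD_SSL_CIPHERS, sizeof(s->srv_conf.ssl_ciphers)) >= sizeof(s->srv_conf.ssl_ciphers)) { yyerror("ssl ciphers too long"); ... }` followed by the rule's existing error path, which I cannot see from here. The enclosing grammar action starts and ends outside the hunk.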
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 6671b69a8aa..502adbfe0d1 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.36 2014/08/06 15:08:04 florian Exp $ */
+/* $OpenBSD: server.c,v 1.37 2014/08/06 16:09:02 jsing Exp $ */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter
@@ -188,6 +188,8 @@ server_ssl_init(struct server *srv)
 return (-1);
 }
 
+ressl_config_set_ciphers(srv->srv_ressl_config,
+srv->srv_conf.ssl_ciphers);
 ressl_config_set_cert_mem(srv->srv_ressl_config,
 srv->srv_conf.ssl_cert, srv->srv_conf.ssl_cert_len);
 ressl_config_set_key_mem(srv->srv_ressl_config,
-- 
2.20.1
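Review bot: The return value of the added ressl_config_set_ciphers() call is ignored, matching the neighbouring set_cert_mem/set_key_mem calls, so if storing the cipher list fails the context silently keeps the library's own default rather than HIGH:!aNULL and nothing is logged. As far as I recall the ressl_config_set_* functions return int and fail when their internal copy cannot be allocated; if that holds here, wrap it as `if (ressl_config_set_ciphers(srv->srv_ressl_config, srv->srv_conf.ssl_ciphers) != 0)` and report and `return (-1)` the same way the ressl_config_new() failure just above does. server_ssl_init continues outside the hunk.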