From aaaa117817687a05284f8bfff07e2404e0d616b7 Mon Sep 17 00:00:00 2001
From: Radivoje Jovanovic <radivoje.jovanovic@intel.com>
Date: Thu, 10 Dec 2020 13:42:20 -0800
Subject: [PATCH] recommended fixes by crypto review team

some curves/cyphers are forbiden to be used by
Intel crypto team.
Only enable approved ones.
the patch was created by aleksandr.v.tereschenko@intel.com

Signed-off-by: Radivoje Jovanovic <radivoje.jovanovic@intel.com>
---
 include/ssl_key_handler.hpp | 39 ++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 39e83d7..8de7349 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -381,31 +381,34 @@ inline std::shared_ptr<boost::asio::ssl::context>
     mSslContext->use_private_key_file(sslPemFile,
                                       boost::asio::ssl::context::pem);
 
-    // Set up EC curves to auto (boost asio doesn't have a method for this)
-    // There is a pull request to add this.  Once this is included in an asio
-    // drop, use the right way
-    // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
-    if (SSL_CTX_set_ecdh_auto(mSslContext->native_handle(), 1) != 1)
+    std::string handshakeCurves = "P-384:P-521:X448";
+    if (SSL_CTX_set1_groups_list(mSslContext->native_handle(), handshakeCurves.c_str()) != 1)
     {
-        BMCWEB_LOG_ERROR << "Error setting tmp ecdh list\n";
+        BMCWEB_LOG_ERROR << "Error setting ECDHE group list\n";
     }
 
-    std::string mozillaModern = "ECDHE-ECDSA-AES256-GCM-SHA384:"
-                                "ECDHE-RSA-AES256-GCM-SHA384:"
-                                "ECDHE-ECDSA-CHACHA20-POLY1305:"
-                                "ECDHE-RSA-CHACHA20-POLY1305:"
-                                "ECDHE-ECDSA-AES128-GCM-SHA256:"
-                                "ECDHE-RSA-AES128-GCM-SHA256:"
-                                "ECDHE-ECDSA-AES256-SHA384:"
-                                "ECDHE-RSA-AES256-SHA384:"
-                                "ECDHE-ECDSA-AES128-SHA256:"
-                                "ECDHE-RSA-AES128-SHA256";
+    std::string tls12Ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384:"
+                               "ECDHE-RSA-AES256-GCM-SHA384";
+    std::string tls13Ciphers = "TLS_AES_256_GCM_SHA384";
 
     if (SSL_CTX_set_cipher_list(mSslContext->native_handle(),
-                                mozillaModern.c_str()) != 1)
+                                tls12Ciphers.c_str()) != 1)
     {
-        BMCWEB_LOG_ERROR << "Error setting cipher list\n";
+        BMCWEB_LOG_ERROR << "Error setting TLS 1.2 cipher list\n";
     }
+
+    if (SSL_CTX_set_ciphersuites(mSslContext->native_handle(),
+                                 tls13Ciphers.c_str()) != 1)
+    {
+        BMCWEB_LOG_ERROR << "Error setting TLS 1.3 cipher list\n";
+    }
+
+    if ((SSL_CTX_set_options(mSslContext->native_handle(),
+                            SSL_OP_CIPHER_SERVER_PREFERENCE) & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0)
+    {
+        BMCWEB_LOG_ERROR << "Error setting TLS server preference option\n";
+    }
+
     return mSslContext;
 }
 } // namespace ensuressl
-- 
2.17.1