blob: 5ffc259c0f8ef59ead596f5fbaf1019d85f7eca7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
From aaaa117817687a05284f8bfff07e2404e0d616b7 Mon Sep 17 00:00:00 2001
From: Radivoje Jovanovic <radivoje.jovanovic@intel.com>
Date: Thu, 10 Dec 2020 13:42:20 -0800
Subject: [PATCH] recommended fixes by crypto review team
some curves/cyphers are forbiden to be used by
Intel crypto team.
Only enable approved ones.
the patch was created by aleksandr.v.tereschenko@intel.com
Signed-off-by: Radivoje Jovanovic <radivoje.jovanovic@intel.com>
---
include/ssl_key_handler.hpp | 39 ++++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 18 deletions(-)
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 39e83d7..8de7349 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -381,31 +381,34 @@ inline std::shared_ptr<boost::asio::ssl::context>
mSslContext->use_private_key_file(sslPemFile,
boost::asio::ssl::context::pem);
- // Set up EC curves to auto (boost asio doesn't have a method for this)
- // There is a pull request to add this. Once this is included in an asio
- // drop, use the right way
- // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
- if (SSL_CTX_set_ecdh_auto(mSslContext->native_handle(), 1) != 1)
+ std::string handshakeCurves = "P-384:P-521:X448";
+ if (SSL_CTX_set1_groups_list(mSslContext->native_handle(), handshakeCurves.c_str()) != 1)
{
- BMCWEB_LOG_ERROR << "Error setting tmp ecdh list\n";
+ BMCWEB_LOG_ERROR << "Error setting ECDHE group list\n";
}
- std::string mozillaModern = "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-CHACHA20-POLY1305:"
- "ECDHE-RSA-CHACHA20-POLY1305:"
- "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-ECDSA-AES128-SHA256:"
- "ECDHE-RSA-AES128-SHA256";
+ std::string tls12Ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384";
+ std::string tls13Ciphers = "TLS_AES_256_GCM_SHA384";
if (SSL_CTX_set_cipher_list(mSslContext->native_handle(),
- mozillaModern.c_str()) != 1)
+ tls12Ciphers.c_str()) != 1)
{
- BMCWEB_LOG_ERROR << "Error setting cipher list\n";
+ BMCWEB_LOG_ERROR << "Error setting TLS 1.2 cipher list\n";
}
+
+ if (SSL_CTX_set_ciphersuites(mSslContext->native_handle(),
+ tls13Ciphers.c_str()) != 1)
+ {
+ BMCWEB_LOG_ERROR << "Error setting TLS 1.3 cipher list\n";
+ }
+
+ if ((SSL_CTX_set_options(mSslContext->native_handle(),
+ SSL_OP_CIPHER_SERVER_PREFERENCE) & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0)
+ {
+ BMCWEB_LOG_ERROR << "Error setting TLS server preference option\n";
+ }
+
return mSslContext;
}
} // namespace ensuressl
--
2.17.1
|