From 2f81f80acc0e34cfad3d250b60f0ceba17bddbf0 Mon Sep 17 00:00:00 2001
From: Karol Niczyj
Date: Tue, 17 Aug 2021 20:09:42 +0200
Subject: Restricted TLS cipher suites to preferred ones
Updated TLS 1.2 cipher list and added TLS1.3 cipher list. Tested by Oleksandr Shulzhenko on local setup.
Change-Id: I218c245d8ddf7e54dae258a39cd78c3255027b6e
Signed-off-by: Karol Niczyj
---
 src/state/activating_state.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp
index 22225a2..b1113b7 100644
--- a/src/state/activating_state.cpp
+++ b/src/state/activating_state.cpp
@@ -267,10 +267,11 @@ std::unique_ptr
 "capath=/etc/ssl/certs/authority",
 "ssl-version=tlsv1.2",
 "followlocation=false",
-"ssl-cipher-list=ALL:!eNULL:!aNULL:"
-"!AES256-GCM-SHA384:!AES128-GCM-SHA256:"
-"!AES256-SHA256:!AES128-SHA256:"
-"!ECDHE-RSA-CHACHA20-POLY1305"};
+"ssl-cipher-list="
+"ECDHE-RSA-AES256-GCM-SHA384:"
+"ECDHE-ECDSA-AES256-GCM-SHA384",
+"tls13-ciphers="
+"TLS_AES_256_GCM_SHA384"};
 
 // Authenticate if needed
 if (machine.getTarget()->credentials)
-- 
cgit v1.2.3
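Review bot: The new `ssl-cipher-list=` and `tls13-ciphers=` entries carry no comment explaining why exactly these three suites are allowed or how they relate to the `"ssl-version=tlsv1.2"` entry kept just above them; that option is a minimum version rather than a pin, so a TLS 1.3 handshake is governed by the `tls13-ciphers` entry and a TLS 1.2 handshake by the `ssl-cipher-list` entry, and a reader who sees only "tlsv1.2" may think the second list is dead. I'd add above the `"ssl-cipher-list="` line: `// ssl-version=tlsv1.2 is a floor, not a pin: TLS 1.3 uses tls13-ciphers, TLS 1.2 uses ssl-cipher-list; both are restricted to AES-256-GCM with ephemeral (EC)DHE key exchange (forward secrecy).` Note also that a separate TLS 1.3 suite setting is only honored by TLS backends that expose one, so if the backend behind these options is not fixed by the build, it is worth a comment that `tls13-ciphers` may be rejected or ignored elsewhere and that the client should fail closed rather than proceed with a default suite list. The initializer list and the function holding it begin before the hunk.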