-rw-r--r-- | DEVELOPING.md | 4 | ||||
-rw-r--r-- | include/ssl_key_handler.hpp | 17 |
2 files changed, 20 insertions, 1 deletions
diff --git a/DEVELOPING.md b/DEVELOPING.md index 6a920bc8a3..f06ae816ad 100644 --- a/DEVELOPING.md +++ b/DEVELOPING.md @@ -92,6 +92,10 @@ authentication, session management, and security. 9. ### Performance + TLS uses cipher suites from the "OWASP Cipher String 'B'" to maintain as + much compatibility as we can with modern browsers, while still keeping a + strong security posture. + The performance priorities for the OpenBMC webserver are (in order): 1. Code is readable and clear 2. Code follows secure guidelines diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp index 32d7a7368b..fc088ad01b 100644 --- a/include/ssl_key_handler.hpp +++ b/include/ssl_key_handler.hpp @@ -352,8 +352,23 @@ inline boost::asio::ssl::context getSslContext(const std::string &ssl_pem_file) std::string aesOnlyCiphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL"; + // OWASP Cipher String 'B' (Broad compatibility to browsers) + // https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet + std::string owaspBroadCompatibility = "DHE-RSA-AES256-GCM-SHA384:" + "DHE-RSA-AES128-GCM-SHA256:" + "ECDHE-RSA-AES256-GCM-SHA384:" + "ECDHE-RSA-AES128-GCM-SHA256:" + "DHE-RSA-AES256-SHA256:" + "DHE-RSA-AES128-SHA256:" + "ECDHE-RSA-AES256-SHA384:" + "ECDHE-RSA-AES128-SHA256:" + "ECDHE-RSA-AES256-SHA:" + "ECDHE-RSA-AES128-SHA:" + "DHE-RSA-AES256-SHA:" + "DHE-RSA-AES128-SHA"; + if (SSL_CTX_set_cipher_list(mSslContext.native_handle(), - mozillaCompatibilityCiphers.c_str()) != 1) + owaspBroadCompatibility.c_str()) != 1) { BMCWEB_LOG_ERROR << "Error setting cipher list\n"; } |
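Review bot: The last four entries of `owaspBroadCompatibility` (`ECDHE-RSA-AES256-SHA` through `DHE-RSA-AES128-SHA`) are CBC suites with SHA-1 MACs, and they look like the additions of the cheat sheet's wider-compatibility string rather than string 'B'; check them against the cited page and either drop them or correct the comment. Every suite in the list is RSA-authenticated, so if the certificate loaded from `ssl_pem_file` ever carries an ECDSA key no suite can be negotiated; adding `"ECDHE-ECDSA-AES256-GCM-SHA384:"` and `"ECDHE-ECDSA-AES128-GCM-SHA256:"` would cover that case (the key type is not visible in this hunk). `SSL_CTX_set_cipher_list` governs only TLS 1.2 and below, and when it fails the code merely logs and goes on, presumably with the library's default list, so a comment such as `// TLS 1.3 suites are not restricted here; see SSL_CTX_set_ciphersuites` plus a hard failure on error would make the policy explicit. `mozillaCompatibilityCiphers` and `aesOnlyCiphers` appear to be unused after this change and could be removed. getSslContext starts and ends outside the hunk.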