Commit 03f0d4b7 authored by Petr Špaček's avatar Petr Špaček

Merge branch 'tls-ciphers' into 'master'

restrict TLS ciphers

See merge request !601
parents 2de02515 e3d306ce
......@@ -307,6 +307,10 @@ static void _tcp_accept(uv_stream_t *master, int status, bool tls)
timeout += KR_CONN_RTT_MAX * 3;
if (!session->tls_ctx) {
session->tls_ctx = tls_new(master->loop->data);
if (!session->tls_ctx) {
worker_session_close(session);
return;
}
session->tls_ctx->c.session = session;
session->tls_ctx->c.handshake_state = TLS_HS_IN_PROGRESS;
}
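Review bot: The new early-return on a failed tls_new() carries no comment explaining why the whole session is closed instead of, say, retrying or continuing without TLS; a one-liner would make the intent explicit, e.g. `/* No TLS context: refuse the connection rather than serve it in plaintext. */` above `worker_session_close(session);`. Whether worker_session_close() also releases the session object, so that no later use of `session` can follow the `return`, is not visible in this hunk. The enclosing `_tcp_accept` starts and ends outside the hunk.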
......@@ -59,7 +59,9 @@ static int kres_gnutls_set_priority(gnutls_session_t session) {
static const char * const priorities =
"NORMAL:" /* GnuTLS defaults */
"-VERS-TLS1.0:-VERS-TLS1.1:" /* TLS 1.2 and higher */
"-COMP-ALL:+COMP-NULL"; /* no compression*/
/* Some distros by default allow features that are considered
* too insecure nowadays, so let's disable them explicitly. */
"-VERS-SSL3.0:-ARCFOUR-128:-COMP-ALL:+COMP-NULL";
const char *errpos = NULL;
int err = gnutls_priority_set_direct(session, priorities, &errpos);
if (err != GNUTLS_E_SUCCESS) {
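Review bot: The per-token annotation that the old last string carried (`/* no compression*/`) is lost in the new combined line, which now bundles three unrelated restrictions under one generic comment; readers auditing the priority string benefit from knowing what each keyword removes. I would split the final literal into `"-VERS-SSL3.0:-ARCFOUR-128:" /* no SSLv3, no RC4 */` followed by `"-COMP-ALL:+COMP-NULL"; /* no TLS compression */`, which keeps the concatenated value byte-identical. Since a typo in this string is only detected at runtime by gnutls_priority_set_direct(), the failure branch should log `errpos` so the offending keyword is visible; that branch continues outside the hunk, so I cannot tell whether it already does. The enclosing kres_gnutls_set_priority() ends outside the hunk.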