OpenSSL: Add a mechanism to configure cipher suites
This extends the TLS wrapper code to allow OpenSSL cipherlist string to be configured. In addition, the default value is now set to DEFAULT:!EXP:!LOW to ensure cipher suites with low and export encryption algoriths (40-64 bit keys) do not get enabled in default configuration regardless of how OpenSSL build was configured. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
e3a451118e
commit
b7328434f7
2 changed files with 32 additions and 0 deletions
|
|
@ -74,6 +74,7 @@ struct tls_config {
|
|||
const char *pkcs11_module_path;
|
||||
int fips_mode;
|
||||
int cert_in_cb;
|
||||
const char *openssl_ciphers;
|
||||
|
||||
void (*event_cb)(void *ctx, enum tls_event ev,
|
||||
union tls_event_data *data);
|
||||
|
|
@ -123,6 +124,7 @@ struct tls_config {
|
|||
* specific for now)
|
||||
* @cert_id: the certificate's id when using engine
|
||||
* @ca_cert_id: the CA certificate's id when using engine
|
||||
* @openssl_ciphers: OpenSSL cipher configuration
|
||||
* @flags: Parameter options (TLS_CONN_*)
|
||||
* @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
|
||||
* or %NULL if OCSP is not enabled
|
||||
|
|
@ -161,6 +163,7 @@ struct tls_connection_params {
|
|||
const char *key_id;
|
||||
const char *cert_id;
|
||||
const char *ca_cert_id;
|
||||
const char *openssl_ciphers;
|
||||
|
||||
unsigned int flags;
|
||||
const char *ocsp_stapling_response;
|
||||
|
|
|
|||
|
|
@ -747,6 +747,7 @@ void * tls_init(const struct tls_config *conf)
|
|||
{
|
||||
SSL_CTX *ssl;
|
||||
struct tls_context *context;
|
||||
const char *ciphers;
|
||||
|
||||
if (tls_openssl_ref_count == 0) {
|
||||
tls_global = context = tls_context_new(conf);
|
||||
|
|
@ -845,6 +846,18 @@ void * tls_init(const struct tls_config *conf)
|
|||
}
|
||||
#endif /* OPENSSL_NO_ENGINE */
|
||||
|
||||
if (conf && conf->openssl_ciphers)
|
||||
ciphers = conf->openssl_ciphers;
|
||||
else
|
||||
ciphers = "DEFAULT:!EXP:!LOW";
|
||||
if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
|
||||
wpa_printf(MSG_ERROR,
|
||||
"OpenSSL: Failed to set cipher string '%s'",
|
||||
ciphers);
|
||||
tls_deinit(ssl);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return ssl;
|
||||
}
|
||||
|
||||
|
|
@ -3262,6 +3275,14 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
return -1;
|
||||
}
|
||||
|
||||
if (params->openssl_ciphers &&
|
||||
SSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"OpenSSL: Failed to set cipher string '%s'",
|
||||
params->openssl_ciphers);
|
||||
return -1;
|
||||
}
|
||||
|
||||
#ifdef SSL_OP_NO_TICKET
|
||||
if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
|
||||
SSL_set_options(conn->ssl, SSL_OP_NO_TICKET);
|
||||
|
|
@ -3328,6 +3349,14 @@ int tls_global_set_params(void *tls_ctx,
|
|||
return -1;
|
||||
}
|
||||
|
||||
if (params->openssl_ciphers &&
|
||||
SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"OpenSSL: Failed to set cipher string '%s'",
|
||||
params->openssl_ciphers);
|
||||
return -1;
|
||||
}
|
||||
|
||||
#ifdef SSL_OP_NO_TICKET
|
||||
if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
|
||||
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
|
||||
|
|
|
|||
Loading…
Reference in a new issue