a couple of quick https improvements

author: corvid <devnull@localhost> 2014-09-03 22:17:07 +0000
committer: corvid <devnull@localhost> 2014-09-03 22:17:07 +0000
commit: 0824591133ebfa5a360df92e22bdde0454f43b1d (patch)
tree: e2df1b819672c4fbdfb83093f70cb332e9f550de /dpi
parent: 089154b8ab3d8b6f36ca04284ce8f37bc17d9250 (diff)
1 files changed, 8 insertions, 5 deletions
diff --git a/dpi/https.c b/dpi/https.c
index e6d2b0e9..f0b4ec89 100644
--- a/dpi/https.c
+++ b/dpi/https.c
@@ -156,9 +156,11 @@ static void yes_ssl_support(void)
       }
    }
 
-   /* Do not use the SSLv2 protocol. */
+   /* Do not use the obsolete insecure SSLv2 protocol, and everyone disabled
+    * TLS compression when the CRIME exploit became widely known in 2012.
+    */
    if (exit_error == 0){
-      SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2);
+      SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2|SSL_OP_NO_COMPRESSION);
    }
 
    /*Set directory to load certificates from*/
@@ -188,10 +190,11 @@ static void yes_ssl_support(void)
    }
 
    if (exit_error == 0){
-      /* Need to do the following if we want to deal with all
-       * possible ciphers
+      /* Don't want: eNULL, which has no encryption; aNULL, which has no
+       * authentication; LOW, which as of 2014 use 64 or 56-bit encryption;
+       * EXPORT40, which uses 40-bit encryption.
        */
-      SSL_set_cipher_list(ssl_connection, "ALL");
+      SSL_CTX_set_cipher_list(ssl_context, "ALL:!aNULL:!eNULL:!LOW:!EXPORT40");
 
       /* Need to do this if we want to have the option of dealing
        * with self-signed certs
author	corvid <devnull@localhost>	2014-09-03 22:17:07 +0000
committer	corvid <devnull@localhost>	2014-09-03 22:17:07 +0000
commit	0824591133ebfa5a360df92e22bdde0454f43b1d (patch)
tree	e2df1b819672c4fbdfb83093f70cb332e9f550de /dpi
parent	089154b8ab3d8b6f36ca04284ce8f37bc17d9250 (diff)