From f69356b013d118f6f1e493a57bdc35bef6330cd1 Mon Sep 17 00:00:00 2001
From: corvid <devnull@localhost>
Date: Wed, 3 Sep 2014 22:17:07 +0000
Subject: a couple of quick https improvements

---
 dpi/https.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/dpi/https.c b/dpi/https.c
index e6d2b0e9..f0b4ec89 100644
--- a/dpi/https.c
+++ b/dpi/https.c
@@ -156,9 +156,11 @@ static void yes_ssl_support(void)
       }
    }
 
-   /* Do not use the SSLv2 protocol. */
+   /* Do not use the obsolete insecure SSLv2 protocol, and everyone disabled
+    * TLS compression when the CRIME exploit became widely known in 2012.
+    */
    if (exit_error == 0){
-      SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2);
+      SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2|SSL_OP_NO_COMPRESSION);
    }
 
    /*Set directory to load certificates from*/
@@ -188,10 +190,11 @@ static void yes_ssl_support(void)
    }
 
    if (exit_error == 0){
-      /* Need to do the following if we want to deal with all
-       * possible ciphers
+      /* Don't want: eNULL, which has no encryption; aNULL, which has no
+       * authentication; LOW, which as of 2014 use 64 or 56-bit encryption;
+       * EXPORT40, which uses 40-bit encryption.
        */
-      SSL_set_cipher_list(ssl_connection, "ALL");
+      SSL_CTX_set_cipher_list(ssl_context, "ALL:!aNULL:!eNULL:!LOW:!EXPORT40");
 
       /* Need to do this if we want to have the option of dealing
        * with self-signed certs
-- 
cgit v1.2.3