Allow specifying cipher suites instead of single ciphers (#343)

* Allow specifying cipher suites instead of single ciphers.

CipherName now specifies all cipher suites instead of the
preferred cipher. This allows insecure ciphers like RC4 to
be permanently disabled, instead of being the default fallback
when the preferred cipher is unsupported.

CipherName is now left for OpenSSL to verify. Should it be
invalid, a secure default is used. The default CipherName setting
for new servers is one such invalid string: "~DEFAULT~". This
allows for future updates to change the default and the servers
can stay secure.

* Remove unused temporary variable.

src/Cedar/Admin.c

@@ -8281,14 +8281,7 @@ UINT StSetServerCipher(ADMIN *a, RPC_STR *t)
 
 	StrUpper(t->String);
 
-	if (CheckCipherListName(t->String) == false)
-	{
-		return ERR_CIPHER_NOT_SUPPORTED;
-	}
-	else
-	{
-		ALog(a, NULL, "LA_SET_SERVER_CIPHER", t->String);
-	}
+	ALog(a, NULL, "LA_SET_SERVER_CIPHER", t->String);
 
 	Lock(c->lock);
 	{

src/Cedar/Server.c

@@ -6054,10 +6054,7 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 		if (CfgGetStr(f, "CipherName", tmp, sizeof(tmp)))
 		{
 			StrUpper(tmp);
-			if (CheckCipherListName(tmp))
-			{
-				SetCedarCipherList(c, tmp);
-			}
+			SetCedarCipherList(c, tmp);
 		}
 
 		// Traffic information

src/Cedar/Server.h

@@ -129,7 +129,9 @@
 #define	SERVER_DEF_PORTS_INCLIENT_DYN_MAX	1999
 
 extern char *SERVER_CONFIG_FILE_NAME;
-#define	SERVER_DEFAULT_CIPHER_NAME		"AES128-SHA"
+// This is set to an invalid OpenSSL cipher specification by default.
+// The server will default to a list of sane and secure modern ciphers.
+#define	SERVER_DEFAULT_CIPHER_NAME		"~DEFAULT~"
 #define	SERVER_DEFAULT_CERT_DAYS		(365 * 10)
 #define	SERVER_DEFAULT_HUB_NAME			"DEFAULT"
 #define	SERVER_DEFAULT_BRIDGE_NAME		"BRIDGE"

src/Mayaqua/Network.c

@@ -11136,27 +11136,6 @@ void FreeWaitThread()
 	WaitThreadList = NULL;
 }
 
-// Check the cipher list name
-bool CheckCipherListName(char *name)
-{
-	UINT i;
-	// Validate arguments
-	if (name == NULL)
-	{
-		return false;
-	}
-
-	for (i = 0;i < cipher_list_token->NumTokens;i++)
-	{
-		if (StrCmpi(cipher_list_token->Token[i], name) == 0)
-		{
-			return true;
-		}
-	}
-
-	return false;
-}
-
 // Renewing the IP address of the DHCP server
 void RenewDhcp()
 {
@@ -12781,7 +12760,6 @@ bool SendAll(SOCK *sock, void *data, UINT size, bool secure)
 // Set the cipher algorithm name to want to use
 void SetWantToUseCipher(SOCK *sock, char *name)
 {
-	char tmp[1024];
 	// Validate arguments
 	if (sock == NULL || name == NULL)
 	{
@@ -12793,12 +12771,7 @@ void SetWantToUseCipher(SOCK *sock, char *name)
 		Free(sock->WaitToUseCipher);
 	}
 
-	Zero(tmp, sizeof(tmp));
-	StrCpy(tmp, sizeof(tmp), name);
-	StrCat(tmp, sizeof(tmp), " ");
-	StrCat(tmp, sizeof(tmp), cipher_list);
-
-	sock->WaitToUseCipher = CopyStr(tmp);
+	sock->WaitToUseCipher = CopyStr(name);
 }
 
 // Add all the chain certificates in the chain_certs directory
@@ -13076,7 +13049,8 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 		// Set the cipher algorithm name to want to use
 		Lock(openssl_lock);
 		{
-			SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher);
+			if (SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher) == 0)
+				SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST);
 		}
 		Unlock(openssl_lock);
 	}

src/Mayaqua/Network.h

@@ -153,6 +153,7 @@ struct DYN_VALUE
 #define	DEFAULT_GETIP_THREAD_MAX_NUM		64
 #endif	// USE_STRATEGY_LOW_MEMORY
 
+#define	DEFAULT_CIPHER_LIST			"ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
 
 // SSL logging function
 //#define	ENABLE_SSL_LOGGING
@@ -1382,7 +1383,6 @@ void RenewDhcp();
 void AcceptInit(SOCK *s);
 void AcceptInitEx(SOCK *s, bool no_lookup_hostname);
 void DisableGetHostNameWhenAcceptInit();
-bool CheckCipherListName(char *name);
 TOKEN_LIST *GetCipherList();
 COUNTER *GetNumTcpConnectionsCounter();
 void InitWaitThread();