diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c
index 07addc8c..744e0b1e 100644
--- a/src/Cedar/Admin.c
+++ b/src/Cedar/Admin.c
@@ -8281,14 +8281,7 @@ UINT StSetServerCipher(ADMIN *a, RPC_STR *t)
 StrUpper(t->String);
- if (CheckCipherListName(t->String) == false)
- {
- return ERR_CIPHER_NOT_SUPPORTED;
- }
- else
- {
- ALog(a, NULL, "LA_SET_SERVER_CIPHER", t->String);
- }
+ ALog(a, NULL, "LA_SET_SERVER_CIPHER", t->String);
 Lock(c->lock);
 {
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index e3e6921e..5685d93e 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -6054,10 +6054,7 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 if (CfgGetStr(f, "CipherName", tmp, sizeof(tmp)))
 {
 StrUpper(tmp);
- if (CheckCipherListName(tmp))
- {
- SetCedarCipherList(c, tmp);
- }
+ SetCedarCipherList(c, tmp);
 }
 // Traffic information
diff --git a/src/Cedar/Server.h b/src/Cedar/Server.h
index 41f2ccd0..58b31d4b 100644
--- a/src/Cedar/Server.h
+++ b/src/Cedar/Server.h
@@ -129,7 +129,9 @@
 #define SERVER_DEF_PORTS_INCLIENT_DYN_MAX 1999
 extern char *SERVER_CONFIG_FILE_NAME;
-#define SERVER_DEFAULT_CIPHER_NAME "AES128-SHA"
+// This is set to an invalid OpenSSL cipher specification by default.
+// The server will default to a list of sane and secure modern ciphers.
+#define SERVER_DEFAULT_CIPHER_NAME "~DEFAULT~"
 #define SERVER_DEFAULT_CERT_DAYS (365 * 10)
 #define SERVER_DEFAULT_HUB_NAME "DEFAULT"
 #define SERVER_DEFAULT_BRIDGE_NAME "BRIDGE"
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index b8a2ef26..b0fdda33 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
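Review bot: Dropping the CheckCipherListName() branch means StSetServerCipher now accepts and stores any string: an operator who mistypes a cipher spec gets a success reply, and the problem only surfaces at handshake time, where StartSSLEx silently substitutes DEFAULT_CIPHER_LIST. ERR_CIPHER_NOT_SUPPORTED still exists, so the request could be validated up front by passing t->String to SSL_CTX_set_cipher_list() on a throwaway SSL_CTX and returning that error on a zero result, before the ALog call. The same unconditional acceptance is introduced in SiLoadServerCfg in the Server.c hunk, where a rejected CipherName is stored without any log line. StSetServerCipher begins before this hunk and its body continues after it.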
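Review bot: With the whitelist gone, the config value now reaches OpenSSL as a free-form cipher specification, but the surviving StrUpper(tmp) call just above the change uppercases it first; as far as I recall OpenSSL's key-exchange and authentication aliases (kRSA, aRSA, kECDHE and friends) are case-sensitive, so a spec that uses them would be mangled into an invalid string and then silently replaced by DEFAULT_CIPHER_LIST. Either drop the StrUpper() call on this path (and the matching one on t->String in StSetServerCipher in the Admin.c hunk) or document on the CfgGetStr branch that only all-uppercase cipher names are supported, e.g. `// NOTE: StrUpper() breaks case-sensitive OpenSSL aliases such as kRSA; only uppercase specs survive`. SiLoadServerCfg starts and ends outside the hunk.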
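Review bot: The new comment on SERVER_DEFAULT_CIPHER_NAME says the server "will default to a list of sane and secure modern ciphers" but gives no pointer to where that happens, so a reader of Server.h cannot tell that the sentinel is rejected by SSL_set_cipher_list() in StartSSLEx and replaced by DEFAULT_CIPHER_LIST from Network.h; suggest `// Deliberately not a valid OpenSSL cipher string: SSL_set_cipher_list() rejects it in StartSSLEx(), which then falls back to DEFAULT_CIPHER_LIST (Network.h).` It is also worth stating there that any other invalid CipherName triggers the same fallback, since after this commit that is the only validation left.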
@@ -11136,27 +11136,6 @@ void FreeWaitThread()
 WaitThreadList = NULL;
 }
-// Check the cipher list name
-bool CheckCipherListName(char *name)
-{
- UINT i;
- // Validate arguments
- if (name == NULL)
- {
- return false;
- }
-
- for (i = 0;i < cipher_list_token->NumTokens;i++)
- {
- if (StrCmpi(cipher_list_token->Token[i], name) == 0)
- {
- return true;
- }
- }
-
- return false;
-}
-
 // Renewing the IP address of the DHCP server
 void RenewDhcp()
 {
@@ -12781,7 +12760,6 @@ bool SendAll(SOCK *sock, void *data, UINT size, bool secure)
 // Set the cipher algorithm name to want to use
 void SetWantToUseCipher(SOCK *sock, char *name)
 {
- char tmp[1024];
 // Validate arguments
 if (sock == NULL || name == NULL)
 {
@@ -12793,12 +12771,7 @@ void SetWantToUseCipher(SOCK *sock, char *name)
 Free(sock->WaitToUseCipher);
 }
- Zero(tmp, sizeof(tmp));
- StrCpy(tmp, sizeof(tmp), name);
- StrCat(tmp, sizeof(tmp), " ");
- StrCat(tmp, sizeof(tmp), cipher_list);
-
- sock->WaitToUseCipher = CopyStr(tmp);
+ sock->WaitToUseCipher = CopyStr(name);
 }
 // Add all the chain certificates in the chain_certs directory
@@ -13076,7 +13049,8 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 // Set the cipher algorithm name to want to use
 Lock(openssl_lock);
 {
- SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher);
+ if (SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher) == 0)
+ SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST);
 }
 Unlock(openssl_lock);
 }
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 870ef40f..64b7ad68 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -153,6 +153,7 @@ struct DYN_VALUE
 #define DEFAULT_GETIP_THREAD_MAX_NUM 64
 #endif // USE_STRATEGY_LOW_MEMORY
+#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
 // SSL logging function
 //#define ENABLE_SSL_LOGGING
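Review bot: SetWantToUseCipher previously appended the whole cipher_list after the requested name, so a single cipher name such as the former default "AES128-SHA" acted as a preference with every other known cipher kept as fallback; with CopyStr(name) the caller's string is now the entire cipher list. An installation whose persisted config still carries a single-cipher CipherName will, if that name is a valid OpenSSL spec, be narrowed to exactly that suite after upgrading, which looks like an unintended compatibility break rather than the "use defaults" behaviour the sentinel is meant to provide. If the narrowing is intended it deserves a comment on the assignment, e.g. `// name is the complete OpenSSL cipher spec; no fallback list is appended any more`; otherwise the decision whether to append a fallback list should be made explicitly here. This hunk covers only the tail of SetWantToUseCipher; the removed tmp declaration is in the preceding hunk.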
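Review bot: The fallback in StartSSLEx is silent and its own SSL_set_cipher_list() return is not checked: when the operator's cipher spec is rejected nothing is logged, and if DEFAULT_CIPHER_LIST itself failed to apply the handshake would proceed with OpenSSL's built-in defaults without any trace. Since this commit removes the only other validation (CheckCipherListName), this branch is now the one place where a bad CipherName can be reported, so a Debug() line naming the rejected spec is worth adding. The body should also be braced to match the file's style (every other if in these hunks is braced). StartSSLEx begins and ends outside the hunk.
```c
		if (SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher) == 0)
		{
			// The configured spec was rejected: report it so the fallback is not invisible to operators
			Debug("StartSSLEx: cipher list \"%s\" rejected by OpenSSL, falling back to DEFAULT_CIPHER_LIST\n", sock->WaitToUseCipher);
			if (SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST) == 0)
			{
				Debug("StartSSLEx: DEFAULT_CIPHER_LIST was rejected as well; OpenSSL defaults remain in effect\n");
			}
		}
```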
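Review bot: DEFAULT_CIPHER_LIST ends with RSA+AES, which admits static-RSA key exchange (no forward secrecy) and CBC-mode AES behind the ECDHE/DHE groups, while the Server.h comment describes the list as "sane and secure modern ciphers"; a comment above the define should record that the trailing group is a compatibility fallback and the trade-off it makes, e.g. `// RSA+AES: non-PFS static-RSA suites kept last for legacy clients; remove once they are no longer needed`. As far as I know the DHE+ entries are only offered if DH parameters are installed on the context, which these hunks do not show, so that assumption is worth noting in the same comment.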
@@ -1382,7 +1383,6 @@ void RenewDhcp();
 void AcceptInit(SOCK *s);
 void AcceptInitEx(SOCK *s, bool no_lookup_hostname);
 void DisableGetHostNameWhenAcceptInit();
-bool CheckCipherListName(char *name);
 TOKEN_LIST *GetCipherList();
 COUNTER *GetNumTcpConnectionsCounter();
 void InitWaitThread();