Allow specifying cipher suites instead of single ciphers (#343)

* Allow specifying cipher suites instead of single ciphers. CipherName now specifies all cipher suites instead of the preferred cipher. This allows insecure ciphers like RC4 to be permanently disabled, instead of being the default fallback when the preferred cipher is unsupported. CipherName is now left for OpenSSL to verify. Should it be invalid, a secure default is used. The default CipherName setting for new servers is one such invalid string: "~DEFAULT~". This allows for future updates to change the default and the servers can stay secure. * Remove unused temporary variable.
2025-07-06 07:44:57 +03:00 · 2018-02-07 15:13:41 -08:00
parent 8cafa07d9c
commit 56c4582da8
5 changed files with 9 additions and 43 deletions
--- a/src/Cedar/Server.h
+++ b/src/Cedar/Server.h
@ -129,7 +129,9 @@
 #define	SERVER_DEF_PORTS_INCLIENT_DYN_MAX	1999

 extern char *SERVER_CONFIG_FILE_NAME;
-#define	SERVER_DEFAULT_CIPHER_NAME		"AES128-SHA"
+// This is set to an invalid OpenSSL cipher specification by default.
+// The server will default to a list of sane and secure modern ciphers.
+#define	SERVER_DEFAULT_CIPHER_NAME		"~DEFAULT~"
 #define	SERVER_DEFAULT_CERT_DAYS		(365 * 10)
 #define	SERVER_DEFAULT_HUB_NAME			"DEFAULT"
 #define	SERVER_DEFAULT_BRIDGE_NAME		"BRIDGE"