Allow specifying cipher suites instead of single ciphers (#343)
* Allow specifying cipher suites instead of single ciphers. CipherName now specifies all cipher suites instead of the preferred cipher. This allows insecure ciphers like RC4 to be permanently disabled, instead of being the default fallback when the preferred cipher is unsupported. CipherName is now left for OpenSSL to verify. Should it be invalid, a secure default is used. The default CipherName setting for new servers is one such invalid string: "~DEFAULT~". This allows for future updates to change the default and the servers can stay secure. * Remove unused temporary variable.
committed by
Moataz Elmasry
parent
8cafa07d9c
commit
56c4582da8
@ -11136,27 +11136,6 @@ void FreeWaitThread()
|
||||
WaitThreadList = NULL;
|
||||
}
|
||||
|
||||
// Check the cipher list name
|
||||
bool CheckCipherListName(char *name)
|
||||
{
|
||||
UINT i;
|
||||
// Validate arguments
|
||||
if (name == NULL)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
for (i = 0;i < cipher_list_token->NumTokens;i++)
|
||||
{
|
||||
if (StrCmpi(cipher_list_token->Token[i], name) == 0)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// Renewing the IP address of the DHCP server
|
||||
void RenewDhcp()
|
||||
{
|
||||
@ -12781,7 +12760,6 @@ bool SendAll(SOCK *sock, void *data, UINT size, bool secure)
|
||||
// Set the cipher algorithm name to want to use
|
||||
void SetWantToUseCipher(SOCK *sock, char *name)
|
||||
{
|
||||
char tmp[1024];
|
||||
// Validate arguments
|
||||
if (sock == NULL || name == NULL)
|
||||
{
|
||||
@ -12793,12 +12771,7 @@ void SetWantToUseCipher(SOCK *sock, char *name)
|
||||
Free(sock->WaitToUseCipher);
|
||||
}
|
||||
|
||||
Zero(tmp, sizeof(tmp));
|
||||
StrCpy(tmp, sizeof(tmp), name);
|
||||
StrCat(tmp, sizeof(tmp), " ");
|
||||
StrCat(tmp, sizeof(tmp), cipher_list);
|
||||
|
||||
sock->WaitToUseCipher = CopyStr(tmp);
|
||||
sock->WaitToUseCipher = CopyStr(name);
|
||||
}
|
||||
|
||||
// Add all the chain certificates in the chain_certs directory
|
||||
@ -13076,7 +13049,8 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
|
||||
// Set the cipher algorithm name to want to use
|
||||
Lock(openssl_lock);
|
||||
{
|
||||
SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher);
|
||||
if (SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher) == 0)
|
||||
SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST);
|
||||
}
|
||||
Unlock(openssl_lock);
|
||||
}
|
||||
|
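Review bot: The new fallback in StartSSLEx is both silent and unchecked: when `SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher)` returns 0 the configured CipherName is replaced by DEFAULT_CIPHER_LIST with no log line, and the return value of the second `SSL_set_cipher_list` call is discarded, so if the default list is itself rejected (an OpenSSL build that has none of those suites) the handshake quietly proceeds with whatever list the SSL object already had. Since the description says new servers ship the intentionally invalid "~DEFAULT~", an unconditional log would fire on every default install; logging only when the configured string differs from that sentinel, or at least a comment such as `// CipherName is validated by OpenSSL only; on rejection (including the "~DEFAULT~" placeholder) DEFAULT_CIPHER_LIST applies`, would keep a typo in an operator-supplied list from going unnoticed. The fallback call should be checked as well, e.g. `if (SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST) == 0) { /* report: no usable cipher list */ }`, and the new `if` body should be braced like every other conditional in the surrounding code. StartSSLEx's body begins and ends outside this hunk, so the error path available there is not visible here.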
@ -153,6 +153,7 @@ struct DYN_VALUE
|
||||
#define DEFAULT_GETIP_THREAD_MAX_NUM 64
|
||||
#endif // USE_STRATEGY_LOW_MEMORY
|
||||
|
||||
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
|
||||
|
||||
// SSL logging function
|
||||
//#define ENABLE_SSL_LOGGING
|
||||
@ -1382,7 +1383,6 @@ void RenewDhcp();
|
||||
void AcceptInit(SOCK *s);
|
||||
void AcceptInitEx(SOCK *s, bool no_lookup_hostname);
|
||||
void DisableGetHostNameWhenAcceptInit();
|
||||
bool CheckCipherListName(char *name);
|
||||
TOKEN_LIST *GetCipherList();
|
||||
COUNTER *GetNumTcpConnectionsCounter();
|
||||
void InitWaitThread();
|
||||
|
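Review bot: DEFAULT_CIPHER_LIST is introduced without a comment saying what it is for, and its trailing `RSA+AES` group admits static-RSA key exchange (OpenSSL's `RSA` alias matches key exchange as well as authentication), i.e. suites without forward secrecy, which sits oddly with the "secure default" the description promises. If that tail is only meant as a last-resort compatibility group, a comment should say so; otherwise appending `:!kRSA` (or dropping the group) keeps the fallback forward-secret only, and a line such as `// Fallback cipher list applied by StartSSLEx when OpenSSL rejects the configured CipherName` next to the define would document its role. The prototype removal in the `@ -1382` hunk is consistent with the function deleted from the .c file and needs no change.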