AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2025-07-08 08:44:57 +03:00
Code Releases Activity

Allow specifying cipher suites instead of single ciphers (#343)

Browse Source 
* Allow specifying cipher suites instead of single ciphers.

CipherName now specifies all cipher suites instead of the
preferred cipher. This allows insecure ciphers like RC4 to
be permanently disabled, instead of being the default fallback
when the preferred cipher is unsupported.

CipherName is now left for OpenSSL to verify. Should it be
invalid, a secure default is used. The default CipherName setting
for new servers is one such invalid string: "~DEFAULT~". This
allows for future updates to change the default and the servers
can stay secure.

* Remove unused temporary variable.
This commit is contained in:
Guanzhong Chen
2018-02-07 15:13:41 -08:00
committed by Moataz Elmasry
parent 8cafa07d9c
commit 56c4582da8
5 changed files with 9 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/Mayaqua/Network.c
View File

@ -11136,27 +11136,6 @@ void FreeWaitThread()
WaitThreadList = NULL;
}
// Check the cipher list name
bool CheckCipherListName(char *name)
{
UINT i;
// Validate arguments
if (name == NULL)
{
return false;
}
for (i = 0;i < cipher_list_token->NumTokens;i++)
{
if (StrCmpi(cipher_list_token->Token[i], name) == 0)
{
return true;
}
}
return false;
}
// Renewing the IP address of the DHCP server
void RenewDhcp()
{
@ -12781,7 +12760,6 @@ bool SendAll(SOCK *sock, void *data, UINT size, bool secure)
// Set the cipher algorithm name to want to use
void SetWantToUseCipher(SOCK *sock, char *name)
{
char tmp[1024];
// Validate arguments
if (sock == NULL || name == NULL)
{
@ -12793,12 +12771,7 @@ void SetWantToUseCipher(SOCK *sock, char *name)
Free(sock->WaitToUseCipher);
}
Zero(tmp, sizeof(tmp));
StrCpy(tmp, sizeof(tmp), name);
StrCat(tmp, sizeof(tmp), " ");
StrCat(tmp, sizeof(tmp), cipher_list);
sock->WaitToUseCipher = CopyStr(tmp);
sock->WaitToUseCipher = CopyStr(name);
}
// Add all the chain certificates in the chain_certs directory
@ -13076,7 +13049,8 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
// Set the cipher algorithm name to want to use
Lock(openssl_lock);
{
SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher);
if (SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher) == 0)
SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST);
}
Unlock(openssl_lock);
}