diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c
index f0908f47..5be71b17 100644
--- a/src/Cedar/Admin.c
+++ b/src/Cedar/Admin.c
@@ -8280,14 +8280,7 @@ UINT StSetServerCipher(ADMIN *a, RPC_STR *t)
 StrUpper(t->String);
- if (CheckCipherListName(t->String) == false)
- {
- return ERR_CIPHER_NOT_SUPPORTED;
- }
- else
- {
- ALog(a, NULL, "LA_SET_SERVER_CIPHER", t->String);
- }
+ ALog(a, NULL, "LA_SET_SERVER_CIPHER", t->String);
 Lock(c->lock);
 {
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index 191fc147..e8ead553 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -6047,10 +6047,7 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 if (CfgGetStr(f, "CipherName", tmp, sizeof(tmp)))
 {
 StrUpper(tmp);
- if (CheckCipherListName(tmp))
- {
- SetCedarCipherList(c, tmp);
- }
+ SetCedarCipherList(c, tmp);
 }
 // Traffic information
diff --git a/src/Cedar/Server.h b/src/Cedar/Server.h
index 547df580..9bf23e4b 100644
--- a/src/Cedar/Server.h
+++ b/src/Cedar/Server.h
@@ -129,7 +129,9 @@
 #define SERVER_DEF_PORTS_INCLIENT_DYN_MAX 1999
 extern char *SERVER_CONFIG_FILE_NAME;
-#define SERVER_DEFAULT_CIPHER_NAME "RC4-MD5"
+// This is set to an invalid OpenSSL cipher specification by default.
+// The server will default to a list of sane and secure modern ciphers.
+#define SERVER_DEFAULT_CIPHER_NAME "~DEFAULT~"
 #define SERVER_DEFAULT_CERT_DAYS (365 * 10)
 #define SERVER_DEFAULT_HUB_NAME "DEFAULT"
 #define SERVER_DEFAULT_BRIDGE_NAME "BRIDGE"
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 41d69cce..bc1c4050 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
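Review bot: Dropping the CheckCipherListName() guard also drops the ERR_CIPHER_NOT_SUPPORTED return, so StSetServerCipher now accepts, logs and stores any string the admin sends; the only remaining check is SSL_set_cipher_list() in StartSSLEx (Network.c hunk), which silently swaps in DEFAULT_CIPHER_LIST at handshake time, so a mistyped cipher string is never reported back to the operator. The same unchecked pass-through appears in SiLoadServerCfg (Server.c hunk). Validation can stay here without the old hard-coded name table: a small helper in Network.c that creates a throwaway SSL_CTX, returns whether SSL_CTX_set_cipher_list() accepts the string, and frees the context, called before ALog() so the existing error path `return ERR_CIPHER_NOT_SUPPORTED;` is kept. StSetServerCipher's body starts and ends outside the hunk.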
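Review bot: SetCedarCipherList() is now called with the configured CipherName unconditionally, and because SetWantToUseCipher() (Network.c hunk) no longer appends the built-in list, that string becomes the complete cipher list rather than a preferred suite placed ahead of it. Configuration files written by earlier builds presumably still carry the old default "RC4-MD5" (the value removed in the Server.h hunk); on an OpenSSL build where RC4 is still compiled in, SSL_set_cipher_list() accepts it and an upgraded server would be restricted to RC4-MD5 alone, a weaker position than before the change, while only builds that reject it reach the DEFAULT_CIPHER_LIST fallback. Consider treating the legacy default as "use defaults" here, e.g. `if (StrCmpi(tmp, "RC4-MD5") != 0) { SetCedarCipherList(c, tmp); }` or rewriting it to SERVER_DEFAULT_CIPHER_NAME before the call, and stating in a comment that the value is passed to OpenSSL verbatim. SiLoadServerCfg continues outside the hunk.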
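Review bot: The new comment says the value is an invalid cipher specification but not what makes it invalid or where that is relied on, which invites a later "fix" to a real cipher name that would silently change the default policy. Suggest making both explicit: `// "~" is not a legal character in an OpenSSL cipher string, so SSL_set_cipher_list() rejects this value` followed by `// and StartSSLEx() (Network.c) falls back to DEFAULT_CIPHER_LIST; keep the two in sync.` This sentinel is also what new config files will store and presumably what management clients reading the server cipher name receive, so anything displaying it should expect a non-cipher string.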
@@ -11134,27 +11134,6 @@ void FreeWaitThread()
 WaitThreadList = NULL;
 }
-// Check the cipher list name
-bool CheckCipherListName(char *name)
-{
- UINT i;
- // Validate arguments
- if (name == NULL)
- {
- return false;
- }
-
- for (i = 0;i < cipher_list_token->NumTokens;i++)
- {
- if (StrCmpi(cipher_list_token->Token[i], name) == 0)
- {
- return true;
- }
- }
-
- return false;
-}
-
 // Renewing the IP address of the DHCP server
 void RenewDhcp()
 {
@@ -12783,12 +12762,7 @@ void SetWantToUseCipher(SOCK *sock, char *name)
 Free(sock->WaitToUseCipher);
 }
-Zero(tmp, sizeof(tmp));
- StrCpy(tmp, sizeof(tmp), name);
- StrCat(tmp, sizeof(tmp), " ");
- StrCat(tmp, sizeof(tmp), cipher_list);
-
- sock->WaitToUseCipher = CopyStr(tmp);
+ sock->WaitToUseCipher = CopyStr(name);
 }
 // Add all the chain certificates in the chain_certs directory
@@ -13062,7 +13036,8 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 // Set the cipher algorithm name to want to use
 Lock(openssl_lock);
 {
- SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher);
+ if (SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher) == 0)
+ SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST);
 }
 Unlock(openssl_lock);
 }
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index b2f42381..a8090ebd 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -153,6 +153,7 @@ struct DYN_VALUE
 #define DEFAULT_GETIP_THREAD_MAX_NUM 64
 #endif // USE_STRATEGY_LOW_MEMORY
+#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
 // SSL logging function
 //#define ENABLE_SSL_LOGGING
@@ -1379,7 +1380,6 @@ void RenewDhcp();
 void AcceptInit(SOCK *s);
 void AcceptInitEx(SOCK *s, bool no_lookup_hostname);
 void DisableGetHostNameWhenAcceptInit();
-bool CheckCipherListName(char *name);
 TOKEN_LIST *GetCipherList();
 COUNTER *GetNumTcpConnectionsCounter();
 void InitWaitThread();
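Review bot: With the concatenation gone, the `tmp` buffer the removed lines used is no longer referenced by this function, and `cipher_list` is no longer referenced from here either; their declarations sit above the hunk and, if nothing else uses them, should go with this change to avoid an unused-variable warning. The contract also changed: `name` is now stored verbatim and becomes the whole cipher list OpenSSL sees, not a preference placed ahead of the built-in list, which deserves a comment at the assignment, e.g. `// Stored verbatim; StartSSLEx() hands it to SSL_set_cipher_list() and falls back to DEFAULT_CIPHER_LIST if OpenSSL rejects it.` SetWantToUseCipher starts outside the hunk.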
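Review bot: The fallback call's return value is ignored and nothing records that the configured string was rejected, so an operator who set a cipher list gets DEFAULT_CIPHER_LIST instead with no trace in the logs, and if the second call also fails the handshake proceeds with whatever list the SSL object already had. Suggest logging the rejection and checking the second call as below; whether a double failure should abort the handshake depends on the cleanup path of StartSSLEx, which begins and ends outside the hunk.
```c
		if (SSL_set_cipher_list(sock->ssl, sock->WaitToUseCipher) == 0)
		{
			// Configured value is not a valid OpenSSL cipher string (the expected
			// path for SERVER_DEFAULT_CIPHER_NAME); fall back to the built-in list.
			Debug("StartSSLEx: cipher list \"%s\" rejected by OpenSSL, using DEFAULT_CIPHER_LIST\n", sock->WaitToUseCipher);
			if (SSL_set_cipher_list(sock->ssl, DEFAULT_CIPHER_LIST) == 0)
			{
				Debug("StartSSLEx: DEFAULT_CIPHER_LIST rejected by OpenSSL as well\n");
			}
		}
```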
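Review bot: DEFAULT_CIPHER_LIST has no comment saying what it is for, and placing it directly above the unrelated "// SSL logging function" comment makes it read as part of that group; add a blank line and a one-line purpose comment such as `// Cipher list applied by StartSSLEx() when the configured string is rejected by OpenSSL (see SERVER_DEFAULT_CIPHER_NAME in Cedar/Server.h).` A second line on policy is worth having: the trailing `RSA+AES` admits non-forward-secret RSA key exchange after the ECDHE/DHE entries, so if it is kept for legacy-client compatibility, say so, and it can later be dropped in one place.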