SSL: remove unsafe ciphers and protocols from the default options.
Project: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/commit/68d21780 Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/tree/68d21780 Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/diff/68d21780 Branch: refs/heads/upstream Commit: 68d217805b2b683309169f4fec132ce293997cf1 Parents: 95c0c92 Author: Marc Worrell <[email protected]> Authored: Wed Oct 15 12:18:33 2014 +0200 Committer: Marc Worrell <[email protected]> Committed: Wed Oct 15 12:46:17 2014 +0200 ---------------------------------------------------------------------- src/mochiweb_socket.erl | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/blob/68d21780/src/mochiweb_socket.erl ----------------------------------------------------------------------
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index fff0b42..8cd074f 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -16,7 +16,8 @@ listen(Ssl, Port, Opts, SslOpts) ->
 case Ssl of
 true ->
 Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts),
- case ssl:listen(Port, Opts1) of
+ Opts2 = add_safe_protocol_versions(Opts1),
+ case ssl:listen(Port, Opts2) of
 {ok, ListenSocket} ->
 {ok, {ssl, ListenSocket}};
 {error, _} = Err ->
@@ -27,7 +28,8 @@ listen(Ssl, Port, Opts, SslOpts) ->
 end.

 add_unbroken_ciphers_default(Opts) ->
- Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, ssl:cipher_suites())),
+ Default = filter_unsecure_cipher_suites(ssl:cipher_suites()),
+ Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, Default)),
 [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].

 filter_broken_cipher_suites(Ciphers) ->
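Review bot: In `add_unbroken_ciphers_default/1` the new `filter_unsecure_cipher_suites/1` runs only on the fallback value, so a caller-supplied `ciphers` option still reaches `ssl:listen/2` with any `des_cbc` or `md5` suites it names; only `filter_broken_cipher_suites/1` is applied to it. That matches the commit title (defaults only), but nothing at the call site records the decision, so I would add a comment such as `%% Caller-supplied ciphers are passed through as given; only the OTP default list is pruned of insecure suites.` The same pass-through applies to a caller-supplied `versions` option in `add_safe_protocol_versions/1` in the later hunk. `Default` is also computed even when `ciphers` is present, which is harmless but could be skipped with a `proplists:is_defined(ciphers, Opts)` check like the one the later hunk uses for `versions`.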
@@ -40,6 +42,31 @@ filter_broken_cipher_suites(Ciphers) ->
 Ciphers
 end.

+filter_unsecure_cipher_suites(Ciphers) ->
+ lists:filter(fun
+ ({_,des_cbc,_}) -> false;
+ ({_,_,md5}) -> false;
+ (_) -> true
+ end,
+ Ciphers).
+
+add_safe_protocol_versions(Opts) ->
+ case proplists:is_defined(versions, Opts) of
+ true ->
+ Opts;
+ false ->
+ Versions = filter_unsafe_protcol_versions(proplists:get_value(available, ssl:versions())),
+ [{versions, Versions} | Opts]
+ end.
+
+filter_unsafe_protcol_versions(Versions) ->
+ lists:filter(fun
+ (sslv3) -> false;
+ (_) -> true
+ end,
+ Versions).
+
+
 accept({ssl, ListenSocket}) ->
 % There's a bug in ssl:transport_accept/2 at the moment, which is the
 % reason for the try...catch block. Should be fixed in OTP R14.
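Review bot: The deny-list in `filter_unsecure_cipher_suites/1` drops only `des_cbc` and MD5-MAC suites, so an RC4 suite with a SHA MAC (for example `{rsa, rc4_128, sha}`, if the running OTP release still returns it from `ssl:cipher_suites()`) stays in the default set. I would add a clause `({_,rc4_128,_}) -> false;` next to the `des_cbc` one, with a short comment on why each entry is excluded so the list can be extended later. In `add_safe_protocol_versions/1`, `proplists:get_value(available, ssl:versions())` yields `undefined` if that key is ever absent, and `lists:filter/2` would then crash inside `listen/4`; passing a default of `[]` or matching the result explicitly would make that failure mode deliberate. The helper name `filter_unsafe_protcol_versions` is misspelled at both its definition and its call site and should read `filter_unsafe_protocol_versions`.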
