The branch, master has been updated
via a8bf9b05aa94392b391d6015ed037e5c241ab172 (commit)
from 7d4349035d7981067d26dc02f750a36a9adc52cd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a8bf9b05aa94392b391d6015ed037e5c241ab172
Author: John-Mark Bell <[email protected]>
Commit: John-Mark Bell <[email protected]>
HTTPS: restrict ciphersuites
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d37ce11..bf9d88b 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,6 +67,21 @@
/** maximum number of X509 certificates in chain for TLS connection */
#define MAX_CERTS 10
+/* the ciphersuites we are willing to use */
+#define CIPHER_LIST \
+ /* disable everything */ \
+ "-ALL:" \
+ /* enable TLSv1.2 PFS suites */ \
+ "EECDH+AES+TLSv1.2:EDH+AES+TLSv1.2:" \
+ /* enable PFS AES GCM suites */ \
+ "EECDH+AESGCM:EDH+AESGCM:" \
+ /* Enable PFS AES CBC suites */ \
+ "EECDH+AES:EDH+AES:" \
+ /* Enable non-PFS fallback suite */ \
+ "AES128-SHA:" \
+ /* Remove any PFS suites using weak DSA key exchange */ \
+ "-DSS"
+
/** SSL certificate info */
struct cert_info {
X509 *cert; /**< Pointer to certificate */
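Review bot: The comment `Enable non-PFS fallback suite` above `"AES128-SHA:"` overstates what its position at the end of the list buys: a client only advertises suites in preference order, and a server that applies its own preference (or takes the first match from its own list) may select RSA-key-exchange AES128-SHA even when it also supports the EECDH/EDH suites listed before it, so this is a permitted suite rather than a last resort. Suggest `/* non-PFS suite, kept so servers without EECDH/EDH still work; note the server may still prefer it */`. It would also help to state at the top of the macro that the string is OpenSSL cipher-list syntax and that a `-` token removes suites from the working list but later tokens can re-add them (unlike `!`), since placing `-ALL:` first and `-DSS` last relies on that. The same three hunks are listed again after the diffstat and the same points apply there.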
@@ -555,6 +570,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void
*parm)
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
+ /* Disable TLS1.2 ciphersuites */
+ SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
}
SSL_CTX_set_options(sslctx, options);
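Review bot: The return value of `SSL_CTX_set_cipher_list` on the added line is discarded; OpenSSL returns 0 when the string selects no ciphersuite (for example a build lacking ECDH or AES-GCM, or an unrecognised keyword) and leaves the context's previous cipher list untouched, so a downgraded connection would proceed with whatever list was installed before rather than the restricted one. Assuming this callback follows libcurl's ssl_ctx function signature and returns a CURLcode, `if (SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2") != 1) return CURLE_SSL_CIPHER;` makes the failure visible and aborts the fetch instead. The body of fetch_curl_sslctxfun starts and ends outside the hunk, and only the enclosing conditional's closing `}` is visible.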
@@ -1512,6 +1529,7 @@ nserror fetch_curl_register(void)
SETOPT(CURLOPT_LOW_SPEED_TIME, 180L);
SETOPT(CURLOPT_NOSIGNAL, 1L);
SETOPT(CURLOPT_CONNECTTIMEOUT, nsoption_uint(curl_fetch_timeout));
+ SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
if (nsoption_charp(ca_bundle) &&
strcmp(nsoption_charp(ca_bundle), "")) {
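Review bot: The new SETOPT line hands an OpenSSL-syntax cipher string to CURLOPT_SSL_CIPHER_LIST, which libcurl passes to whichever TLS backend it was built against; with a non-OpenSSL backend the string would be rejected or reinterpreted, leaving the handle either failing to register or with a looser policy than intended. A comment on that line, `/* CIPHER_LIST uses OpenSSL cipher-list syntax; only meaningful with an OpenSSL-backed libcurl */`, records the assumption, which the file's direct SSL_CTX_* calls suggest is already made elsewhere. Whether SETOPT checks the CURLcode it gets back cannot be seen from this hunk; fetch_curl_register's body continues outside it.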
-----------------------------------------------------------------------
Summary of changes:
content/fetchers/curl.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d37ce11..bf9d88b 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,6 +67,21 @@
/** maximum number of X509 certificates in chain for TLS connection */
#define MAX_CERTS 10
+/* the ciphersuites we are willing to use */
+#define CIPHER_LIST \
+ /* disable everything */ \
+ "-ALL:" \
+ /* enable TLSv1.2 PFS suites */ \
+ "EECDH+AES+TLSv1.2:EDH+AES+TLSv1.2:" \
+ /* enable PFS AES GCM suites */ \
+ "EECDH+AESGCM:EDH+AESGCM:" \
+ /* Enable PFS AES CBC suites */ \
+ "EECDH+AES:EDH+AES:" \
+ /* Enable non-PFS fallback suite */ \
+ "AES128-SHA:" \
+ /* Remove any PFS suites using weak DSA key exchange */ \
+ "-DSS"
+
/** SSL certificate info */
struct cert_info {
X509 *cert; /**< Pointer to certificate */
@@ -555,6 +570,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void
*parm)
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
+ /* Disable TLS1.2 ciphersuites */
+ SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
}
SSL_CTX_set_options(sslctx, options);
@@ -1512,6 +1529,7 @@ nserror fetch_curl_register(void)
SETOPT(CURLOPT_LOW_SPEED_TIME, 180L);
SETOPT(CURLOPT_NOSIGNAL, 1L);
SETOPT(CURLOPT_CONNECTTIMEOUT, nsoption_uint(curl_fetch_timeout));
+ SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
if (nsoption_charp(ca_bundle) &&
strcmp(nsoption_charp(ca_bundle), "")) {