nickva commented on a change in pull request #5:
URL: https://github.com/apache/couchdb-mochiweb/pull/5#discussion_r643246804



##########
File path: src/mochiweb_socket.erl
##########
@@ -29,11 +29,37 @@ listen(Ssl, Port, Opts, SslOpts) ->
             gen_tcp:listen(Port, Opts)
     end.
 
+-ifdef(new_crypto_unavailable).
 add_unbroken_ciphers_default(Opts) ->
     Default = filter_unsecure_cipher_suites(ssl:cipher_suites()),
     Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, 
Default)),
     [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
 
+%% Filter old map style cipher suites
+filter_unsecure_cipher_suites(Ciphers) ->
+    lists:filter(fun
+                    ({_,des_cbc,_}) -> false;
+                    ({_,_,md5}) -> false;
+                    (_) -> true
+                 end,
+                 Ciphers).
+
+-else.
+add_unbroken_ciphers_default(Opts) ->
+    %% add_safe_protocol_versions/1 must have been called to ensure a 
{versions, _} tuple is present
+    Versions = proplists:get_value(versions, Opts),
+    CipherSuites = lists:append([ssl:cipher_suites(all, Version) || Version <- 
Versions]),
+    Default = filter_unsecure_cipher_suites(CipherSuites),
+    Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, 
Default)),
+    [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
+
+%% Filter new map style cipher suites
+filter_unsecure_cipher_suites(Ciphers) ->
+    ssl:filter_cipher_suites(Ciphers, [{key_exchange, fun(des_cbc) -> false; 
(_) -> true end},
+                                        {mac, fun(md5) -> false; (_) -> true 
end}]).
+
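Review bot: In the new-style `filter_unsecure_cipher_suites/1`, `des_cbc` is tested under the `key_exchange` filter, but it is a cipher name, so that fun can never return false. The DES-CBC suites that the old `{_,des_cbc,_}` clause dropped (cipher position of the tuple) therefore appear to stay in the default list. The entry should filter on the cipher instead: `{cipher, fun(des_cbc) -> false; (_) -> true end},`. Separately, `proplists:get_value(versions, Opts)` yields `undefined` when the option is absent, and the comprehension then fails with an opaque bad-generator error; an assertive match on the list would make the precondition in the comment explicit. The `-else` branch is still open where the quoted hunk ends, so the `-endif` and any later lines are not visible here.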

Review comment:
      Minor nit, let's improve indentation a bit. Perhaps something like this:
   
   ```erlang
   ssl:filter_cipher_suites(Ciphers, [
       {key_exchange, fun(des_cbc) -> false; (_) -> true end},
       {mac, fun(md5) -> false; (_) -> true end}
   ]).
   ```



