Re: httpd: allow for longer "tls ciphers"

2018-08-18 Thread Sebastian Benoit
I'm ok with it

Jasper Lievisse Adriaanse(jas...@openbsd.org) on 2018.08.17 21:21:25 +0200:
> Hi,
> 
> The current limit on 'tls ciphers' is 255 characters which prevents using
> the cipher list as recommended by 
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
> for example (clocks in just shy of 300 characters).
> 
>   tls ciphers 
> "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> 
> results in a "ciphers too long" error.
> 
> I'm aware that 'secure' and 'compat' are available too, but perhaps
> we can increase the limit a bit?
> 
> Cheers,
> Jasper
> 
> Index: httpd.h
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> retrieving revision 1.138
> diff -u -p -r1.138 httpd.h
> --- httpd.h   20 Jun 2018 16:43:05 -  1.138
> +++ httpd.h   17 Aug 2018 12:42:37 -
> @@ -60,7 +60,7 @@
>  #define HTTPD_LOGVIS VIS_NL|VIS_TAB|VIS_CSTYLE
>  #define HTTPD_TLS_CERT   "/etc/ssl/server.crt"
>  #define HTTPD_TLS_KEY"/etc/ssl/private/server.key"
> -#define HTTPD_TLS_CONFIG_MAX 255
> +#define HTTPD_TLS_CONFIG_MAX 512
>  #define HTTPD_TLS_CIPHERS"compat"
>  #define HTTPD_TLS_DHE_PARAMS "none"
>  #define HTTPD_TLS_ECDHE_CURVES   "default"
> 
> -- 
> jasper
> 



httpd: allow for longer "tls ciphers"

2018-08-17 Thread Jasper Lievisse Adriaanse
Hi,

The current limit on 'tls ciphers' is 255 characters which prevents using
the cipher list as recommended by 
https://mozilla.github.io/server-side-tls/ssl-config-generator/
for example (clocks in just shy of 300 characters).

tls ciphers 
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

results in a "ciphers too long" error.

I'm aware that 'secure' and 'compat' are available too, but perhaps
we can increase the limit a bit?

Cheers,
Jasper

Index: httpd.h
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.138
diff -u -p -r1.138 httpd.h
--- httpd.h 20 Jun 2018 16:43:05 -  1.138
+++ httpd.h 17 Aug 2018 12:42:37 -
@@ -60,7 +60,7 @@
 #define HTTPD_LOGVIS   VIS_NL|VIS_TAB|VIS_CSTYLE
 #define HTTPD_TLS_CERT "/etc/ssl/server.crt"
 #define HTTPD_TLS_KEY  "/etc/ssl/private/server.key"
-#define HTTPD_TLS_CONFIG_MAX   255
+#define HTTPD_TLS_CONFIG_MAX   512
 #define HTTPD_TLS_CIPHERS  "compat"
 #define HTTPD_TLS_DHE_PARAMS   "none"
 #define HTTPD_TLS_ECDHE_CURVES "default"
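Review bot: the hunk only raises HTTPD_TLS_CONFIG_MAX from 255 to 512, while the check that produces "ciphers too long" and the buffers the cipher string is copied into live in other files not touched here; before committing, confirm that every fixed-size field holding a tls ciphers, dhe params or ecdhe curves value is declared with HTTPD_TLS_CONFIG_MAX rather than a hard-coded 255, and that the length comparison behind "ciphers too long" uses the same macro, otherwise the limit moves for the check but not for the storage. The generic name suggests the constant also bounds the other tls strings whose defaults sit beside it, so the commit message should say those grow to 512 as well. 512 leaves comfortable headroom over the roughly 300-character list that motivated the change.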

-- 
jasper
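To make the limit concrete, here is an added stand-alone model of a bounded "tls ciphers" check (example code, not httpd's parser): it runs the Mozilla list quoted above against the old and new HTTPD_TLS_CONFIG_MAX values, and additionally rejects malformed lists. The per-token character rule is an assumption of this example, not something httpd is known to enforce.

```c
/* Added example, not httpd's own code: a bounded "tls ciphers" check
 * modelled on strlcpy semantics (max-1 characters plus NUL), exercised
 * with the cipher list from the thread under the old and new limits. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HTTPD_TLS_CONFIG_MAX_OLD	255
#define HTTPD_TLS_CONFIG_MAX_NEW	512

/* The list quoted in the thread: ten suites, 273 characters in total. */
static const char mozilla_ciphers[] =
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";

/* Returns the number of cipher-suite tokens if `ciphers` fits a buffer of
 * `max` bytes and every colon-separated token is non-empty and made of
 * [A-Za-z0-9-] (assumed rule). Returns -1 when the string would be
 * truncated ("ciphers too long") and -2 when the list is malformed. */
int
check_tls_ciphers(const char *ciphers, size_t max)
{
	size_t	 len = strlen(ciphers), i, toklen = 0;
	int	 ntok = 0;

	if (len >= max)		/* no room for the terminating NUL */
		return (-1);
	for (i = 0; i <= len; i++) {
		if (ciphers[i] == ':' || ciphers[i] == '\0') {
			if (toklen == 0)	/* empty token, e.g. "A::B" */
				return (-2);
			ntok++;
			toklen = 0;
		} else if (isalnum((unsigned char)ciphers[i]) ||
		    ciphers[i] == '-')
			toklen++;
		else
			return (-2);
	}
	return (ntok);
}

int
main(void)
{
	printf("limit 255: %d\n",
	    check_tls_ciphers(mozilla_ciphers, HTTPD_TLS_CONFIG_MAX_OLD));
	printf("limit 512: %d\n",
	    check_tls_ciphers(mozilla_ciphers, HTTPD_TLS_CONFIG_MAX_NEW));
	return (0);
}
```

With the old limit the list is rejected (-1); with the new one it is accepted and counts ten suites.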