[LEDE-DEV] [PATCH 1/2] ustream-ssl: Enable ECDHE with OpenSSL and prefer it to the other suites.

Rosen Penev Fri, 30 Mar 2018 15:14:53 -0700

When used with LuCI, SSLlabs complains that Forward Secrecy is not enabled and 
thus caps the score to a B.


Signed-off-by: Rosen Penev <ros...@gmail.com>
---
 ustream-openssl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 83f6140..0f51b9d 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -49,6 +49,10 @@ __ustream_ssl_context_new(bool server)
                return NULL;
 
        SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
+#ifndef OPENSSL_NO_ECDH
+       SSL_CTX_set_ecdh_auto(c, 1);
+#endif
+       SSL_CTX_set_cipher_list(c, "ECDHE:ALL");
        SSL_CTX_set_quiet_shutdown(c, 1);
 
        return (void *) c;
-- 
2.16.3


_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH 1/2] ustream-ssl: Enable ECDHE with OpenSSL and prefer it to the other suites.

Reply via email to