--- Begin Message ---
I've revised the security options, and made them more uniform across the ssl libraries.
- use only TLS 1.2 in server mode
- changed the ciphersuite ordering

Signed-off-by: Eneas U de Queiroz <cote2004-git...@yahoo.com>
---
 ustream-mbedtls.c | 49 +++++++++++++++++++++++--------------------------
 1 file changed, 23 insertions(+), 26 deletions(-)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 9b22ad2..347c600 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,33 +86,28 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
 	return 0;
 }
 
-#define TLS_DEFAULT_CIPHERS \
-	TLS_CIPHER(AES_128_GCM_SHA256) \
-	TLS_CIPHER(AES_256_GCM_SHA384) \
-	TLS_CIPHER(AES_128_CBC_SHA) \
-	TLS_CIPHER(AES_256_CBC_SHA) \
-	TLS_CIPHER(3DES_EDE_CBC_SHA)
-
-static const int default_ciphersuites_nodhe[] =
+#define AES_CIPHERS(v) \
+	MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256, \
+	MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384, \
+	MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
+	MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+
+static const int default_ciphersuites_server[] =
 {
-#define TLS_CIPHER(v) \
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
-	MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
-	MBEDTLS_TLS_RSA_WITH_##v,
-	TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+	AES_CIPHERS(ECDHE_ECDSA),
+	AES_CIPHERS(ECDHE_RSA),
+	AES_CIPHERS(RSA),
 	0
 };
 
-static const int default_ciphersuites[] =
+static const int default_ciphersuites_client[] =
 {
-#define TLS_CIPHER(v) \
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
-	MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
-	MBEDTLS_TLS_DHE_RSA_WITH_##v, \
-	MBEDTLS_TLS_RSA_WITH_##v,
-	TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+	AES_CIPHERS(ECDHE_ECDSA),
+	AES_CIPHERS(ECDHE_RSA),
+	AES_CIPHERS(DHE_RSA),
+	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	AES_CIPHERS(RSA),
+	MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 	0
 };
 
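Review bot: Neither `default_ciphersuites_server` nor `default_ciphersuites_client` carries a comment recording the preference order the tables now encode, so a later edit can reorder entries without noticing that the order is deliberate; the commit message says the ordering was changed on purpose, and that belongs in the file. A header above `default_ciphersuites_server` along the lines of `/* preference order: ECDHE-ECDSA, ECDHE-RSA, (DHE-RSA, client list only), RSA; within each key exchange AEAD (GCM) before CBC; 3DES kept only in the client list */` would capture it. The old `default_ciphersuites_nodhe` name at least hinted that the server list intentionally omits DHE suites; the rename to `_server` loses that hint and the rationale is not stated anywhere in the hunk, so it should go into the same comment. `AES_CIPHERS(v)` is a reasonable helper, but its name undersells that it also fixes the GCM-before-CBC order rather than just grouping a cipher family.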
@@ -152,10 +147,12 @@ __ustream_ssl_context_new(bool server)
 	mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
 	mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
-	if (server)
-		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
-	else
-		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+	if (server) {
+		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
+		mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+					     MBEDTLS_SSL_MINOR_VERSION_3);
+	} else
+		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
 
 #if defined(MBEDTLS_SSL_CACHE_C)
 	mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
-- 
2.16.4
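Review bot: The `} else` arm after the new server block is left unbraced while the `if` arm is braced; with one arm braced, brace both so a later added statement cannot silently fall outside the branch: `} else {` / `mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);` / `}`. The `mbedtls_ssl_conf_min_version` floor (major 3, minor 3, i.e. TLS 1.2) is applied only on the server path, which matches the commit message, so the client side keeps whatever minimum the library build defaults to; since nothing in the hunk says whether that asymmetry is intended for compatibility with older peers, a one-line comment on the client branch such as `/* client keeps the library default minimum version; only the server is pinned to TLS 1.2 */` would stop the next reader from treating it as an oversight. `__ustream_ssl_context_new` begins and ends outside the hunk.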