The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
--- Begin Message ---
I've revised the security options, and made them more uniform across the
ssl libraries.
- use only TLS 1.2 in server mode
- changed the ciphersuite ordering
Signed-off-by: Eneas U de Queiroz <cote2004-git...@yahoo.com>
---
ustream-mbedtls.c | 49 +++++++++++++++++++++++--------------------------
1 file changed, 23 insertions(+), 26 deletions(-)
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 9b22ad2..347c600 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,33 +86,28 @@ static int _urandom(void *ctx, unsigned char *out, size_t
len)
return 0;
}
-#define TLS_DEFAULT_CIPHERS \
- TLS_CIPHER(AES_128_GCM_SHA256) \
- TLS_CIPHER(AES_256_GCM_SHA384) \
- TLS_CIPHER(AES_128_CBC_SHA) \
- TLS_CIPHER(AES_256_CBC_SHA) \
- TLS_CIPHER(3DES_EDE_CBC_SHA)
-
-static const int default_ciphersuites_nodhe[] =
+#define AES_CIPHERS(v) \
+ MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384, \
+ MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+
+static const int default_ciphersuites_server[] =
{
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ AES_CIPHERS(ECDHE_ECDSA),
+ AES_CIPHERS(ECDHE_RSA),
+ AES_CIPHERS(RSA),
0
};
-static const int default_ciphersuites[] =
+static const int default_ciphersuites_client[] =
{
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_DHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ AES_CIPHERS(ECDHE_ECDSA),
+ AES_CIPHERS(ECDHE_RSA),
+ AES_CIPHERS(DHE_RSA),
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ AES_CIPHERS(RSA),
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
0
};
@@ -152,10 +147,12 @@ __ustream_ssl_context_new(bool server)
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
- if (server)
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
- else
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+ if (server) {
+ mbedtls_ssl_conf_ciphersuites(conf,
default_ciphersuites_server);
+ mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3);
+ } else
+ mbedtls_ssl_conf_ciphersuites(conf,
default_ciphersuites_client);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
--
2.16.4
--- End Message ---
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/listinfo/openwrt-devel
