-rw-r--r--ustream-mbedtls.c49
1 files changed, 23 insertions, 26 deletions
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 9b22ad2..347c600 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,33 +86,28 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
return 0;
}
-#define TLS_DEFAULT_CIPHERS \
- TLS_CIPHER(AES_128_GCM_SHA256) \
- TLS_CIPHER(AES_256_GCM_SHA384) \
- TLS_CIPHER(AES_128_CBC_SHA) \
- TLS_CIPHER(AES_256_CBC_SHA) \
- TLS_CIPHER(3DES_EDE_CBC_SHA)
-
-static const int default_ciphersuites_nodhe[] =
+#define AES_CIPHERS(v) \
+ MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384, \
+ MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+
+static const int default_ciphersuites_server[] =
{
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ AES_CIPHERS(ECDHE_ECDSA),
+ AES_CIPHERS(ECDHE_RSA),
+ AES_CIPHERS(RSA),
0
};
-static const int default_ciphersuites[] =
+static const int default_ciphersuites_client[] =
{
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_DHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ AES_CIPHERS(ECDHE_ECDSA),
+ AES_CIPHERS(ECDHE_RSA),
+ AES_CIPHERS(DHE_RSA),
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ AES_CIPHERS(RSA),
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
0
};
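Review bot: In `default_ciphersuites_client`, `MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA` is listed ahead of `AES_CIPHERS(RSA)`, so the client ranks a 64-bit-block 3DES suite above AES-GCM with RSA key exchange. A peer that honours client order and lacks the DHE AES suites could settle on 3DES although an AES suite was on offer. If 3DES has to stay for legacy servers, move both 3DES entries to the tail, directly before the terminating `0`, with a comment such as `/* 3DES kept last, only for peers without AES */`. The server list drops 3DES while the client list keeps it, and nothing in the hunk records why the two differ; a one-line comment above each array would settle that.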
@@ -152,10 +147,12 @@ __ustream_ssl_context_new(bool server)
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
- if (server)
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
- else
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+ if (server) {
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
+ mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3);
+ } else
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(conf, &ctx->cache,