diff options
Diffstat (limited to 'ustream-openssl.c')
-rw-r--r-- | ustream-openssl.c | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/ustream-openssl.c b/ustream-openssl.c index 3810d6a..b2df362 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -22,14 +22,16 @@ #include "ustream-ssl.h" #include "ustream-internal.h" - /* Ciphersuite preference: - * - key exchange: prefer ECDHE, then DHE(client only), then RSA - * - prefer AEAD ciphers: + * - for server, no weak ciphers are used if you use an ECDSA key. + * - forward-secret (pfs), authenticated (AEAD) ciphers are at the top: * chacha20-poly1305, the fastest in software, 256-bits * aes128-gcm, 128-bits * aes256-gcm, 256-bits - * - CBC ciphers + * - key exchange: prefer ECDHE, then DHE (client only) + * - forward-secret ECDSA CBC ciphers (client-only) + * - forward-secret RSA CBC ciphers + * - non-pfs ciphers * aes128, aes256, 3DES(client only) */ @@ -38,32 +40,38 @@ "TLS13-CHACHA20-POLY1305-SHA256:" \ "TLS13-AES128-GCM-SHA256:" \ "TLS13-AES256-GCM-SHA384:" \ - ecdhe_ciphers + ecdhe_aead_ciphers #else # define tls13_ciphersuites "TLS_CHACHA20_POLY1305_SHA256:" \ "TLS_AES_128_GCM_SHA256:" \ "TLS_AES_256_GCM_SHA384" # define top_ciphers \ - ecdhe_ciphers + ecdhe_aead_ciphers #endif -#define ecdhe_ciphers \ +#define ecdhe_aead_ciphers \ "ECDHE-ECDSA-CHACHA20-POLY1305:" \ "ECDHE-ECDSA-AES128-GCM-SHA256:" \ "ECDHE-ECDSA-AES256-GCM-SHA384:" \ - "ECDHE-ECDSA-AES128-SHA:" \ - "ECDHE-ECDSA-AES256-SHA:" \ "ECDHE-RSA-CHACHA20-POLY1305:" \ "ECDHE-RSA-AES128-GCM-SHA256:" \ - "ECDHE-RSA-AES256-GCM-SHA384:" \ - "ECDHE-RSA-AES128-SHA:" \ - "ECDHE-RSA-AES256-SHA" + "ECDHE-RSA-AES256-GCM-SHA384" -#define dhe_ciphers \ +#define dhe_aead_ciphers \ "DHE-RSA-CHACHA20-POLY1305:" \ "DHE-RSA-AES128-GCM-SHA256:" \ - "DHE-RSA-AES256-GCM-SHA384:" \ + "DHE-RSA-AES256-GCM-SHA384" + +#define ecdhe_ecdsa_cbc_ciphers \ + "ECDHE-ECDSA-AES128-SHA:" \ + "ECDHE-ECDSA-AES256-SHA" + +#define ecdhe_rsa_cbc_ciphers \ + "ECDHE-RSA-AES128-SHA:" \ + "ECDHE-RSA-AES256-SHA" + +#define dhe_cbc_ciphers \ "DHE-RSA-AES128-SHA:" \ "DHE-RSA-AES256-SHA:" \ "DHE-DES-CBC3-SHA" @@ -76,11 +84,15 @@ #define server_cipher_list \ top_ciphers ":" \ + ecdhe_rsa_cbc_ciphers ":" \ non_pfs_aes #define client_cipher_list \ top_ciphers ":" \ - dhe_ciphers ":" \ + dhe_aead_ciphers ":" \ + ecdhe_ecdsa_cbc_ciphers ":" \ + ecdhe_rsa_cbc_ciphers ":" \ + dhe_cbc_ciphers ":" \ non_pfs_aes ":" \ "DES-CBC3-SHA" |