
[6861] cherokee/trunk: New default for libssl ciphers: HIGH:!ADH:!MD5
Revision: 6861
http://svn.cherokee-project.com/changeset/6861
Author: alo
Date: 2011-09-18 14:59:37 +0200 (Sun, 18 Sep 2011)
Log Message:
-----------
New default for libssl ciphers: HIGH:!ADH:!MD5

Modified Paths:
--------------
cherokee/trunk/admin/PageVServer.py
cherokee/trunk/cherokee/cryptor.h
cherokee/trunk/cherokee/virtual_server.c

Modified: cherokee/trunk/admin/PageVServer.py
===================================================================
--- cherokee/trunk/admin/PageVServer.py 2011-09-17 14:51:50 UTC (rev 6860)
+++ cherokee/trunk/admin/PageVServer.py 2011-09-18 12:59:37 UTC (rev 6861)
@@ -45,7 +45,7 @@
NOTE_CERT = N_('This directive points to the PEM-encoded Certificate file for the server (Full path to the file)')
NOTE_CERT_KEY = N_('PEM-encoded Private Key file for the server (Full path to the file)')
NOTE_CA_LIST = N_('File containing the trusted CA certificates, utilized for checking the client certificates (Full path to the file)')
-NOTE_CIPHERS = N_('Ciphers that TLS/SSL is allowed to use. <a target="_blank" href="http://www.openssl.org/docs/apps/ciphers.html">Reference</a>. (Default: all ciphers supported by the OpenSSL version used).')
+NOTE_CIPHERS = N_('Ciphers that TLS/SSL is allowed to use. <a target="_blank" href="http://www.openssl.org/docs/apps/ciphers.html">Reference</a>. (Default: HIGH:!ADH:!MD5).')
NOTE_CLIENT_CERTS = N_('Skip, Accept or Require client certificates.')
NOTE_VERIFY_DEPTH = N_('Limit up to which depth certificates in a chain are used during the verification procedure (Default: 1)')
NOTE_ERROR_HANDLER = N_('Allows the selection of how to generate the error responses.')
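Review bot: The default `HIGH:!ADH:!MD5` is now spelled out a second time in the admin help text, independently of the `CHEROKEE_CIPHERS_DEFAULT` define this same commit adds to cherokee/cryptor.h, so the two copies will drift silently the next time the default is tightened. If the admin side cannot read the C define, a comment next to the string such as `# Keep in sync with CHEROKEE_CIPHERS_DEFAULT in cherokee/cryptor.h` at least points the next maintainer at the other copy. The same cross-reference belongs on the define in the cryptor.h hunk.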

Modified: cherokee/trunk/cherokee/cryptor.h
===================================================================
--- cherokee/trunk/cherokee/cryptor.h 2011-09-17 14:51:50 UTC (rev 6860)
+++ cherokee/trunk/cherokee/cryptor.h 2011-09-18 12:59:37 UTC (rev 6861)
@@ -35,6 +35,8 @@

CHEROKEE_BEGIN_DECLS

+#define CHEROKEE_CIPHERS_DEFAULT "HIGH:!ADH:!MD5"
+
/* Callback function prototipes
*/
typedef ret_t (* cryptor_func_new_t) (void **cryp);
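Review bot: `CHEROKEE_CIPHERS_DEFAULT` is added without a comment saying what the string selects, and an OpenSSL cipher spec is not self-explanatory to whoever edits this header later; a comment above the define along the lines of `/* Default OpenSSL cipher spec: high-strength suites only, no anonymous DH (unauthenticated, so open to MITM), no MD5-based MACs. Keep in sync with NOTE_CIPHERS in admin/PageVServer.py. */` would do. Note also that `!ADH` excludes only anonymous DH suites; OpenSSL's `aNULL` keyword covers every unauthenticated suite including anonymous ECDH, so `HIGH:!aNULL:!MD5` is the tighter spelling if the OpenSSL versions Cherokee links against accept it, which is worth confirming before changing the value.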

Modified: cherokee/trunk/cherokee/virtual_server.c
===================================================================
--- cherokee/trunk/cherokee/virtual_server.c 2011-09-17 14:51:50 UTC (rev 6860)
+++ cherokee/trunk/cherokee/virtual_server.c 2011-09-18 12:59:37 UTC (rev 6861)
@@ -82,8 +82,10 @@
cherokee_buffer_init (&n->server_key);
cherokee_buffer_init (&n->certs_ca);
cherokee_buffer_init (&n->req_client_certs);
- cherokee_buffer_init (&n->ciphers);

+ cherokee_buffer_init (&n->ciphers);
+ cherokee_buffer_add_str (&n->ciphers, CHEROKEE_CIPHERS_DEFAULT);
+
ret = cherokee_buffer_init (&n->root);
if (unlikely(ret < ret_ok))
return ret;
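Review bot: The return value of `cherokee_buffer_add_str (&n->ciphers, CHEROKEE_CIPHERS_DEFAULT)` is discarded, while the `cherokee_buffer_init (&n->root)` call immediately below checks `ret < ret_ok` and bails out. If the add fails on allocation, the virtual server is created with an empty ciphers buffer and the new default silently does not apply; assuming the call returns `ret_t` like the other buffer calls, `ret = cherokee_buffer_add_str (&n->ciphers, CHEROKEE_CIPHERS_DEFAULT); if (unlikely(ret < ret_ok)) return ret;` keeps the error handling consistent with its neighbour. The enclosing constructor starts before the hunk, so the earlier unchecked init calls are not covered here.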
@@ -1119,6 +1121,7 @@
cherokee_buffer_add_buffer (&vserver->req_client_certs, &conf->val);

} else if (equal_buf_str (&conf->key, "ssl_ciphers")) {
+ cherokee_buffer_clean (&vserver->ciphers);
cherokee_buffer_add_buffer (&vserver->ciphers, &conf->val);

} else if (equal_buf_str (&conf->key, "flcache") ||
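Review bot: The added `cherokee_buffer_clean (&vserver->ciphers)` runs before the configured value is inspected, so an `ssl_ciphers` entry with an empty value now wipes the default and leaves the cipher list empty instead of falling back to `CHEROKEE_CIPHERS_DEFAULT`; whether the cryptor then rejects the empty list or quietly uses the library's own default is decided outside this hunk. If an empty value is meant to keep the default, guard both lines with `if (conf->val.len > 0) { ... }`; if it is meant to override, a comment such as `/* an explicit ssl_ciphers value replaces CHEROKEE_CIPHERS_DEFAULT, even when empty */` removes the ambiguity. The enclosing configuration-parsing function starts and ends outside the hunk.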