#ifdef HAVE_OPENSSL
SSL_CTX *ssl_ctx = NULL; // This SSL context is used for all sessions.
-
+char *ssl_cipher_list = CIT_CIPHERS;
// If a private key does not exist, generate one now.
void generate_key(char *keyfilename) {
return;
}
+ if (!(SSL_CTX_set_cipher_list(new_ctx, ssl_cipher_list))) {
+ syslog(LOG_ERR, "crypto: SSL_CTX_set_cipher_list failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
syslog(LOG_DEBUG, "crypto: using certificate chain %s", file_crpt_file_cer);
SSL_CTX_use_certificate_chain_file(new_ctx, file_crpt_file_cer);
syslog(LOG_DEBUG, "crypto: using private key %s", file_crpt_file_key);
SSL_CTX_use_PrivateKey_file(new_ctx, file_crpt_file_key, SSL_FILETYPE_PEM);
- if ( !SSL_CTX_check_private_key(new_ctx) ) {
- syslog(LOG_ERR, "crypto: cannot install certificate: %s", ERR_reason_error_string(ERR_get_error()));
- }
old_ctx = ssl_ctx;
ssl_ctx = new_ctx; // All future binds will use the new certificate
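Review bot: After this hunk the certificate and key loads at `SSL_CTX_use_certificate_chain_file` and `SSL_CTX_use_PrivateKey_file` are never checked, and the `SSL_CTX_check_private_key` call that used to catch a mismatched or unreadable key is removed, so a context with no usable credentials is still published as `ssl_ctx` for all future binds. Both loaders and the check return 1 on success, so the three can be folded into one guarded step that frees the half-built context instead of installing it. The same leak applies to the new `SSL_CTX_set_cipher_list` early return above, which drops `new_ctx` without `SSL_CTX_free` (assuming it was created by `SSL_CTX_new` earlier in this function, which starts outside the hunk). Note that `ERR_reason_error_string` returns NULL when the error queue is empty, so the `%s` in these log lines wants a fallback string.
```c
if (SSL_CTX_use_certificate_chain_file(new_ctx, file_crpt_file_cer) != 1
    || SSL_CTX_use_PrivateKey_file(new_ctx, file_crpt_file_key, SSL_FILETYPE_PEM) != 1
    || SSL_CTX_check_private_key(new_ctx) != 1) {
	const char *reason = ERR_reason_error_string(ERR_get_error());
	syslog(LOG_ERR, "crypto: cannot install certificate: %s", reason ? reason : "(no error queued)");
	SSL_CTX_free(new_ctx);	/* do not publish a context without valid credentials */
	return;
}
/* … unchanged: old_ctx = ssl_ctx; ssl_ctx = new_ctx; … */
```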
// Can't notify the client of an error here; they will
// discover the problem at the SSL layer and should
// revert to unencrypted communications.
- long errval;
- char error_string[128];
-
- errval = SSL_get_error(CC->ssl, retval);
- syslog(LOG_ERR, "crypto: SSL_accept failed: retval=%d, errval=%ld, err=%s",
- retval,
- errval,
- ERR_error_string(errval, error_string)
- );
+ syslog(LOG_ERR, "crypto: SSL_accept failed: %s", ERR_reason_error_string(ERR_get_error()));
SSL_free(CC->ssl);
CC->ssl = NULL;
return;
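Review bot: The new log line relies on `ERR_get_error()` alone, but an `SSL_accept` failure caused by the transport (peer closed the socket, `SSL_ERROR_SYSCALL`, or `SSL_ERROR_WANT_READ`/`WANT_WRITE` on a non-blocking fd) leaves the OpenSSL error queue empty, so `ERR_reason_error_string` returns NULL and `%s` is handed a null pointer, which is undefined behaviour in `syslog`. The removed code's `SSL_get_error(CC->ssl, retval)` is the call that distinguishes those cases; it was only misused by feeding its result to `ERR_error_string`, and this commit is right to drop that. Keeping the classification and guarding the reason string covers both, assuming `retval` still holds the `SSL_accept` result (set before this hunk): `int ssl_err = SSL_get_error(CC->ssl, retval);` / `const char *reason = ERR_reason_error_string(ERR_get_error());` / `syslog(LOG_ERR, "crypto: SSL_accept failed: ssl_error=%d, err=%s", ssl_err, reason ? reason : "(no error queued; see errno)");`. The enclosing function starts before this hunk.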
*/
#define SIGN_DAYS 1100 // Just over three years
-//#define CIT_CIPHERS "ALL:RC4+RSA:+SSLv2:+TLSv1:!MD5:@STRENGTH" /* see ciphers(1) */
+// Which ciphers will be offered; see https://www.openssl.org/docs/manmaster/man1/ciphers.html
+//#define CIT_CIPHERS "ALL:RC4+RSA:+SSLv2:+TLSv1:!MD5:@STRENGTH"
+#define CIT_CIPHERS "DEFAULT"
#ifdef HAVE_OPENSSL
#define OPENSSL_NO_KRB5 /* work around redhat b0rken ssl headers */