Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: Optional SSL CTX ciphersuite selection #28

Merged
merged 8 commits into from
Jul 13, 2020

Conversation

Burnett01
Copy link
Contributor

This PR introduces a feature for the new SSL http_backend.

Currently, the ssl_context inits OpenSSL with OpenSSL_add_ssl_algorithms #L25.

This is okay for non-production or internal environments but should be avoided in production,
mainly due to the lax ciphersuite selection performed by OpenSSL.

As stated in the official OpenSSL docs:

WARNING
SSL_library_init() adds ciphers and digests used directly and indirectly by SSL/TLS. ...Source...

OpenSSL_add_ssl_algorithms is a synonym for SSL_library_init().

In order to allow developers to select a ciphersuite of their choice, SSL_CTX_set_cipher_list should be used.

This PR makes use of that function and (optionally) enables it by starting http_serve with the new s::ssl_ciphers symbol.

Example:

http_serve(api, 443, s::ssl_key = "./server.key", s::ssl_certificate = "./server.crt", s::ssl_ciphers = "ALL:!NULL");

To keep backward-compatibility and more freedom, this option is optional, and the http_serve signature can
remain as is:

http_serve(api, 443, s::ssl_key = "./server.key", s::ssl_certificate = "./server.crt");

An empty ciphersuite string will fallback to the default behaviour, that is skipping SSL_CTX_set_cipher_list.

Example:

http_serve(api, 443, s::ssl_key = "./server.key", s::ssl_certificate = "./server.crt", s::ssl_ciphers = "");

is the same as

http_serve(api, 443, s::ssl_key = "./server.key", s::ssl_certificate = "./server.crt");

Compiled and tested with CLang 9 (LLVM 9) @ Ubuntu 18.04.4 LTS (bionic beaver)


I hope I was able to get the idea across.

Feel free to change, approve or dismiss this PR.

Great library and best regards,
Steve

Copy link
Owner

@matt-42 matt-42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Burnett01 . Looks good to me. I'm merging it.

@matt-42 matt-42 merged commit 3606b75 into matt-42:master Jul 13, 2020
@Burnett01 Burnett01 deleted the feat/ssl-select-ciphersuite branch July 14, 2020 16:55
@Burnett01 Burnett01 restored the feat/ssl-select-ciphersuite branch July 2, 2021 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants