Feature: Optional SSL CTX ciphersuite selection #28
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a feature for the new SSL http_backend.
Currently, the
ssl_context
inits OpenSSL with OpenSSL_add_ssl_algorithms #L25.This is okay for non-production or internal environments but should be avoided in production,
mainly due to the lax ciphersuite selection performed by OpenSSL.
As stated in the official OpenSSL docs:
OpenSSL_add_ssl_algorithms
is a synonym forSSL_library_init()
.In order to allow developers to select a ciphersuite of their choice,
SSL_CTX_set_cipher_list
should be used.This PR makes use of that function and (optionally) enables it by starting
http_serve
with the news::ssl_ciphers
symbol.Example:
To keep backward-compatibility and more freedom, this option is optional, and the
http_serve
signature canremain as is:
An empty ciphersuite string will fallback to the default behaviour, that is skipping
SSL_CTX_set_cipher_list
.Example:
is the same as
Compiled and tested with CLang 9 (LLVM 9) @ Ubuntu 18.04.4 LTS (bionic beaver)
I hope I was able to get the idea across.
Feel free to change, approve or dismiss this PR.
Great library and best regards,
Steve