You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
89 lines
3.5 KiB
89 lines
3.5 KiB
diff -up librelp-1.10.0/src/tcp.c.crypto-compliance librelp-1.10.0/src/tcp.c
|
|
--- librelp-1.10.0/src/tcp.c.crypto-compliance 2021-02-16 09:07:24.000000000 +0100
|
|
+++ librelp-1.10.0/src/tcp.c 2021-08-17 10:13:53.368936612 +0200
|
|
@@ -1155,32 +1155,8 @@ static relpRetVal LIBRELP_ATTR_NONNULL()
|
|
relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis)
|
|
{
|
|
int r;
|
|
- char pristringBuf[4096];
|
|
- char *pristring;
|
|
ENTER_RELPFUNC;
|
|
- /* Set default priority string (in simple cases where the user does not care...) */
|
|
- if(pThis->pristring == NULL) {
|
|
- if (pThis->authmode == eRelpAuthMode_None) {
|
|
- if(pThis->bEnableTLSZip) {
|
|
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
|
|
- } else {
|
|
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
|
|
- }
|
|
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
|
|
- pristring = pristringBuf;
|
|
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
|
|
- } else {
|
|
- r = gnutls_set_default_priority(pThis->session);
|
|
- strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf));
|
|
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
|
|
- pristring = pristringBuf;
|
|
- }
|
|
-
|
|
- } else {
|
|
- pristring = pThis->pristring;
|
|
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
|
|
- }
|
|
-
|
|
+ r = gnutls_set_default_priority(pThis->session);
|
|
if(r == GNUTLS_E_INVALID_REQUEST) {
|
|
ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO);
|
|
} else if(r != GNUTLS_E_SUCCESS) {
|
|
@@ -1188,7 +1164,7 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const
|
|
}
|
|
|
|
finalize_it:
|
|
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
|
|
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers to system default iRet=%d\n", iRet);
|
|
|
|
if(iRet != RELP_RET_OK) {
|
|
chkGnutlsCode(pThis, "Failed to set GnuTLS priority", iRet, r);
|
|
@@ -1207,38 +1183,15 @@ relpTcpTLSSetPrio_gtls(LIBRELP_ATTR_UNUS
|
|
static relpRetVal LIBRELP_ATTR_NONNULL()
|
|
relpTcpTLSSetPrio_ossl(relpTcp_t *const pThis)
|
|
{
|
|
- char pristringBuf[4096];
|
|
- char *pristring;
|
|
ENTER_RELPFUNC;
|
|
- /* Compute priority string (in simple cases where the user does not care...) */
|
|
- if(pThis->pristring == NULL) {
|
|
- if (pThis->authmode == eRelpAuthMode_None) {
|
|
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
|
|
- && !defined(LIBRESSL_VERSION_NUMBER)
|
|
- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
|
|
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
|
|
- sizeof(pristringBuf));
|
|
- #else
|
|
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
|
|
- sizeof(pristringBuf));
|
|
- #endif
|
|
- } else {
|
|
- strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
|
|
- }
|
|
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
|
|
- pristring = pristringBuf;
|
|
- } else {
|
|
- /* We use custom CipherString if used sets it by SslConfCmd */
|
|
- pristring = pThis->pristring;
|
|
- }
|
|
|
|
- if ( SSL_set_cipher_list(pThis->ssl, pristring) == 0 ){
|
|
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers '%s'\n", pristring);
|
|
+ if (SSL_set_cipher_list(pThis->ssl, "PROFILE=SYSTEM") == 0){
|
|
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers to system default\n");
|
|
ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);
|
|
}
|
|
|
|
finalize_it:
|
|
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
|
|
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers to system default iRet=%d\n", iRet);
|
|
LEAVE_RELPFUNC;
|
|
}
|
|
#else
|