proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-06-30 17:25:06 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add configurable 'honor_cipher_order'

Browse Source 
Needed to fix #2069.

Prefering the ciphers set in the server, instead of relying on the offer of the
client is considered good practice in TLS1.[012] (see e.g. [0]).

[0] https://cipherli.st/

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This commit is contained in:
Stoiko Ivanov 2019-02-15 12:35:59 +01:00 committed by Thomas Lamprecht
parent 55af714ea8
commit 54c0ead916
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
PVE/APIServer/AnyEvent.pm
View File

@ -1644,8 +1644,13 @@ sub new {
$self->{end_cond} = AnyEvent->condvar;
if ($self->{ssl}) {
my $tls_ctx_flags = &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE;
if ( delete $self->{ssl}->{honor_cipher_order} ) {
$tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE;
}
$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
}
if ($self->{spiceproxy}) {