Merge branch 'tls-ciphers' into 'master'

restrict TLS ciphers See merge request !601

Merge branch 'tls-ciphers' into 'master'
restrict TLS ciphers See merge request !601
03f0d4b7 · Petr Špaček · 2de02515 · e3d306ce · 03f0d4b7 · 03f0d4b7
Commit 03f0d4b7 authored Jun 08, 2018 by Petr Špaček
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

daemon/io.c daemon/io.c +4 -0

daemon/tls.c daemon/tls.c +3 -1

No files found.
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -307,6 +307,10 @@ static void _tcp_accept(uv_stream_t *master, int status, bool tls)
 		timeout += KR_CONN_RTT_MAX * 3;
 		if (!session->tls_ctx) {
 			session->tls_ctx = tls_new(master->loop->data);
+			if (!session->tls_ctx) {
+				worker_session_close(session);
+				return;
+			}
 			session->tls_ctx->c.session = session;
 			session->tls_ctx->c.handshake_state = TLS_HS_IN_PROGRESS;
 		}

--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -59,7 +59,9 @@ static int kres_gnutls_set_priority(gnutls_session_t session) {
 	static const char * const priorities =
 		"NORMAL:" /* GnuTLS defaults */
 		"-VERS-TLS1.0:-VERS-TLS1.1:" /* TLS 1.2 and higher */
-		"-COMP-ALL:+COMP-NULL"; /* no compression*/
+		 /* Some distros by default allow features that are considered
+		  * too insecure nowadays, so let's disable them explicitly. */
+		"-VERS-SSL3.0:-ARCFOUR-128:-COMP-ALL:+COMP-NULL";
 	const char *errpos = NULL;
 	int err = gnutls_priority_set_direct(session, priorities, &errpos);
 	if (err != GNUTLS_E_SUCCESS) {