
2015-12-14

2015-12-14 11:42:30 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Enable the cipher strength selector in recent Pike 7.8.

Fixes issue with RC4 suites being available by default.

227:    "file, leave this field empty to use the "    "certificate file only.")));    - #if constant(SSL.ServerConnection) -  // Pike 8.0 and later has much more advanced support for SSL/TLS. + #if !constant(SSL.Constants.preferred_rsa_suites) +  // Pike 8.0 or recent Pike 7.8. +  // They have SSL.[Cc]ontext()->get_suites().       // 112 bits is the maximum strength to still retain the    // DES-3 suites, which are required in the TLS standards.
258: Inside #if constant(SSL.ServerConnection)
   "<dd>AES-256</dd>\n"    "<dd>Camellia-256</dd>\n"    "</dl>\n" -  "</p>\n")))->set_range(0, Variable.no_limit); +  "</p>\n" +  "<p>Cipher strengths lower than 112 bits are " +  "<b>NOT</b> recommended, and there are RFCs that " +  "prohibit the use of all those suites.</p>\n")))-> +  set_range(0, Variable.no_limit); + #endif    -  + #if constant(SSL.ServerConnection) +  // Pike 8.0 and later has much more advanced support for SSL/TLS. +     defvar("ssl_suite_filter",    Variable.IntChoice(0,    ([