Roxen.git / server / base_server / global_variables.pike


Roxen.git/server/base_server/global_variables.pike:212:    "again after some minutes). Thus, if the user doesn't allow "    "the cookie to be set, she won't be bothered with "    "multiple requests."),0, do_set_cookie( o ));   }      protected int hide_if_empty(RequestID id, Variable.Variable var)   {    return !sizeof(var->query());   }    + protected void update_ssl_suite_filter_default(Variable.Variable var) + { +  int val = var->query(); +  if (!val || (val & 16)) { +  return; +  } +  val |= 16; // Upgrade marker. +  if (!val & 4) { +  val |= 4; // Change default to ephemeral. +  } +  var->low_set(val); + } +    void set_up_ssl_variables( Protocol o )   {    function(DEFVAR) defvar = o->defvar;       defvar( "ssl_keys", o->CertificateKeyChoiceVariable    (VAR_NO_DEFAULT,    LOCALE(1125, "SSL/TLS Certificate(s)"),    LOCALE(1126, "<p>The TLS certificate(s) to use.</p>\n"    "<p>Certificate and key files matching the "    "<b>Global Variables/Settings/Certificate and "
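Review bot: In `update_ssl_suite_filter_default`, the test `if (!val & 4)` parses as `(!val) & 4`, and `val` is already non-zero after `val |= 16`, so the branch commented "Change default to ephemeral" can never run. A legacy value of 8 ("Suite B (relaxed)") is therefore upgraded to 24, "Suite B (allow RSA-encryption)", which is the option the new help text warns against because of ROBOT. If the intent is that legacy values without the ephemeral bit move to the ephemeral variant, the line should read `if (!(val & 4)) {`. If legacy 8 is instead meant to keep RSA key exchange, the dead branch should be removed and the comment corrected. A short comment naming the bits (`4` = ephemeral only, `16` = upgrade marker) would also make the masks reviewable.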
Roxen.git/server/base_server/global_variables.pike:321: Inside #if constant(SSL.ServerConnection)
      defvar( "ssl_password",    Variable.String("", VAR_INVISIBLE,    LOCALE(1082, "SSL decryption password"),    LOCALE(1083, "Optional password to decrypt the "    "SSL key file(s).")));       defvar("ssl_suite_filter",    Variable.IntChoice(0,    ([ -  0: "Default", -  4: "Ephemeral key exchanges only", -  8: "Suite B (relaxed)", -  12: "Suite B (ephemeral only)", -  14: "Suite B (transitional)", -  15: "Suite B (strict)", +  0: "Roxen default policy", +  16: "Allow RSA-encryption", +  20: "Ephemeral key exchanges only", +  24: "Suite B (allow RSA-encryption)", +  28: "Suite B (ephemeral only)", +  30: "Suite B (transitional)", +  31: "Suite B (strict)",    ]),    0,    LOCALE(1084, "Additional suite filtering"),    LOCALE(1085, "<p>Selects an additional cipher suite "    "policy.</p>"    "<p>The supported filter modes are:\n"    "<dl>\n" -  "<dt>Default</dt>\n" -  "<dd>Use the default cipher suite selection " -  "policy, and allow all cipher suites that " -  "have sufficient strength.</dd>\n" +  "<dt>Roxen default policy</dt>\n" +  "<dd>Use the Roxen default cipher suite " +  "selection policy. This is currently the " +  "same as <b>Ephemeral key exchanges " +  "only</b>, but may differ in other " +  "versions of Roxen.</dd>\n" +  "<dt>Allow RSA-encryption</dt>\n" +  "<dd>Allow old cipher suites that use RSA-" +  "encryption for the key-exchange. " +  "These suites are vulnerable to the " +  "<a href='https://robotattack.org/'>" +  "ROBOT</a> vulnerability, and should " +  "usually <b>NOT</b> be allowed.</dd>\n"    "<dt>Ephemeral key exchanges only</dt>\n"    "<dd>Only allow cipher suites that use a "    "key exchange with ephemeral keys (aka "    "\"Perfect Forward Security\"). 
Ie "    "either ECDHE or DHE.</dd>\n" -  "<dt>Suite B (relaxed)</dt>\n" -  "<dd>Same as <b>Default</b>, but prefer the " -  "suites specified in <b>Suite B</b>.</dd>\n" +  "<dt>Suite B (allow RSA-encryption)</dt>\n" +  "<dd>Same as <b>Allow RSA-encryption</b>, " +  "but prefer the suites specified in " +  "<b>Suite B</b>. Should usually <b>NOT</b> " +  "be used.</dd>\n"    "<dt>Suite B (ephemeral only)</dt>\n"    "<dd>Same as <b>Ephemeral key exchanges "    "only</b>, but prefer the suites specified "    "in <b>Suite B</b>.</dd>\n"    "<dt>Suite B (transitional)</dt>\n"    "<dd>Support only the suites specified by "    "RFCs 5430 and 6460.</dd>\n"    "<dt>Suite B (strict)</dt>\n"    "<dd>Support only the suites specified by "    "RFC 6460.</dt>\n"    "</dl>\n"    "</p>\n"    "<p>Note: Full Suite B operation is not "    "supported in all configurations.</p>\n"    "<p>Note: For full Suite B compliance a "    "suitable certificate must also be " -  "used.</p>"))); +  "used.</p>")))-> +  set_changed_callback(update_ssl_suite_filter_default);   #endif /* SSL.ServerConnection */   #if constant(SSL.Constants.PROTOCOL_TLS_MAX)    mapping(SSL.Constants.ProtocolVersion: string) ssl_versions = ([    SSL.Constants.PROTOCOL_SSL_3_0: "SSL 3.0",    SSL.Constants.PROTOCOL_TLS_1_0: "TLS 1.0 (aka SSL 3.1)",    ]);   #if constant(SSL.Constants.PROTOCOL_TLS_1_1)    // NB: The symbol may be available, but the Pike binary might be to old...    for (SSL.Constants.ProtocolVersion v = SSL.Constants.PROTOCOL_TLS_1_1;    v <= SSL.Constants.PROTOCOL_TLS_MAX; v++) {
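Review bot: The old choice values 4, 8, 12, 14 and 15 are dropped from the `IntChoice` mapping, so a configuration saved before this change only reaches a listed value if `update_ssl_suite_filter_default` runs on it, and the hunk registers that function solely through `set_changed_callback`. Whether that callback fires when a stored value is loaded is not visible here; if it does not, a saved 8 would presumably stay unlabelled and without the upgrade marker until an administrator edits the setting. Worth confirming, and recording next to the mapping with a comment such as `// Bit 16 marks values stored with the new numbering; legacy 4..15 are migrated by update_ssl_suite_filter_default().` The chained `defvar(...)->set_changed_callback(...)` also relies on `defvar` returning the variable object, which is declared outside the hunk.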