pike.git / lib / modules / SSL.pmod / Context.pike


pike.git/lib/modules/SSL.pmod/Context.pike:36:
  #include "tls.h"

  import ".";
  import Constants;

  protected void create()
  {
   SSL3_DEBUG_MSG("SSL.Context->create\n");

   /* Backwards compatibility */
-  preferred_suites = get_suites(128, 1);
+  multiset(int) blocked = (< CIPHER_rc4 >);
+  preferred_suites = get_suites(128, 1, blocked);
  }

  //! The minimum supported protocol version.
  //!
  //! Defaults to @[PROTOCOL_TLS_1_0].
  //!
  //! @note
  //! This value should not be greater than @[max_version].
  ProtocolVersion min_version = PROTOCOL_TLS_1_0;

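Review bot: The explicit `(< CIPHER_rc4 >)` passed in create() replaces the new default blacklist rather than extending it, because get_suites() (hunk at line 443) only installs the RC4/DES/export list when `blacklisted_ciphers` is zero. DES and the 40-bit export ciphers are then kept out of `preferred_suites` only by the 128-bit `min_keylength` floor, presumably through `CIPHER_effective_keylengths`, whose contents are not visible here. Calling `preferred_suites = get_suites(128, 1);` would pick up the full default and keep the two lists from drifting apart. If the narrower list is deliberate, a comment such as `// DES and export ciphers are already excluded by the 128 bit floor.` would record why.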
pike.git/lib/modules/SSL.pmod/Context.pike:369:
  //! @value 0
  //! Require forward secrecy (ephemeral keys).
  //! @value 1
  //! Also allow certificate based key exchanges.
  //! @value 2
  //! Allow anonymous server key exchange. Note that this
  //! allows for man in the middle attacks.
  //! @endint
  //!
  //! @param blacklisted_ciphers
- //! Multiset of ciphers that are NOT to be used.
+ //! Multiset of ciphers that are NOT to be used. By default RC4, DES
+ //! and export ciphers are blacklisted. An empty multiset needs to
+ //! be given to unlock these.
  //!
  //! @param blacklisted_kes
  //! Multiset of key exchange methods that are NOT to be used.
  //!
  //! @param blacklisted_hashes
  //! Multiset of hash algoriths that are NOT to be used.
  //!
  //! @param blacklisted_ciphermodes
  //! Multiset of cipher modes that are NOT to be used.
  //!
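Review bot: The new `@param blacklisted_ciphers` text does not say that any caller-supplied multiset replaces the default entirely, which is what the `if( !blacklisted_ciphers )` check in the hunk at line 443 implements. A caller who passes a blacklist naming some other cipher would get RC4, DES and the export ciphers back without having asked for them. I would add a sentence such as `//! Any multiset given here replaces the default; include RC4, DES and the export ciphers in it to keep them blocked.` and state that the default applies only when the argument is omitted or zero.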
pike.git/lib/modules/SSL.pmod/Context.pike:443:

   // Filter short effective key lengths.
   if (min_keylength > 0) {
   res = filter(res,
   lambda(int suite, int min_keylength) {
   return min_keylength <=
   CIPHER_effective_keylengths[CIPHER_SUITES[suite][1]];
   }, min_keylength);
   }

-  if (blacklisted_ciphers) {
+  if( !blacklisted_ciphers )
+  {
+  // Block export ciphers and DES because they are demonstrably
+  // broken. Block RC4 because it probably is (RFC 7465).
+  blacklisted_ciphers = (< CIPHER_rc4, CIPHER_des, CIPHER_rc4_40,
+  CIPHER_rc2_40, CIPHER_des40 >);
+  }
+  if( sizeof(blacklisted_ciphers) )
   res = filter(res,
   lambda(int suite, multiset(int) blacklisted_hashes) {
   return !blacklisted_hashes[CIPHER_SUITES[suite][1]];
   }, blacklisted_ciphers);
-  }
+

  #if !constant(Crypto.SHA384)
   // Filter suites needing SHA384 as our Nettle doesn't support it.
   if (!blacklisted_hashes)
   blacklisted_hashes = (< HASH_sha384 >);
   else
   blacklisted_hashes[HASH_sha384] = 1;
  #endif
   if (blacklisted_hashes) {
   res = filter(res,
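Review bot: The filter lambda under the new `if( sizeof(blacklisted_ciphers) )` still names its multiset argument `blacklisted_hashes`, which shadows the function's real `blacklisted_hashes` parameter used a few lines further down and makes the cipher filter read like a hash filter. Since the commit rewrites the surrounding condition anyway, `lambda(int suite, multiset(int) ciphers) { return !ciphers[CIPHER_SUITES[suite][1]]; }` would be clearer. The `if` also lost its braces around a four-line statement, and the removed `}` appears to have been replaced by a whitespace-only added line; keeping the braces would avoid both. get_suites() starts and ends outside this hunk.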