Set SSL options to sane default and enfore server cipher preferences

Original PR #856
author: Julien Vehent <julien@linuxwall.info> 2014-05-21 09:39:17 -0400
committer: Attila Molnar <attilamolnar@hush.com> 2014-06-30 14:33:20 +0200
commit: ac76c832925b786e188fc2c45da5fb7ae5128df3 (patch)
tree: bc31af4bf8ab2af5dddd8deedee32704142e358f /src/modules/extra/m_ssl_openssl.cpp
parent: 7f7c3a5926d5c977a6339228d8d4160fbadb1c2f (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 9ebc0de9d..d8ea16bdf 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -103,6 +103,9 @@ namespace OpenSSL
 		Context(SSL_CTX* context)
 			: ctx(context)
 		{
+			// Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
+			// and when choosing a cipher, use the server's preferences instead of the client preferences.
+			SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
 			SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 			SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
author	Julien Vehent <julien@linuxwall.info>	2014-05-21 09:39:17 -0400
committer	Attila Molnar <attilamolnar@hush.com>	2014-06-30 14:33:20 +0200
commit	ac76c832925b786e188fc2c45da5fb7ae5128df3 (patch)
tree	bc31af4bf8ab2af5dddd8deedee32704142e358f /src/modules/extra/m_ssl_openssl.cpp
parent	7f7c3a5926d5c977a6339228d8d4160fbadb1c2f (diff)