From 772f7ceb94242a8ebfadd0d4e31209c0b51c2923 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Tue, 25 May 2021 17:10:20 +0100 Subject: Implement support for setting TLSv1.3 ciphersuites in ssl_openssl. --- src/modules/extra/m_ssl_openssl.cpp | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 0f4e2d713..f84468da8 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -217,10 +217,20 @@ namespace OpenSSL bool SetCiphers(const std::string& ciphers) { + // TLSv1 to TLSv1.2 ciphers. ERR_clear_error(); return SSL_CTX_set_cipher_list(ctx, ciphers.c_str()); } +#if OPENSSL_VERSION_NUMBER >= 0x10101000L + bool SetCiphersuites(const std::string& ciphers) + { + // TLSv1.3+ ciphers. + ERR_clear_error(); + return SSL_CTX_set_ciphersuites(ctx, ciphers.c_str()); + } +#endif + bool SetCerts(const std::string& filename) { ERR_clear_error(); @@ -408,7 +418,7 @@ namespace OpenSSL if (digest == NULL) throw Exception("Unknown hash type " + hash); - std::string ciphers = tag->getString("ciphers"); + const std::string ciphers = tag->getString("ciphers"); if (!ciphers.empty()) { if ((!ctx.SetCiphers(ciphers)) || (!clictx.SetCiphers(ciphers))) @@ -418,6 +428,20 @@ namespace OpenSSL } } + const std::string ciphersuites = tag->getString("ciphersuites"); + if (!ciphers.empty()) + { +#if OPENSSL_VERSION_NUMBER >= 0x10101000L + if ((!ctx.SetCiphersuites(ciphersuites)) || (!clictx.SetCiphersuites(ciphersuites))) + { + ERR_print_errors_cb(error_callback, this); + throw Exception("Can't set ciphersuite list to \"" + ciphersuites + "\" " + lasterr); + } +#else + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "You have configured but your version of OpenSSL does not support TLSv1.3+"); +#endif + } + #ifndef OPENSSL_NO_ECDH const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1); if (!curvename.empty()) -- cgit v1.2.3