openssl: Prefer tls1.2. Only use secure ciphers.

2016-03-04 09:15:12 -08:00 · 2016-03-04 09:15:12 -08:00 · 3576c0930c
parent 27b954f95b
commit 3576c0930c
4 changed files with 30 additions and 10 deletions
--- a/basis/io/sockets/secure/openssl/openssl.factor
+++ b/basis/io/sockets/secure/openssl/openssl.factor
@ -12,8 +12,9 @@ splitting unicode.case ;
 IN: io.sockets.secure.openssl

 GENERIC: ssl-method ( symbol -- method )
-
 M: TLSv1 ssl-method drop TLSv1_method ;
+M: TLSv1.1 ssl-method drop TLSv1_1_method ;
+M: TLSv1.2 ssl-method drop TLSv1_2_method ;

 TUPLE: openssl-context < secure-context aliens sessions ;

@ -163,12 +164,18 @@ SYMBOL: default-secure-context
 : save-session ( session addrspec -- )
    current-secure-context sessions>> set-at ;

+: set-secure-cipher-list-only ( ssl -- ssl )
+    dup handle>>
+    "DES-CBC3-SHA:IDEA-CBC-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA"
+    SSL_set_cipher_list ssl-error ;
+
 : <ssl-handle> ( fd -- ssl )
    [
        ssl-handle new-disposable |dispose
-        current-secure-context handle>> SSL_new
+        current-secure-context handle>> SSL_new |dispose
        dup ssl-error >>handle
        swap >>file
+        set-secure-cipher-list-only
    ] with-destructors ;

 :: <ssl-socket> ( winsock hostname -- ssl )
--- a/basis/io/sockets/secure/secure.factor
+++ b/basis/io/sockets/secure/secure.factor
@ -1,8 +1,8 @@
 ! Copyright (C) 2008, 2010 Slava Pestov.
 ! See http://factorcode.org/license.txt for BSD license.
-USING: accessors calendar combinators delegate destructors io
-io.sockets io.sockets.private kernel namespaces present
-sequences summary system vocabs ;
+USING: accessors alien.libraries calendar combinators delegate
+destructors io io.sockets io.sockets.private kernel memoize
+namespaces present sequences summary system vocabs ;
 IN: io.sockets.secure

 SYMBOL: secure-socket-timeout
@ -17,7 +17,17 @@ HOOK: ssl-certificate-verification-supported? secure-socket-backend ( -- ? )
 M: object ssl-supported? f ;
 M: object ssl-certificate-verification-supported? f ;

-SINGLETONS: TLSv1 ;
+SINGLETONS: TLSv1 TLSv1.1 TLSv1.2 ;
+
+ERROR: no-tls-supported ;
+
+MEMO: best-tls-method ( -- class )
+    {
+        { [ "TLSv1_2_method" "libssl" dlsym? ] [ TLSv1.2 ] }
+        { [ "TLSv1_1_method" "libssl" dlsym? ] [ TLSv1.1 ] }
+        { [ "TLSv1_method" "libssl" dlsym? ] [ TLSv1 ] }
+        [ no-tls-supported ]
+    } cond ;

 TUPLE: secure-config
 method
@ -30,7 +40,7 @@ ephemeral-key-bits ;

 : <secure-config> ( -- config )
    secure-config new
-        TLSv1 >>method
+        best-tls-method >>method
        1024 >>ephemeral-key-bits
        ssl-certificate-verification-supported? >>verify ;

--- a/basis/openssl/libssl/libssl.factor
+++ b/basis/openssl/libssl/libssl.factor
@ -362,6 +362,10 @@ FUNCTION: ssl-method TLSv1_server_method (  )

 FUNCTION: ssl-method TLSv1_method (  )

+FUNCTION: ssl-method TLSv1_1_method (  )
+
+FUNCTION: ssl-method TLSv1_2_method (  )
+
 ! Creates the context
 FUNCTION: SSL_CTX* SSL_CTX_new ( ssl-method method )

--- a/basis/openssl/openssl.factor
+++ b/basis/openssl/openssl.factor
@ -23,8 +23,7 @@ SINGLETON: openssl
 : init-ssl ( -- )
    SSL_library_init ssl-error
    SSL_load_error_strings
-    OpenSSL_add_all_digests
-    OpenSSL_add_all_ciphers ;
+    OpenSSL_add_all_digests ;

 SYMBOL: ssl-initialized?