summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn-Mark Bell <jmb@netsurf-browser.org>2018-04-22 12:54:23 +0000
committerJohn-Mark Bell <jmb@netsurf-browser.org>2018-04-22 12:54:23 +0000
commita8bf9b05aa94392b391d6015ed037e5c241ab172 (patch)
tree15258e7a8d60491374bc9cec6573fe040b9f45bb
parent7d4349035d7981067d26dc02f750a36a9adc52cd (diff)
downloadnetsurf-a8bf9b05aa94392b391d6015ed037e5c241ab172.tar.gz
netsurf-a8bf9b05aa94392b391d6015ed037e5c241ab172.tar.bz2
HTTPS: restrict ciphersuites
-rw-r--r--content/fetchers/curl.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d37ce115b..bf9d88bc1 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,6 +67,21 @@
/** maximum number of X509 certificates in chain for TLS connection */
#define MAX_CERTS 10
+/* the ciphersuites we are willing to use */
+#define CIPHER_LIST \
+ /* disable everything */ \
+ "-ALL:" \
+ /* enable TLSv1.2 PFS suites */ \
+ "EECDH+AES+TLSv1.2:EDH+AES+TLSv1.2:" \
+ /* enable PFS AES GCM suites */ \
+ "EECDH+AESGCM:EDH+AESGCM:" \
+ /* Enable PFS AES CBC suites */ \
+ "EECDH+AES:EDH+AES:" \
+ /* Enable non-PFS fallback suite */ \
+ "AES128-SHA:" \
+ /* Remove any PFS suites using weak DSA key exchange */ \
+ "-DSS"
+
/** SSL certificate info */
struct cert_info {
X509 *cert; /**< Pointer to certificate */
@@ -555,6 +570,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
+ /* Disable TLS1.2 ciphersuites */
+ SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
}
SSL_CTX_set_options(sslctx, options);
@@ -1512,6 +1529,7 @@ nserror fetch_curl_register(void)
SETOPT(CURLOPT_LOW_SPEED_TIME, 180L);
SETOPT(CURLOPT_NOSIGNAL, 1L);
SETOPT(CURLOPT_CONNECTTIMEOUT, nsoption_uint(curl_fetch_timeout));
+ SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
if (nsoption_charp(ca_bundle) &&
strcmp(nsoption_charp(ca_bundle), "")) {