author | John-Mark Bell <jmb@netsurf-browser.org> | 2024-02-04 18:40:29 +0000 |
---|---|---|
committer | John-Mark Bell <jmb@netsurf-browser.org> | 2024-02-04 18:52:02 +0000 |
commit | 2ee5e21b09df66b9755397a45fe9510084ba01bc (patch) | |
tree | d56d8074bec8da3c7a2339dbd6f6c3a588d9a13f /content/fetchers | |
parent | 23b267215391cb1a6750d6e82e74af89f9e20413 (diff) | |
fetchers/curl: modernise TLS 1.2 cipher suites
* Drop support for DHE completely (logjam plus compat woes
caused other browsers to do this some time ago)
* Minimise CBC-mode suites
* Fall back to non-PFS RSA suites if really necessary (we treat
this as a protocol downgrade as anything modern should either
be using TLS 1.3 or have support for the ECDHE suites)
Diffstat (limited to 'content/fetchers')
-rw-r--r-- | content/fetchers/curl.c | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 83d70a756..6878d9e6a 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -80,14 +80,25 @@
 #define CIPHER_LIST \
 /* disable everything */ \
 "-ALL:" \
- /* enable TLSv1.2 PFS suites */ \
- "EECDH+AES+TLSv1.2:EDH+AES+TLSv1.2:" \
- /* enable PFS AES GCM suites */ \
- "EECDH+AESGCM:EDH+AESGCM:" \
- /* Enable PFS AES CBC suites */ \
- "EECDH+AES:EDH+AES:" \
- /* Remove any PFS suites using weak DSA key exchange */ \
- "-DSS"
+ /* enable TLSv1.2 ECDHE AES GCM suites */ \
+ "EECDH+AESGCM+TLSv1.2:" \
+ /* enable ECDHE CHACHA20/POLY1305 suites */ \
+ "EECDH+CHACHA20:" \
+ /* Sort above by strength */ \
+ "@STRENGTH:" \
+ /* enable ECDHE (auth=RSA, mac=SHA1) AES CBC suites */ \
+ "EECDH+aRSA+AES+SHA1"
+
+/**
+ * The legacy cipher suites the browser is prepared to use for TLS<1.3
+ */
+#define CIPHER_LIST_LEGACY \
+ /* as above */ \
+ CIPHER_LIST":" \
+ /* enable (non-PFS) RSA AES GCM suites */ \
+ "RSA+AESGCM:" \
+ /* enable (non-PFS) RSA (mac=SHA1) AES CBC suites */ \
+ "RSA+AES+SHA1"
 /* Open SSL compatability for certificate handling */
 #ifdef WITH_OPENSSL
@@ -1242,6 +1253,12 @@ static CURLcode fetch_curl_set_options(struct curl_fetch_info *f)
 SETOPT(CURLOPT_PROXY, NULL);
 }
+
+ if (curl_with_openssl) {
+ SETOPT(CURLOPT_SSL_CIPHER_LIST,
+ f->downgrade_tls ? CIPHER_LIST_LEGACY : CIPHER_LIST);
+ }
+
 /* Force-enable SSL session ID caching, as some distros are odd. */
 SETOPT(CURLOPT_SSL_SESSIONID_CACHE, 1);
 |
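Review bot: The doc comment added above `CIPHER_LIST_LEGACY` says only "TLS<1.3" and does not tell a maintainer that its two trailing entries re-enable static-RSA key exchange, which gives no forward secrecy, or that the list is meant to be reachable only from the downgrade path. I would extend it with a line such as `* Adds static-RSA (no forward secrecy) suites; select only after an explicit TLS downgrade, never as the default.` These are OpenSSL cipher strings and, as far as I know, they do not govern TLS 1.3 suite selection, so that scope is worth stating next to `CIPHER_LIST` as well, whose own doc comment sits above the hunk. The `CIPHER_LIST":"` concatenation also relies on `CIPHER_LIST` never ending in a separator, which deserves a short remark where the macro is defined.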
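Review bot: In `fetch_curl_set_options` the cipher policy is applied only inside `if (curl_with_openssl)`, so a build whose libcurl uses a different TLS backend silently keeps that backend's default suites, and the restrictions this commit introduces (no DHE, minimal CBC) may not hold there. A comment in the branch such as `/* cipher strings are OpenSSL syntax; other TLS backends keep their library defaults */` would make the gap visible, and a log line on the skipped path would help when triaging a weak negotiated suite. Separately, `f->downgrade_tls` now widens the suite list to non-PFS RSA in addition to whatever it did before; where the flag is set is outside the hunk, but if it follows a failed handshake, which a party on the network path can cause, the downgraded state should be surfaced to the user rather than applied on a silent retry. The function starts and ends outside the hunk, so the existing handling of the flag could not be checked here.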