hrev50422 adds 1 changeset to branch 'master'
old head: 7cdea13cf9d765ef86793ebab86f6167ee179abf
new head: 44ffe7c28fba04f0228c7895c8f1460397ef1f21
overview:
http://cgit.haiku-os.org/haiku/log/?qt=range&q=44ffe7c28fba+%5E7cdea13cf9d7
----------------------------------------------------------------------------
44ffe7c28fba: BSecureSocket: Explicitly set the list of ciphersuites.
OpenSSL's default cipherlist has a lot of spurious and arguably insecure
suites left in it for compatibility reasons. We have no need for all that,
so let's just use the suites Firefox/Chrome do.
[ Augustin Cavalier <waddlesplash@xxxxxxxxx> ]
----------------------------------------------------------------------------
Revision: hrev50422
Commit: 44ffe7c28fba04f0228c7895c8f1460397ef1f21
URL: http://cgit.haiku-os.org/haiku/commit/?id=44ffe7c28fba
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Sat Jul 16 18:47:17 2016 UTC
----------------------------------------------------------------------------
1 file changed, 18 insertions(+)
src/kits/network/libnetapi/SecureSocket.cpp | 18 ++++++++++++++++++
----------------------------------------------------------------------------
diff --git a/src/kits/network/libnetapi/SecureSocket.cpp
b/src/kits/network/libnetapi/SecureSocket.cpp
index 6892aba..b95e37c 100644
--- a/src/kits/network/libnetapi/SecureSocket.cpp
+++ b/src/kits/network/libnetapi/SecureSocket.cpp
@@ -192,6 +192,24 @@ BSecureSocket::Private::_CreateContext()
// Don't bother us with ERROR_WANT_READ.
SSL_CTX_set_mode(sContext, SSL_MODE_AUTO_RETRY);
+ // Setup cipher suites.
+ // These suites are mostly the same ones used by Firefox 47 and Chrome
50.
+ SSL_CTX_set_cipher_list(sContext,
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:"
+ "ECDHE-RSA-CHACHA20-POLY1305-SHA256:"
+ "ECDHE-ECDSA-AES256-SHA:"
+ "ECDHE-ECDSA-AES128-SHA:"
+ "ECDHE-RSA-AES128-SHA:"
+ "ECDHE-RSA-AES256-SHA:"
+ "DHE-RSA-AES128-SHA:"
+ "DHE-RSA-AES256-SHA:"
+ "AES128-SHA:"
+ "AES256-SHA");
+
// Setup certificate verification
BPath certificateStore;
find_directory(B_SYSTEM_DATA_DIRECTORY, &certificateStore);
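Review bot: The return value of SSL_CTX_set_cipher_list() in the added block is ignored. The call returns 1 when at least one cipher could be selected and 0 when none could, and names the linked OpenSSL does not recognise are skipped without an error, so a misspelled or unsupported entry in this string would go unnoticed. Suggest checking the result, for example `if (SSL_CTX_set_cipher_list(sContext, ...) != 1)`, and logging or failing context creation in that case. It is also worth confirming that the two `...-CHACHA20-POLY1305-SHA256` names are spelled the way the OpenSSL version in use expects. The comment says the list is "mostly the same" as Firefox 47 and Chrome 50. It would help to state what differs, and why the `AES128-SHA` and `AES256-SHA` entries at the end, which use RSA key exchange without forward secrecy, are retained.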