authorJoshua Judson Rosen2014-10-20 00:31:09 -0400
committerJoshua Judson Rosen2014-10-20 00:31:09 -0400
commitfc04c7ac1f50aa5c147af5c0f8cd4a68b9e37990 (patch)
tree231908e613dd600cc86fa88b5ba78b86b7af0f80
parentafclient: support loading complete cert-chains from cerfile. (diff)
afserver: avoid requiring a specific SSL protocol version
Trust the clients to negotiate the latest/best protocol version they can. This should generally improve security over time (as OpenSSL improves and implements improved protocols) without requiring the APF codebase or server/client deployments to chase the latest OpenSSL API additions, causing portability problems, or breaking client deployments that are hard to upgrade.
-rw-r--r--src/afserver.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/afserver.c b/src/afserver.c
index f509404..4c00d26 100644
--- a/src/afserver.c
+++ b/src/afserver.c
@@ -515,8 +515,17 @@ main(int argc, char **argv)
maxfdp1 = 0;
SSL_library_init();
- method = SSLv3_server_method();
+
+ /* Trust the clients to use whatever the latest/best SSL/TLS protocol
+ they can. This should generally mean that security automatically
+ improves as the server and client deployments upgrade to later
+ OpenSSL releases--without breaking older client deployments
+ that, for whatever reason, can't be immediately upgraded to
+ the latest APF/OpenSSL versions used on the server.
+ */
+ method = SSLv23_server_method();
ctx = SSL_CTX_new(method);
+
if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) {
aflog(LOG_T_INIT, LOG_I_CRIT,
"Setting ciphers list failed... exiting");